
Fraud protection is a race against scale.
For instance, Mastercard’s network processes roughly 160 billion transactions a year, and experiences surges of 70,000 transactions a second during peak periods (like the December holiday rush). Finding the fraudulent purchases among those — without chasing false alarms — is an incredible task, which is why fraudsters have been able to game the system.
But now, sophisticated AI models can probe down to individual transactions, pinpointing the ones that seem suspicious — in milliseconds’ time. This is the heart of Mastercard’s flagship fraud platform, Decision Intelligence Pro (DI Pro).
“DI Pro is specifically looking at each transaction and the risk associated with it,” Johan Gerber, Mastercard’s EVP of security solutions, said in a recent VB Beyond the Pilot podcast. “The fundamental problem we're trying to solve here is assessing in real time.”
How DI Pro works
Mastercard’s DI Pro was built for latency and speed. From the moment a consumer taps a card or clicks “buy,” that transaction flows through Mastercard’s orchestration layer, back onto the network, and then on to the issuing bank. Typically, this occurs in less than 300 milliseconds.
Ultimately, the bank makes the approve-or-decline decision, but the quality of that decision depends on Mastercard’s ability to deliver a precise, contextualized risk score based on whether the transaction could be fraudulent. Complicating this whole process is the fact that Mastercard is not looking for anomalies, per se; it is looking for transactions that, by design, resemble ordinary consumer behavior.
At the core of DI Pro is a recurrent neural network (RNN) that Mastercard refers to as an "inverse recommender" architecture. This treats fraud detection as a recommendation problem; the RNN performs a pattern completion exercise to identify how merchants relate to one another.
As Gerber explained: “Here's where they've been before, here's where they are right now. Does this make sense for them? Would we have recommended this merchant to them?”
Chris Merz, SVP of data science at Mastercard, explained that the fraud problem can be broken down into two subcomponents: a user’s pattern behavior and a fraudster’s pattern behavior. “And we're trying to tease those two things out,” he said.
Another “neat technique,” he said, is how Mastercard approaches data sovereignty, the principle that data is subject to the laws and governance structures of the region where it is collected, processed, or stored. To keep data “on soil,” the company’s fraud team relies on aggregated, “completely anonymized” data that is not sensitive to any privacy concerns and thus can be shared with models globally.
“So you still can have the global patterns influencing every local decision,” said Gerber. “We take a year's worth of knowledge and squeeze it into a single transaction in 50 milliseconds to say yes or no, this is good or this is bad.”
Scamming the scammers
While AI is helping financial companies like Mastercard, it’s helping fraudsters, too; now, they’re able to rapidly develop new techniques and identify new avenues to exploit.
Mastercard is fighting back by engaging cyber criminals on their turf. One way they’re doing so is by using "honeypots," or artificial environments meant to essentially "trap" cyber criminals. When threat actors think they’ve got a legitimate mark, AI agents engage with them in the hopes of accessing mule accounts used to funnel money. That becomes “extremely powerful,” Gerber said, because defenders can apply graph techniques to determine how and where mule accounts are connected to legitimate accounts.
In the end, to get their payout, scammers need a legitimate account somewhere, linked to mule accounts, even if it’s cloaked 10 layers down. When defenders can identify these accounts, they can map global fraud networks.
“It’s a wonderful thing when we take the fight to them, because they cause us enough pain as it is,” Gerber said.
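The graph tracing described above can be sketched as a breadth-first walk over a transfer graph, starting from mule accounts surfaced by honeypot engagement. This is an added illustration, not Mastercard's code: the account names and transfers are constructed, and treating an account with no onward transfers as the payout candidate is an assumption.

```python
from collections import deque

# Constructed sample data: (sender, receiver) transfers; all names are hypothetical.
TRANSFERS = [
    ("mule_a", "layer_1"), ("mule_b", "layer_1"),
    ("layer_1", "layer_2"), ("layer_2", "layer_3"),
    ("layer_3", "layer_1"),        # cycle that obscures the trail
    ("layer_3", "cashout_x"),
    ("mule_c", "layer_9"), ("layer_9", "cashout_x"),
    ("shop_1", "supplier_1"),      # unrelated legitimate traffic
]

def build_graph(transfers):
    """Directed adjacency map; every account appears as a key."""
    graph = {}
    for src, dst in transfers:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set())
    return graph

def trace_from_mule(graph, mule, max_hops=10):
    """Breadth-first trace: {account: shortest path from mule} within max_hops."""
    reached = {}
    queue = deque([(mule, (mule,))]) if mule in graph else deque()
    while queue:
        node, path = queue.popleft()
        if node in reached:        # already reached by a shorter path; also breaks cycles
            continue
        reached[node] = path
        if len(path) - 1 < max_hops:
            for nxt in sorted(graph[node]):
                queue.append((nxt, path + (nxt,)))
    return reached

def payout_candidates(transfers, seed_mules, max_hops=10):
    """Accounts where traced funds stop, with the seed mules that feed each one."""
    graph = build_graph(transfers)
    found = {}
    for mule in seed_mules:
        for acct, path in trace_from_mule(graph, mule, max_hops).items():
            if graph[acct] or acct == mule:
                continue           # funds move on, so not a terminal account
            entry = found.setdefault(acct, {"mules": set(), "shortest": path})
            entry["mules"].add(mule)
            if len(path) < len(entry["shortest"]):
                entry["shortest"] = path
    return found

if __name__ == "__main__":
    for acct, info in payout_candidates(TRANSFERS, ["mule_a", "mule_b", "mule_c"]).items():
        print(acct, sorted(info["mules"]), " -> ".join(info["shortest"]))
```

An account fed by several independently discovered mules is the stronger lead, and the hop limit mirrors the "10 layers down" bound in the text.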
Listen to the podcast to learn more about:
How Mastercard created a "malware sandbox" with Recorded Future;
Why a data science engineering requirements document (DSERD) was essential to align four separate engineering teams;
The importance of "relentless prioritization" and tough decision-making to move beyond "a thousand flowers blooming" to projects that actually have a strong business impact;
Why successful AI deployment should incorporate three phases: ideation, activation, and implementation — but many enterprises skip the second step.

