Evidence of meeting #154 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was cybersecurity.

MPs speaking

Also speaking

Ron Green, Executive Vice-President and Chief Security Officer, Mastercard Canada
Thomas Davies, National Financial Services Cyber Leader, EY
Charles Finlay, Executive Director, Cybersecure Catalyst
Robert Gordon, Executive Director, Canadian Cyber Threat Exchange
Ruby Sahota, Brampton North, Lib.
Earl Dreeshen, Red Deer—Mountain View, CPC

5:10 p.m.

Liberal

The Chair Liberal John McKay

This is not a personal question.

5:10 p.m.

Voices

Oh, oh!

5:10 p.m.

Executive Vice-President and Chief Security Officer, Mastercard Canada

Ron Green

There are a couple of things. We don't store you; we know a 16-digit number that belongs to an issuing bank. The Canadian bank would actually understand who Matthew is; all we know is a 16-digit number. We don't have any kind of open...our data is available to—

5:10 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

Sorry to interrupt, I just want to jump in to understand. I recently moved and I changed my address. It got pushed back at me because it was not updated in the system. Whose system is that? Is that yours or the bank's, which is the card issuer?

5:10 p.m.

Executive Vice-President and Chief Security Officer, Mastercard Canada

Ron Green

Where are you having the challenge? Is it the zip code or something like that?

5:10 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

I was trying to confirm a payment for an online purchase. I was asked for the name of the cardholder as it appears on the card, the three numbers on the back of the card and the address. Because I had changed it that same day, I ended up calling the helpline and was told I would have to wait until the system reset for the address to be up to speed. Is that the issuer?

5:10 p.m.

Executive Vice-President and Chief Security Officer, Mastercard Canada

Ron Green

Did you call the number on the back of the card?

5:10 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

Yes, that's the issuer, right?

5:10 p.m.

Executive Vice-President and Chief Security Officer, Mastercard Canada

Ron Green

That's the issuer. That's your bank.

5:10 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

If I'm dealing with PayPal, for example, and using a credit card, if I'm putting the number and the address, the number is going to you for validation, and then the address, the cardholder's name, etc., is going to the bank.

5:10 p.m.

Executive Vice-President and Chief Security Officer, Mastercard Canada

Ron Green

Right, and we use that number to talk to the issuer. Is this good information for us to allow the transaction? It comes through us by the 16-digit number, we pass it to the issuer—that's your bank, which knows you—that information passes and it says, “Yes, and he has the money.” Then we pass it back to the inquiring merchant to say, “Yes, they have the money; go ahead and do the transaction.” Then we pass the amounts back through to the issuer.

The thing that passes that helps us to make a transaction work is the 16-digit number, and that's the data we use.

5:10 p.m.

Liberal

The Chair Liberal John McKay

Thank you.

I have a couple of questions, and then I have Mr. de Burgh Graham and Mr. Paul-Hus, for three minutes, and anybody else. That should run the clock right down. No questions for Mr. Motz—ageism.

You know, part of this study is precipitated by virtue of the 5G controversy, and particularly the 5G controversy with respect to Huawei, Nokia and Ericsson. You three in particular are on the front lines of defence, and so my question is this. If this is coming down the track—and it is—how are you preparing for that, or are you preparing for that, and how would your preparations change what you've just said today, if in fact it would change what you just said today?

We'll start with Mr. Green and work to the right.

5:10 p.m.

Executive Vice-President and Chief Security Officer, Mastercard Canada

Ron Green

Sure, no matter what the communication vehicle is—mobile or 5G or Wi-Fi or even plugged-in networking—when our folks are in environments where they're leveraging those things, we provide a secure pipe so that it pipes through. Be it 5G, be it mobile, we will secure the data that transits that for our employees. A lot of what powers our network is that it's a private network. We aren't on the Internet; the things that enable commerce to happen are on a very private network that we control. If I'm using a 5G network, I'm going to secure a pipe so my people can communicate securely. The network that we ride, where we do all our work, is our own private network.

5:10 p.m.

Liberal

The Chair Liberal John McKay

Really, is the entire Mastercard processing around the world a private network?

5:10 p.m.

Executive Vice-President and Chief Security Officer, Mastercard Canada

Ron Green

It is a private network that we enable out to the edges. That's some of the reason it's difficult to do the things we do, because it's taken us time to build this private network that we have.

5:10 p.m.

Liberal

The Chair Liberal John McKay

Mr. Davies.

5:10 p.m.

National Financial Services Cyber Leader, EY

Thomas Davies

Sure, we try to focus on protecting data from end unit to end unit. While it's in transit, no one else should be able to read it. That is the goal, depending on whether people have the technology to be able to intercept and change and whatnot.... That is advanced technology. It is possible, but by taking the basis that only one entity can read and send, and then once it enters its exit phase, it is then decoded and read again, it's exactly what Mr. Green just said. It can be done by private network or it can be done by public network, but that is the focus.

5:15 p.m.

Liberal

The Chair Liberal John McKay

Your clients would not have a private network, would they?

5:15 p.m.

National Financial Services Cyber Leader, EY

Thomas Davies

It depends on what kinds of systems they are using. For example, there are private networks between the banks for SWIFT messaging, wire transfers and such, and then there are public networks for dealing with their customer bases.

It depends on what criticality of asset they are resolving. For example, in a lot of cases they will have dedicated private networks for their third party service providers as well.

5:15 p.m.

Liberal

The Chair Liberal John McKay

We had one security person describe it as secure here, secure here and a cardboard box in between.

Wouldn't a number of your clients have exactly that issue: whether the cardboard box is here, or there, or in between, it's still unsecure?

5:15 p.m.

National Financial Services Cyber Leader, EY

Thomas Davies

To reduce that is the goal. It's like coding a message when we used to send messages back and forth during the war in indigenous languages so they couldn't be read midstream. We do the same thing today. As a message is being sent through the wire, you try to keep it as decoded as possible, but once it gets to its destination, someone has a token or a key to unlock the information and understand what's there.

5:15 p.m.

Liberal

The Chair Liberal John McKay

Mr. Gordon, do you want to add anything?

5:15 p.m.

Executive Director, Canadian Cyber Threat Exchange

Robert Gordon

From the very narrow perspective of the CCTX, it's not going to matter because that responsibility will reside with each one of our members having to deal with it. Depending on the type of member we have, they will be dealing with it from the financial institutions or they will be relying on the public network.

5:15 p.m.

Liberal

The Chair Liberal John McKay

What do you mean it doesn't matter?

5:15 p.m.

Executive Director, Canadian Cyber Threat Exchange

Robert Gordon

I'm not monitoring their networks so I don't see what all of my members are seeing. What I get is the result of what they are looking at on their network, and when they see anomalies coming in, that's what I actually see. I'm not sitting and watching what's going on inside their network.