Evidence of meeting #156 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was payments.
A video is available from Parliament.
5:30 p.m.
Liberal
5:30 p.m.
NDP
5:30 p.m.
Liberal
The Chair Liberal John McKay
We had held four minutes for Mr. Dubé as the next questioner, but you may want to catch your breath and we can come back to you.
5:30 p.m.
NDP
Richard Cannings NDP South Okanagan—West Kootenay, BC
I would like to catch my breath and figure out what exactly we're talking about.
5:30 p.m.
Liberal
The Chair Liberal John McKay
Well, we're trying to figure out the same thing.
Mr. Motz, you have five minutes.
5:30 p.m.
Conservative
Glen Motz Conservative Medicine Hat—Cardston—Warner, AB
Thank you, Mr. Chair.
First of all, thank you to both of the organizations for being here today.
I'll start with you, Ms. O'Brien. Canadians wonder—and I think I know the answer to this, but you can shed some light for us—if an Interac e-Transfer is traceable.
5:30 p.m.
Chief Risk Officer, Interac Corp.
Could you expand on the question? In what regard do you mean traceable?
5:30 p.m.
Conservative
Glen Motz Conservative Medicine Hat—Cardston—Warner, AB
We're talking about cybersecurity today, so if we have an issue with an e-transfer, is that e-transfer a traceable transaction, if it is to a bad actor?
5:30 p.m.
Chief Risk Officer, Interac Corp.
Part of my testimony today was about encouraging open collaboration and more information sharing and safe harbour provisions with the RCMP. The transactions are traceable. However, in today's environment, if the RCMP is looking at a bad actor, as you suggest, they will keep certain information around that bad actor secret. They will sometimes issue a production order, in which case we will share the information we have, as required by law, and then they will continue their investigation into that bad actor.
We have some information that is shared among ourselves at Interac, the financial institutions and law enforcement, wherein we can have indicators that inform our behavioural models, but how the RCMP does its tracing of bad actors is shared to us as they are able to do so.
5:35 p.m.
Conservative
Glen Motz Conservative Medicine Hat—Cardston—Warner, AB
Thank you for that.
In your opening remarks, you spoke about having a proactive sharing system, I think you called it.
Can you describe for us, in an ideal world, what the ideal sharing would be between your organization or the industry in general and law enforcement, to protect consumers? What would that look like?
5:35 p.m.
Chief Risk Officer, Interac Corp.
Sure. I'm happy to crystal-ball some great ideas in that space. We would absolutely love.... The cybercrime unit, particularly in government and the RCMP, as well as law enforcement, will regularly monitor some of the online or dark web or deep web marketplaces. Those marketplaces come up and go down quite frequently as they are trying to hide some of the marketplaces and some of the identifiable features of them.
In an open sharing environment, we would know that very quickly, and therefore we would have an ability—as to your earlier question—to trace bad actors as they come up in these online marketplaces in a closer to real-time fashion. If that information was openly shared with us, we could do a lot more to block or monitor potentially fraudulent transactions.
5:35 p.m.
Conservative
Glen Motz Conservative Medicine Hat—Cardston—Warner, AB
Payments Canada, would you care to weigh in on that question? In an ideal world, what do you see as being a vehicle or a way in which we can share information between the financial institutions or the financial industry and law enforcement to protect consumers better than we do now?
5:35 p.m.
Chief Operating Officer, Payments Canada
I'll have our CISO, Martin Kyle, respond to that, because we're active in that.
5:35 p.m.
Martin Kyle Chief Information Security Officer, Payments Canada
There are many sharing organizations and groups already in place. In our comments, we talked a little bit about an information sharing group with the Canadian Bankers Association, for example. We talked about information sharing with a non-profit, the Canadian Cyber Threat Exchange, which was represented here by a witness, I believe. We have information sharing with the Canadian Centre for Cyber Security and with the RCMP. All of these various sharing groups allow us to get more information about existing threats and learn how to detect those threats on our systems, and then allow us to respond to those threats.
5:35 p.m.
Conservative
Glen Motz Conservative Medicine Hat—Cardston—Warner, AB
You said in your opening remarks that Payments Canada transfers more than $200 billion daily through your various networks. If that's the case, how do you keep those large sums of money safe during your transfers? What does that look like?
5:35 p.m.
Chief Information Security Officer, Payments Canada
As you know, our number one priority is the security of those transfers. We enable the safety of our systems by reducing our attack surface, as we in the trade call it. We have a very small, close-knit group of members whom we support and allow into that network. That network is very segregated from other networks, and that small attack surface allows us to pay very close attention to what happens on it in identifying threats, monitoring the activities and responding to the things that occur there in real time.
5:35 p.m.
Liberal
The Chair Liberal John McKay
Thank you, Mr. Motz.
Mr. Cannings, have you caught your breath, or should I go to Ms. Dabrusin?
5:35 p.m.
NDP
Richard Cannings NDP South Okanagan—West Kootenay, BC
Thank you.
As you understand, it's a bit of a surprise for me to be here. I just got off a plane and voted, and then they took me down here. So unfortunately I have not been able to hear your testimony. I had no idea what was going on before in this study either.
A question pops into my mind about payments with chip cards. You may have covered this, and my apologies if that's the case. Canada was an early adopter, at least compared to the United States. I'm just wondering about two things. Is that an issue, that Canada has widely used chip cards and Americans have not? I'm not sure if that's changing. Is there an issue between the two countries on the security status of those systems? Should we be more worried in the United States than we are here, or vice versa?
5:40 p.m.
Chief Risk Officer, Interac Corp.
That's a very good question. We have almost eradicated fraud in Canada on the debit card with chip and PIN. It's a very effective technology and secondary control, and only the person knows the PIN. The EMV technology on the card has been very effective to date.
We do have risk in that the U.S. has not adopted EMV technology. Industry pressure is increasing for them to do so. More of their point-of-sale terminals are being enabled. They have offered chip and signature in some point-of-sale terminals, but they haven't fully migrated to a chip and PIN environment.
It's a good example where a consortium of the industry, together with payments processors in the centre of the industry and settlement partners, can combat fraud when coming together on solutions.
The risk to Canadians in the U.S. is certainly lower, but it does continue with the magnetic stripe.
5:40 p.m.
NDP
Richard Cannings NDP South Okanagan—West Kootenay, BC
Where I interact with it, it's more the inconvenience of trying to buy gas in the United States and they demand a swipe and a postal code; of course, Canadian postal codes don't work down there.
5:40 p.m.
NDP
Richard Cannings NDP South Okanagan—West Kootenay, BC
I don't know. In Texas, they have trouble with it.
I was just going to ask you about skimming devices and chips. Is that not an issue at all?
