PCI and Fraud Analysis: To Have and Have Not
Written by David TaylorGuestView Columnist David Taylor is the Founder of the PCI Knowledge Base, Research Director of the PCI Alliance and a former E-Commerce and Security analyst with Gartner.
As merchants work to reduce the scope of PCI compliance and the risk due to having credit card data in their environment, some companies are actually taking access to this data away from people who need it to do their job, including the managers who are charged with investigating fraudulent credit card transactions. Instead of PCI controls helping reduce fraud, for some companies, they are making fraud detection more difficult.
We all know that PCI compliance creates dividing lines. Flat networks must be segmented. The number of databases that store—and applications that use—cardholder data needs to be reduced and the number of persons with full card number access needs to be reduced as well. The whole process of separating the “haves” from the “have nots” often leads to arguments and requires extensive justification on the part of those who maintain they must have the ability to see unencrypted card data in order to do their job.
This seems obvious: Why should marketing have access to full, unencrypted credit card data? Yet it still provokes arguments. Not because of the people or policies, but simply because of the applications and the costs of changing them. Two years ago, we talked to merchants who were able to get away with this, using compensating controls that reduced data volumes, logged each access, and restricted access to batches of transactions, etc.
Today, however, that sort of explanation will not fly with an assessor or processor who reviews an assessment. Although card data is still described by merchants we speak with as being “all over the place,” this is one department that is definitely a “have not.”
Loss Prevention is a more tricky call. Some LP departments are also responsible for E-Commerce LP (i.e., fraud analysis) as well as physical security, so they do have “caseloads” that include verifying specific transactions with banks. This may be a manual process that is the “back end” to the fraud analytics group, which are the folks who use the automated tools.
In other cases, the fraud management organization is completely separate from LP. In such cases, LP can probably get away with having “only” the cardholder name, plus the first 6 and last 4 digits of the card number. This will be sufficient for most purposes, especially when the investigation is manual and they’re talking about a specific case with a bank.
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
