The PCI Fraud Argument Conundrum

Written by David Taylor
February 25th, 2009

GuestView Columnist David Taylor is the Founder of the PCI Knowledge Base, Research Director of the PCI Alliance and a former E-Commerce and Security analyst with Gartner.

Why do retailers, service providers and financial institutions strive to achieve and maintain PCI compliance (assuming they do)? Mostly, they do it because it’s mandated by the card brands and their card acquirer. Too often lost in the coercive relationship that drives PCI, however, is the intent of the standards: fraud reduction. A few simple Google searches will confirm that the links between PCI compliance and fraud reduction are largely unexplored and unproven.

  • Connecting Breaches, PCI Compliance And Fraud
    As we’ve noted previously, being PCI compliant won’t stop breaches. It also won’t stop fraud. Standards, by their very nature, cannot be adjusted fast enough to incorporate the latest technological advances (by good people or bad people). And their implementation is always imperfect, even if a company manages to score 100 percent on the “PCI test.”

    However, if the focus of compliance is shifted to “detection” of a breach or any resulting fraud, the value of PCI controls becomes clearer. Don’t think of PCI as building a wall around your credit card or other confidential data. Think of PCI controls as enabling improved fraud and breach analysis.

  • Lots More Security Data For Analysis
    Very few organizations incorporate PCI controls data into their fraud analytics process. Sometimes it’s because the fraud analysts have a specific set of tools they use and these tools do not incorporate any awareness of (or data from) PCI controls. Other times it’s because the analysis of PCI controls data is too technically focused–whether a specific control is in place and whether it is detecting unauthorized access.

    The missing connection between the data that PCI controls generate and the fraud analytics process may be related to the usability or granularity of the PCI controls data. On the other hand, the connection may be missing because the fraud analytics process is run out of accounting and finance while PCI is being run out of IT or the compliance office. Whether the problem is technical, analytical or organizational, it would be very valuable to get people from all these divisions talking about how to use all the data that PCI controls generate to improve fraud and/or security breach detection.

  • Operationalizing PCI Compliance
    PCI compliance has not been “operationalized” by 95 percent of merchants. As such, even for those who have achieved compliance and (hopefully) are working to maintain it, the business value of PCI compliance is going unrealized. One reason is (and will continue to be) that PCI is too “technology focused” for business managers, accountants or internal auditors to want to own it or use the data its controls generate. This schism creates an opportunity for what we’re calling “PCI Analytics,” which is a type of tool or service that makes PCI controls data usable by business analysts for the purposes of fraud detection and risk management. Even though PCI requirement 12.1.2 requires a risk analysis, PCI controls themselves typically have little or no impact on any corporate risk analysis. This situation is true despite the fact that a lack of certain PCI controls almost unquestionably increases the material risk of potential security breaches an enterprise faces.

  • The Bottom Line
    We will increasingly focus our 2009 research on developing links between PCI compliance, fraud analytics and risk management because these links are key to demonstrating the business value of PCI compliance beyond avoiding fines and satisfying the demands of acquiring banks. Needless to say, if you have any involvement in, or even just an interest in, proving the business value of PCI compliance, please visit the PCI Knowledge Base. If you’d like to participate in our research, send an E-mail to

    4 Comments

    1. Luther Martin Says:

      It would be just as interesting to see how correlated the outcome of other audits are with the actual security of systems. What does an SAS 70 audit really tell you about security?

    2. Dave Taylor Says:

      Synching audit reports and security is tough, as you know, and I agree it will be worth researching. As for SAS 70 audits, I tend to be pretty negative on their effectiveness, even Type II. But your point is excellent.

    3. Bruce Sussman Says:

      I would take respectful exception to anyone who might be tempted to cast doubts on the effectiveness of SAS 70 audits. SAS 70 audits can be crafted to meet security objectives – it is up to the user community – that means the wholesale end users – to express their requirements to the servicer. If the servicer is not presented with a mandate for a meaningful security related control objective, they may take the path of least resistance. It is up to the servicer’s customers to express what they need.

    4. David Taylor Says:

      The reason I tend to be negative on SAS 70 audits is that the company being audited has too much control (IMHO) over the nature and depth of the audit. You’re right that they can be made effective, but that is not what I hear from the companies that we’ve interviewed. Our view is taken from our research. I gather you’re a SAS 70 auditor, and I’m sure you and your company do an excellent job, but many companies are taking advantage of the flexibility inherent in the process. One of the reasons we like PCI assessments is that there is less room to “maneuver” for both the auditor and the auditee (if that’s a word).
      thx, Dave
