Why PCI Has Not Reduced Fraud
Written by David Taylor
GuestView Columnist David Taylor is the Founder of the PCI Knowledge Base and a former E-Commerce and Security analyst with Gartner.
One of the most persuasive ROI arguments used to justify spending thousands (even millions) of dollars on PCI compliance was that implementing all those PCI-mandated security controls would help reduce fraud, as well as security breaches.
Merchants have been encouraged to balance their spending costs against the savings due to having fewer breaches and less fraud. In the end, PCI compliance would translate into profits for the merchant due to fewer chargebacks, less internal fraud and a lower risk of security breaches. Great theory. But, like most theories, it hasn’t quite worked out that way.
It’s striking how little impact PCI-mandated controls have had on fraud and risk managers. Much of this is because of how these managers do their jobs and the tools they use. Even before PCI, these managers had a toolkit of products and services that helped them identify potentially fraudulent transactions or actions.
For E-Commerce merchants, the decision whether to cancel potentially fraudulent transactions had been made based on AVS (address verification), CVV (card verification value), velocity checks, Verified by Visa, MasterCard SecureCode, and other, newer transaction analysis tools, rather than based on PCI-mandated system logs, access control records, or any of the system monitoring tools.
Many risk managers find the PCI controls valuable in catching cases of internal fraud, such as by call center employees or IT department employees. But the main task of fraud management – reducing external fraud – is not really helped, on a day-to-day basis, by PCI-mandated controls or the reporting tools that are available to monitor these controls. I see this as an opportunity, rather than a criticism.
There is a real need for fraud analytics that integrate PCI controls and are designed specifically for the fraud management department, rather than for the IT management department. If anyone is aware of tools that can connect PCI controls with fraud monitoring, please let me know.
PCI compliance statistics are meaningless when it comes to measuring whether PCI is having a positive impact on how a retailer manages its business. Some merchants simply treat PCI compliance as a project, which they run out of the IT department. The commitment to compliance is strong within IT, and even though employee training about PCI basics is in place, many operations groups don’t see the value from compliance.
Sometimes they don’t see the value because they aren’t invited to the meetings. Other times, it’s because they don’t get the reports. Mainly, it’s because no one has sat down with them and made the “translation” of the PCI controls into information they can use to help them do their job.
No one has forced—or “encouraged”—them to do more than simply be careful in how they handle credit card data. In short, the business value of the PCI-mandated controls is a “by-product” of compliance.
The only way to understand the relationship between compliance and the benefits of the mandated controls is on a job-by-job basis. This is another opportunity. It’s less a software opportunity and more a training opportunity.
In addition to training employees about PCI compliance itself, PCI managers should also expend effort to understand how key managers – such as fraud and risk managers – do their job, and then determine the types of reports they would benefit from and work to help these managers understand how to interpret the reports.
Helping business managers see daily benefit from PCI-mandated reporting will help move PCI beyond the “IT project” status it occupies in many large and midsize companies.
Our research on PCI and Fraud Management will continue at least throughout the summer, and if you are involved in this area, we’d certainly like to get you involved in the program, because we believe the results will benefit you and your company. To discuss this topic or view our research, please visit the PCI Knowledge Base. If you want to have a personal discussion about this, just send me an E-Mail at David.Taylor@KnowPCI.com.
June 17th, 2009 at 10:26 pm
I’m having a problem getting my head around the concept that PCI reduces fraud for the merchant in compliance. Maybe in a remotely peripheral sense if a few of the hacked cards resulting from non-compliance are used against the merchant from whom they are stolen.
I don’t see any other ROI for an individual merchant unless they are breached and were not in compliance. Then, the ROI in the form of avoided fines can be significant.
I’m not against PCI compliance and I’d agree that overall it can certainly reduce fraud collectively for the merchant community. But to say that it will reduce fraud for the merchant in compliance is a stretch.
Tom Mahoney, Director
Merchant911.org
June 18th, 2009 at 11:06 am
I think this position is hard to quantify with respect to an actual security ROI – PCI s/b viewed within the context of a larger defense in depth strategy (and especially collectively for the community at large). As such and with any batch of stats one can argue both ways – I for one see value in PCI – if and when it is applied correctly, i.e., when driven by a risk-based approach.