Why PCI Has Not Reduced Fraud

Written by David Taylor
June 17th, 2009

GuestView Columnist David Taylor is the Founder of the PCI Knowledge Base and a former E-Commerce and Security analyst with Gartner.

One of the most persuasive ROI arguments used to justify spending thousands (even millions) of dollars on PCI compliance was that implementing all those PCI-mandated security controls would help reduce fraud, as well as security breaches.

Merchants have been encouraged to balance their spending costs against the savings due to having fewer breaches and less fraud. In the end, PCI compliance would translate into profits for the merchant due to fewer chargebacks, less internal fraud and a lower risk of security breaches. Great theory. But, like most theories, it hasn’t quite worked out that way.

  • The PCI Connection to Fraud Management is Tenuous
    It’s striking how little impact PCI-mandated controls have had on fraud and risk managers. Much of this is because of how these managers do their jobs and the tools they use. Even before PCI, these managers had a toolkit of products and services that helped them identify potentially fraudulent transactions or actions.

    For E-Commerce merchants, the decision whether to cancel potentially fraudulent transactions had been made based on AVS (address verification), CVV (card verification value), velocity checks, Verified by Visa, MasterCard SecureCode, and other, newer transaction analysis tools, rather than based on PCI mandated system logs, access control records, or any of the system monitoring tools.

    Many risk managers find the PCI controls valuable in catching cases of internal fraud, such as by call center employees or IT department employees. But the main task of fraud management – reducing external fraud – is not really helped, on a day-to-day basis, by PCI-mandated controls or the reporting tools that are available to monitor these controls. I see this as an opportunity, rather than a criticism.

    There is a real need for fraud analytics that integrate PCI controls and are designed specifically for the fraud management department, rather than for the IT management department. If anyone is aware of tools that can connect PCI controls with fraud monitoring, please let me know.
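To make the point in the paragraphs above concrete, here is an added example of the kind of transaction-level screen a fraud manager actually runs: it scores each authorization on the AVS result, the CVV result and a per-card velocity check, and never consults a system log or access-control record. This is illustrative code written for this page, not a tool from the column, the PCI Knowledge Base or any processor; the risk weights, thresholds, ten-minute window, card tokens and the sample transactions are all assumptions constructed for the example, and the single-letter AVS/CVV codes follow the common convention (AVS Y = full match, N = no match, U = unavailable; CVV M = match, N = no match, P = not processed).

```python
"""Illustrative e-commerce fraud screen (added example, not from the column).

Scores each authorization on the transaction-level signals the column lists
(AVS, CVV, velocity) rather than on PCI-mandated system logs. All weights,
thresholds and sample data below are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

VELOCITY_WINDOW = timedelta(minutes=10)   # assumed sliding window per card token
VELOCITY_LIMIT = 3                        # assumed: more than 3 attempts in window is suspicious
REVIEW_THRESHOLD = 30                     # assumed score bands: <30 accept, 30-79 review, >=80 decline
DECLINE_THRESHOLD = 80

# Assumed risk weights for AVS and CVV response codes; unknown codes get a default.
AVS_RISK = {"Y": 0, "N": 40, "U": 15}
CVV_RISK = {"M": 0, "N": 40, "P": 15}
UNKNOWN_CODE_RISK = 20

# Constructed sample authorizations: (ISO timestamp, card token, amount, avs_code, cvv_code).
# Tokens stand in for the PAN; a real screen would never see the full card number.
SAMPLE_TXNS = [
    ("2009-06-17T10:00:00", "tok_1111", 49.99, "Y", "M"),   # clean order
    ("2009-06-17T10:01:00", "tok_2222", 120.00, "N", "N"),  # address and CVV both fail
    ("2009-06-17T10:02:00", "tok_3333", 15.00, "Y", "M"),   # start of a card-testing burst
    ("2009-06-17T10:02:30", "tok_3333", 15.00, "Y", "M"),
    ("2009-06-17T10:03:00", "tok_3333", 15.00, "Y", "M"),
    ("2009-06-17T10:03:30", "tok_3333", 15.00, "Y", "M"),   # 4th attempt in 10 min trips velocity
    ("2009-06-17T10:05:00", "tok_4444", 300.00, "U", "P"),  # neither check could be performed
]


def score_transactions(txns, window=VELOCITY_WINDOW, limit=VELOCITY_LIMIT):
    """Return one decision record per transaction, in input order.

    Velocity is tracked with a sliding window of attempt timestamps per token,
    so the check is stateful across the batch but needs no external store.
    """
    recent = defaultdict(deque)
    results = []
    for ts, token, amount, avs, cvv in txns:
        t = datetime.fromisoformat(ts)
        attempts = recent[token]
        # Drop attempts that have aged out of the window before counting this one.
        while attempts and t - attempts[0] > window:
            attempts.popleft()
        attempts.append(t)

        score = 0
        reasons = []
        avs_risk = AVS_RISK.get(avs, UNKNOWN_CODE_RISK)
        cvv_risk = CVV_RISK.get(cvv, UNKNOWN_CODE_RISK)
        if avs_risk:
            score += avs_risk
            reasons.append(f"avs={avs}")
        if cvv_risk:
            score += cvv_risk
            reasons.append(f"cvv={cvv}")
        if len(attempts) > limit:
            score += 50
            minutes = int(window.total_seconds() // 60)
            reasons.append(f"velocity={len(attempts)} attempts in {minutes} min")

        if score >= DECLINE_THRESHOLD:
            decision = "decline"
        elif score >= REVIEW_THRESHOLD:
            decision = "review"
        else:
            decision = "accept"
        results.append({"token": token, "amount": amount, "score": score,
                        "decision": decision, "reasons": reasons})
    return results


if __name__ == "__main__":
    for r in score_transactions(SAMPLE_TXNS):
        print(f"{r['token']} {r['amount']:>7.2f} {r['decision']:7} score={r['score']:<3} {r['reasons']}")
```

Nothing in this screen reads a PCI Requirement 10 audit log or an access-control record, which is the column's point: the signals that drive the accept/review/decline decision come from the authorization message itself. Feeding access-log anomalies (for example, a call-center login that exported card data shortly before a burst of refunds) into the same scoring function is where the "fraud analytics that integrate PCI controls" the author asks for would plug in.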

  • PCI is Still an Annual IT Project
    PCI compliance statistics are meaningless when it comes to measuring whether PCI is having a positive impact on how a retailer manages its business. Some merchants simply treat PCI compliance as a project, which they run out of the IT department. The commitment to compliance is strong within IT, and even though employee training about PCI basics is in place, many operations groups don’t see the value from compliance.

    Sometimes they don’t see the value because they aren’t invited to the meetings. Other times, it’s because they don’t get the reports. Mainly, it’s because no one has sat down with them and made the “translation” of the PCI controls into information they can use to help them do their job.

    No one has forced—or “encouraged”—them to do more than simply be careful in how they handle credit card data. In short, the business value of the PCI-mandated controls is a “by-product” of compliance.

    The only way to understand the relationship between compliance and the benefits of the mandated controls is on a job-by-job basis. This is another opportunity. It’s less a software opportunity and more a training opportunity.

    In addition to training employees about PCI compliance itself, PCI managers should also expend effort to understand how key managers – such as fraud and risk managers – do their job, and then determine the types of reports they would benefit from and work to help these managers understand how to interpret the reports.

    Helping business managers see daily benefit from PCI-mandated reporting will help move PCI beyond the “IT project” status it occupies in many large and midsize companies.

  • The Bottom Line
    Our research on PCI and Fraud Management will continue at least throughout the summer, and if you are involved in this area, we’d certainly like to get you involved in the program, because we believe the results will benefit you and your company. If you want to view our research, please visit the PCI Knowledge Base. If you want to have a personal discussion about this, just send me an E-Mail at


    2 Comments

    1. Tom Mahoney Says:

      I’m having a problem getting my head around the concept that PCI reduces fraud for the merchant in compliance. Maybe in a remotely peripheral sense if a few of the hacked cards resulting from non-compliance are used against the merchant from whom they are stolen.

      I don’t see any other ROI for an individual merchant unless they are breached and were not in compliance. Then, the ROI in the form of avoided fines can be significant.

      I’m not against PCI compliance and I’d agree that overall it can certainly reduce fraud collectively for the merchant community. But to say that it will reduce fraud for the merchant in compliance is a stretch.

      Tom Mahoney, Director

    2. joel weise Says:

      I think this position is hard to quantify with respect to an actual security ROI – PCI should be viewed within the context of a larger defense in depth strategy (and especially collectively for the community at large). As such, and with any batch of stats, one can argue both ways – I for one see value in PCI – if and when it is applied correctly, i.e., when driven by a risk based approach.



