Quite a lot has been written recently about the difficulty of quantifying ROI from PCI programs. Those concerns are legitimate, but they don't mean that PCI compliance does not (or cannot) help reduce fraud.
It just means that the standard itself, along with current metrics, software tools, reporting and established business procedures, hasn't been adapted to take advantage of the controls and reporting that PCI enables. In short, merchants have focused most of their effort (and spending) on getting compliant, and hardly any on the "business by-products" of compliance, such as fraud reduction. Some examples:
Of all the PCI DSS requirements, 3.2, which prohibits storing sensitive authentication data after authorization (most importantly the full contents of the magnetic stripe, i.e., track data), is perhaps the most important in stopping external credit card fraud. Because track data can be used to clone a working magnetic-stripe card, eliminating this data from merchant systems is critical to reducing the ease with which organized crime (i.e., "fraudsters") can commit card fraud.
Requirement 3 is also critical for reducing both internal and external card fraud because its PAN masking rules (along with the US Fair and Accurate Credit Transactions Act, aka FACTA) are the reason full card numbers no longer appear on printed receipts. Before those rules, full numbers were printed on terminal receipts, shown on publicly visible terminal displays, displayed in call center applications and exposed in thousands of other places where individuals could casually or intentionally copy them and use them later to commit card fraud (e.g., in a card-not-present transaction).
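The two controls above translate into a check any merchant can run: scan logs, databases and terminal dumps for stored track data, and make sure any PAN that must be displayed is masked. The following Python scanner is an added example for this column, not part of the original text or of the PCI DSS itself. It assumes the ISO/IEC 7813 track layout (Track 1 starting with `%B`, Track 2 starting with `;`, both ending in `?`), validates the PAN with the Luhn check to cut down on false positives, and masks to first six and last four digits, the most a display is allowed to show under requirement 3.3. The log lines it scans are constructed for the example.

```python
import re

# Track 1 (ISO/IEC 7813): %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
# Track 2:               ;<PAN>=<YYMM><service code><discretionary data>?
# Both patterns assume the start/end sentinels survived, which is how raw
# swipe data usually lands in a log or a poorly designed POS database.
TRACK1 = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})[^?]*\?")
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; every real PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN to first six / last four, the maximum PCI DSS 3.3 permits on a display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(text: str) -> list[dict]:
    """Return every track-1/track-2 record found in text, with a masked PAN and Luhn verdict."""
    findings = []
    for m in TRACK1.finditer(text):
        findings.append({"track": 1, "pan": m.group(1), "expiry_yymm": m.group(3),
                         "service_code": m.group(4), "offset": m.start()})
    for m in TRACK2.finditer(text):
        findings.append({"track": 2, "pan": m.group(1), "expiry_yymm": m.group(2),
                         "service_code": m.group(3), "offset": m.start()})
    for f in findings:
        f["luhn_ok"] = luhn_valid(f["pan"])
        f["masked_pan"] = mask_pan(f["pan"])
        del f["pan"]            # never carry the full PAN into the report itself
    return sorted(findings, key=lambda f: f["offset"])


def scan_log(text: str) -> list[dict]:
    """Scan a multi-line log and tag each finding with its 1-based line number."""
    report = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for f in find_track_data(line):
            f["line"] = lineno
            report.append(f)
    return report


# Constructed sample POS log: two real-looking swipes (test PANs), one compliant
# last-four line, and one garbage swipe whose PAN fails Luhn.
SAMPLE_LOG = """\
2024-05-01 12:00:01 POS-07 swipe ok txn=1001 data=%B4111111111111111^DOE/JANE^29121011000000000000?
2024-05-01 12:00:02 POS-07 swipe ok txn=1002 data=;5555555555554444=29121011000000000000?
2024-05-01 12:00:03 POS-07 auth approved txn=1001 pan_last4=1111
2024-05-01 12:00:04 POS-07 bad swipe txn=1003 data=;1234567890123456=29121010000000?
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: track {hit['track']} data, PAN {hit['masked_pan']}, "
              f"exp {hit['expiry_yymm']}, luhn_ok={hit['luhn_ok']}")
```

Line 3 of the sample is what a compliant log should look like (last four only) and produces no finding. A hit with `luhn_ok` false is still worth a look, since track data with a corrupted PAN is still evidence that the application is logging swipes; a hit with `luhn_ok` true is a requirement 3.2 violation that needs the data purged and the code path fixed. Real stored data sometimes drops the sentinels, so a production scanner should also run a plain PAN-plus-expiry pattern.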
One of the few PCI DSS requirements specifically directed at reducing external fraud is 6.6, which requires that public-facing web applications be protected against well-known vulnerabilities, such as those on the OWASP Top Ten list, through application vulnerability assessments or a web application firewall. Considering that vulnerabilities such as SQL injection can be used to extract massive quantities of data from poorly designed web applications, this requirement is especially important as a tool to prevent external fraud.
The principle of least privilege, which is built into the access control requirements in 7.1 of PCI DSS, has significantly reduced the number of persons who have access to card data. In addition, by requiring a unique ID for every user (requirement 8.1) and thereby eliminating shared accounts and passwords, the standard significantly reduces the chances that an employee or contractor can steal data undetected by hiding behind generic IDs such as "night_cashier" or "tech_support."
The PCI DSS requirements regarding data management, key management, software development and other areas mandate a separation of duties, so that no single privileged employee can steal large volumes of card data without the knowledge or approval of another person. This makes internally generated fraud much more difficult. Collusion among multiple employees is extremely rare, compared with situations where a single disgruntled employee can exploit his/her access to commit fraud or steal large volumes of credit card data.
The physical security controls in requirement 9 may actually be more important in reducing external fraud than most people give them credit for. As awareness of PCI and of data security in general has grown, socially engineering customer service representatives, administrative assistants or retail store employees into giving up information has become much more difficult.
In addition, PCI requirements have resulted in far fewer of these employees having access to the data in the first place, further reducing the chances of fraud.
I didn't mean for this list to be exhaustive. In fact, I'm hoping that our readers will think of other examples of how PCI compliance helps reduce fraud and email them to me, or add them to this column via the comment feature. If you want to view our research, please visit the PCI Knowledge Base. If you want to have a personal discussion about PCI and its value in reducing fraud, just send me an e-mail at [email protected].