Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

November 14, 2011

Evidence for PCI’s effectiveness in the fight against fraud

Despite the PCI Council's best efforts and laudable goals, the effectiveness of its data security standard, PCI DSS, is frequently questioned. This standard is sometimes disparaged as expensive and ineffective. One critic has even decried the standard as a "false god." Such criticisms have stuck in part because it is difficult to know how many breaches would have occurred if it weren't for the PCI standard, and supporters have essentially been left to argue a counterfactual. The PCI Council has long maintained that no organization that has been breached has been found to have been compliant at the time of the breach, but the claim has never been fully validated.

Contrary to the claims of PCI DSS critics, however, Verizon has collected some data that support the value of PCI. The Verizon 2011 Payment Card Industry Compliance Report provides evidence that PCI compliance is effective at preventing breaches, and that the most compliant organizations are the least likely to be breached. The Verizon report provides a detailed analysis of compliance and breach threats across their client portfolio. The report reviews the cases of annual audit clients to assess compliance across the 12 PCI DSS requirements. The report also lays out the authors' retroactive assessment of the compliance of organizations that used the firm's forensic services after they suffered a breach.

The report ends up offering two very different perspectives: that of organizations proactively pursuing PCI compliance and that of organizations reacting to a breach that may not have previously emphasized compliance. The study sample consists of more than 100 reports from primarily American and European companies, and this is the second year that the study has been published (see the 2010 report here).

Figure 3: Distribution of testing procedures met at IROC

At first glance, the report's findings seem discouraging because only 21 percent of organizations are found to be fully compliant at the beginning of the audit. However, the researchers assessed each organization's compliance across each requirement, and found that a further 37 percent were compliant across 90 to 99 percent of requirements.

Verizon conducted these assessments to help clients identify gaps and prepare them for their annual audit process. Once Verizon issued their Initial Reports of Compliance, the organizations then worked to fill all gaps and achieve full compliance. Of course, achieving full compliance is not a simple task. Full PCI compliance is extremely complex and requires ongoing testing and updates, and many organizations succumb to complacency and fatigue between audits. They may not respond to changing circumstances, and in fact the researchers found that compliance levels sometimes deteriorated over the course of the year.

Table 3: Percent of organizations meeting PCI DSS requirements

The complexity of achieving full compliance is one reason the PCI Council released the Prioritized Approach to compliance in 2009. These guidelines are intended to help firms with limited resources tackle the most effective security requirements first. Unfortunately, the researchers found no evidence that organizations had implemented this prioritization, which raises the concern that companies are not taking a strategic approach to the compliance process.

In the second half of the Verizon report, the researchers tried to tease out how breached companies are attacked and what characteristics made them most vulnerable. They found that breached companies were less likely to meet individual PCI requirements, and that their overall scores were on average 50 percent worse than those of nonbreached clients. Additionally, every threat action identified by the forensic team could have been prevented with full PCI compliance.

Jen Mack, the director of Verizon's PCI Services, believes that the Verizon report shows that PCI is effective. She says, "It's clear the standards provide protection for card data if organizations implement them correctly and maintain them throughout the year." Verizon's report does provide strong evidence that PCI DSS is an effective tool for preventing breaches and combating fraud. Since data breaches are repeatedly recognized as a major threat to the payments industry, it is critical to leverage tools like PCI DSS. How can the PCI Council encourage increased compliance among merchants and other organizations? Will increased recognition of the standard's effectiveness lead to greater adoption?

By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

November 14, 2011 in data security, fraud, payments risk


At a time when consumer trust of financial institutions is at an all-time low, companies that deal with consumer information should be taking a proactive approach to their security. The protection of consumer data is of utmost importance and the reputation of their brand hangs in the balance. Conducting audits internally or hiring a third party to do so on a regular basis to ensure companies are meeting PCI standards will help them stay vigilant about their security and regain their customers' trust.

Posted by: Cassie Fulton | December 6, 2011 at 05:10 PM

Whether PCI is effective in reducing fraud or not is not the issue. The question is whether it is COST EFFECTIVE. More specifically: Could a different approach achieve the same or better results, at lower cost?
Many experts consider PCI to be too expensive and difficult to implement for what it has achieved--and much less effective than could be accomplished using a more practical "risk based" approach.
The PCI program was poorly planned and is poorly managed, and has been co-opted by the QSA industry, which generates immense revenues from the ever-expanding scope and complexity.
The card brands do not seem to care about the expense, however, as the vast majority of the cost for PCI must be borne by the merchants.
The fact that "no organization has been found to have been compliant at the time of a breach" only underscores the problem, and speaks to the fruitlessness of merchants' efforts toward PCI compliance.

Posted by: Security Sam | November 16, 2011 at 04:37 PM

The fight against fraud is not an easy one and the fact that the number of breaches has been decreasing lately is down to the hard work from various parties, including the PCI Security Standards Council.
PCI DSS reassures consumers that cyber crime is taken seriously by the whole industry and that their card details will not be compromised.

Posted by: PayPoint.net Merchant Services | November 15, 2011 at 09:26 AM
