PCI DSS and Regulatory Compliance Blog

The Gestalt of PCI

February 21st, 2007 Posted in Banking, Card Brands, Compliance, Credit Card Fraud, Government, Merchant, PCI DSS, Service Provider

Michael Farnum wrote on “Here’s why PCI DSS exists” in response to a Boston Globe article on the Stop & Shop credit card compromise. His analysis is correct but needs some clarification. The debate is over who pays (or writes off) the cost of credit card compromises and fraudulent transactions.

According to one person quoted by the Boston Globe, “The credit card company eats it.” This is (mostly) not true.

Another blogger writes, “the PCI standards weren’t created to help consumers, they were created to protect the credit card companies from fraud and to transfer the risks from the credit card companies to merchants and merchant banks.” This is cynical and NOT true.

Michael has it partially correct when he says:

If the consumer was responsible for fraudulent charges, the credit card companies would not put any real effort into stopping this type of crime, and we would be responsible for protecting our own data. But since the credit cards are responsible, the economic driver to be more proactive on security is clear.

In order to really understand why PCI DSS exists, we have to understand how people perceive risk, not just how the dollars move. Someone once told me, “there is price and there is cost.” Let’s explore these a little more.

Cost of Credit Card Fraud

Who pays for fraudulent transactions? The details are too many to cover here, but in broad terms the Issuing Bank pays the majority of the cost, the Acquiring Bank pays a lesser amount, and the Merchant pays the least. (The Merchant carries a high liability through cost recovery programs and lawsuits, but pays indirectly rather than directly.)

So the Issuing Bank is the one who eats the cost of credit card fraud, but it is not in a (direct) position to prevent it: the card data is stored, processed, and transmitted by Merchants, Service Providers, and Acquirers that the Issuer does not control. This creates a disconnect, because before the PCI DSS there was no incentive for the Merchants, Service Providers, and Acquirers to secure credit card data. Why should they? It was the Issuers who paid for it.

The PCI DSS was introduced to make those who store, process, or transmit your credit card information directly responsible for its safety and security. The funny thing is that the “credit card companies”, meaning the card brands/associations such as Visa/MasterCard, make money regardless of credit card fraud. It is only Discover/American Express, who act as both Issuer and Acquirer, that “eat it”.

Price of Credit Card Fraud

Remember, there is a difference between ‘cost’ and ‘price’. The price of credit card fraud is a reduction in consumer confidence. People are more scared of using their credit card on the Internet than of using it in a retail store. The reality is that it is (usually) safer to make online transactions than brick-and-mortar ones. Imagine how well online businesses would be doing, or how much better they would be doing, if people had higher confidence in online shopping!

If credit card compromises keep rising and keep appearing in the news, they will eventually erode consumer confidence in the use of credit cards. This would directly impact merchants, both online and offline, as well as credit card programs and initiatives.

This is a price far greater, but less direct, than the dollars lost to the fraudulent use of credit cards. The PCI DSS not only secures the data; in doing so it helps rebuild consumer confidence in credit cards and their safe use.

Private Industry Standards

The one thing I totally agree with Michael about is where he says this:

FYI, I am thrilled that this is a private industry standard and not something the government tried to build. HIPAA, SOX, GLBA, etc. are proving to be ineffective for the most part, so one more regulation to try to solve this problem is not needed or wanted.

Most people never understand this point. I hear merchants constantly complain about having to comply with PCI DSS, but that is because most don’t understand how easy it is compared with things like SOX or GLBA.

I have walked into merchants and seen audit rooms devoted full time to SOX work. In fact, many of them have the words “SOX Audit Room” etched in metal beside the door. I want someone to show me a company that has a “PCI DSS Room”. It’s nowhere near as difficult, arduous, or costly as the government-mandated regulations.

7 Responses to “The Gestalt of PCI”

  By Mark Mac Auley on Feb 22, 2007

    PCI to me is a proactive mechanism for the credit card companies to help do the right thing for banks, for consumers and for the trillion dollar business they’re in.

    The larger issue is that identity information has value, more so than account information, and if you get both - Yahtzee!

    Since the cards are the binding mechanism, they in essence sit in the middle of the PCI world and I believe it’s the right place from which to do something.

  By datasecurity on Feb 22, 2007

    Credit cards, as they say, are where the money is. So are bank account numbers and any method that gains access to financial funds (i.e. PayPal accounts, online merchant accounts, etc.)

    The card associations/brands are doing some great work and taking heat for not moving fast enough. But this is an imperfect science. Every time a compromise occurs people say they are not doing enough, but when compromises do not occur they complain they are pushing too hard.

    People’s perceptions of risk, compliance, and security sometimes matter more than the actuality behind them. Bruce Schneier talked at RSA about the fact that you can:

    • be secure, but not feel secure
    • feel secure, but not be secure
    • be secure while feeling secure (the sweet spot)
    • be insecure, while feeling insecure (the danger zone)

    What the card associations are doing is trying to balance the desires of the merchants, banks, and cardholders while making everyone feel good about the process. This is not an easy task and one for which you never get the credit you deserve.

  By Alex Bakman on Feb 23, 2007

    A great article to help people understand the ins and outs of PCI DSS. I do want to add on the point of “who pays?”.

    The sad part is that ultimately it is consumers, people like us, who have to pay. Our economy, 2/3 of it, is based on consumer consumption, and credit cards have helped facilitate the consumption. The ease of use helps people shop. If consumer confidence begins to suffer, we are in trouble.

  By datasecurity on Feb 23, 2007

    In a philosophical way we all pay, but this is like saying that we all suffer from war; it’s true but hard to quantify. I am not disagreeing, only reminding the individual consumer that they (usually) have zero liability for fraudulent credit card purchases.

    When asked who ‘pays’ in the philosophical sense I usually say, the people who don’t pay their credit card off each month. They are the ones who finance the industry.

  By Nigel Mellish on Feb 23, 2007

    “Another blogger writes, “the PCI standards weren’t created to help consumers, they were created to protect the credit card companies from fraud and to transfer the risks from the credit card companies to merchants and merchant banks.” This is cynical and NOT true.”

    You both have it wrong. The PCI standards were created when Wal Mart threatened to not accept a particular credit card brand. MasterCard SDP and the others were created because of GLBA pressures banks face. Those companies, like TJX and DSW before them, have no interest in the PII of a few hundred thousand people.

  By datasecurity on Feb 23, 2007

    Nigel, I understand what you are saying but I partially disagree.

    Yes, the FDA was created after books like The Jungle by Upton Sinclair.
    Yes, the SEC was created after the stock market crash of 1929.
    No, PCI was not created as a result of the Wal-Mart suit.

    PCI, CISP, AIS, and other credit card security compliance programs are a result of things like TJX and DSW, as you mention. As compromises increase, the consumer population begins to take notice. If this happens, slowly your elected representatives take notice and pass laws that regulate the industry. Programs such as PCI are meant to proactively manage the threat of credit card fraud and bring it under control before the Federal government regulates it, as with SOX and GLBA.

    I can guarantee you that MasterCard’s SDP program had nothing to do with GLBA. They are not even related in their scope or coverage. SDP addresses Internet vulnerability scanning only while GLBA addresses “safeguarding customer information” through the use of risk assessments.

1 Trackback

  Feb 26, 2007: Seek first to understand, and then to be understood at PCI Compliance Demystified