Chip-PIN vs. PCI DSS
March 25th, 2007 by datasecurity Posted in Chip PIN, Credit Card Fraud, Europe, PCI DSS
We had a post a while back about the most recent APACS fraud numbers (released twice a year). Many of us were curious why they did not include a reference to PCI. So I emailed Sandra Quinn, their Director of Corporate Communications, with the single question:
“I assume that the APACS feels that Chip-and-PIN has reduced fraud more than PCI/AIS?”
To which she replied, “Very much so”. (She said I could quote her on that.)
But I really enjoyed reading a much longer and more detailed message she sent, including some of the following details:
The key thing is that the £1.1 bn banking sector investment in chip and PIN has seen fraud at retailers decrease from a high point of £218.8m in 2004 to £72m now. That’s an impressive decrease but obviously chip and PIN isn’t a silver bullet for all card fraud which is why we support a multi-layered approach - PCI-DSS is part of that as is online banking security systems, like VbV and MSC, and the move to dynamic customer authentication.
She also corrected our comments on their stance on government intervention:
This relates to legislation currently going through the UK legislative process (the Serious Crime Bill) where we have been lobbying MPs and members of the House of Lords (the UK upper legislative House) for some changes.
“In our view, improved data sharing within organisations, between organisations, within sectors and between the public and private sectors is key to improving the ability of the UK to tackle the challenge of fraud. APACS has been lobbying for several years for wider data sharing between the public and private sectors and we believe there is an opportunity to make significant gains for both sectors in the short term. We see this issue as the major priority in the fight against fraud.
Exercises have already been run by CIFAS (the body that provides an enabling mechanism for the sharing of fraud information between private sector organisations) using samples of data provided by government departments. The high level of match between address details used in frauds against both public and private sectors illustrated the benefits of sharing this information - once an address or other detail such as a telephone number is identified as having been used fraudulently, then subsequent frauds can be prevented. The results from this exercise clearly demonstrated the importance of greater sharing of this type of data.
We urge the Government to do everything it can to promote such data sharing in the short term, which implies government departments making use of an existing structure, most obviously CIFAS, to start sharing the data as soon as possible. This would also be more cost effective than starting a new system from scratch.
We share the primary concern of this data being protected from being deliberately, negligently or maliciously compromised and would welcome the opportunity to work with the Information Commissioner on a set of guidelines to clarify the basis on which information should be shared.”
Finally she provided some interesting statistics titled “Card Fraud 2006 Snapshots”.