Earlier this month, my credit card number was compromised. My card was not missing or stolen and I was blissfully unaware that anything was wrong. Fortunately my credit card company noticed odd behavior and the fraud prevention department left a message on my home phone to return their call about suspicious recent activity.
In returning the call, I was informed about purchases that I indeed did not make: A dollar to iTunes, several thousand to Dell.com, several hundred to Sears.com and so on. In the end, it was just an annoyance to me as the card company reversed the charges and sent me a new card. About a week later, I was informed that the matter was resolved. Resolved? What happened? Was the person caught? Should I do something different to prevent this from happening again? No answers, just “resolved.”
This raised an interesting question in my mind: what do credit card companies actually do to “prevent” fraud?
In some respect, one could argue that detecting suspicious behavior and freezing the credit line within 72 hours of the first abuse prevented future fraud. But detecting fraud and preventing fraud are still two very different things. The answer is that credit card companies do very little to prevent fraud. Their policy of reversing charges from stolen or lost cards does not encourage careful and conscientious consumer behavior, but it does give consumers confidence to use the card. Simple plastic cards with readable numbers open up the possibility that anyone who comes in contact with the card can copy the numbers (think about the waiter or waitress who takes the card out of sight).
Moreover, the cards are cheap to make and enable ubiquitous use -- such as consumers entering their numbers on all sorts of paper forms. The reality is that ease of use -- and encouraging more frequent use -- is more in line with credit card companies' bottom lines than preventing fraud. But it would be better if someone prevented the fraud. This is where merchants enter the picture.
The PCI DSS is all about prevention. These standards are the actions the merchant must take to protect the credit card holders, the credit card companies and the merchants themselves. Although it may be seen as costly, cumbersome or difficult, it must also be seen as vital and a cost of doing business. Just as a restaurant, retail store or other brick-and-mortar merchant should perform background checks on employees to limit fraud, online merchants must take the appropriate steps to prevent fraud.
And just as hiring good and ethical employees to work at a retail store has benefits beyond preventing credit-card fraud, ensuring good information security practices has benefits well beyond PCI compliance.
Just as detecting fraud and preventing fraud are two very different things, security and compliance are two very different things. One is about implementing protection; the other is about the processes and documentation that provide proof of it. In fact, it's possible to accomplish one without the other. However, doing so misses the point and, more importantly, misses an opportunity. Once it is accepted that compliance with PCI is a requirement to do business (and for organizations that accept cards, it is), it should also be used as an opportunity to actually fix the issues the requirements exist to address.
In other words, use this compliance mandate as an opportunity to improve processes and controls. Don't see it as a “check box” exercise. In particular, implement effective management and monitoring controls that will ease the burden of compliance while significantly improving the overall security posture.
Credit card fraud will never go away. Fraud detection will remain a component of the fight against fraud. And as pleased as I am that the recent fraudulent charges on my account were removed, I would prefer that more time be spent on prevention so that it doesn't happen again.
Use the compliance mandate as a real opportunity to fight the increasingly challenging prevention battle.