The PCI Fraud Argument Conundrum
Written by David Taylor, February 25th, 2009
Why do retailers, service providers and financial institutions strive to achieve and maintain PCI compliance (assuming they do)? Mostly, they do it because it's mandated by the card brands and their card acquirer.
But too often lost in the coercive relationship that drives PCI, argues GuestView PCI Columnist David Taylor, is the intent of the standard: fraud reduction. A few simple Google searches will confirm that the link between PCI compliance and fraud reduction is largely unexplored and unproven.
Readers, specifically those who want to comment on a story:
Our Comment SPAM system is getting very aggressive these days and has been blocking legitimate comments. If you post a comment and don't see it appear within 2 hours or so, can you please send a heads-up to customer-service@storefrontbacktalk? Ideally, please include the time you posted the comment. That will allow us to try and hunt for it. Thanks! P.S. We're working on fixing the system, but we don't want to lose any valuable comments in the meantime.
-Ed

February 25th, 2009 at 4:25 pm
It would be just as interesting to see how correlated the outcome of other audits are with the actual security of systems. What does an SAS 70 audit really tell you about security?
February 25th, 2009 at 4:47 pm
Luther,
Syncing audit reports and security is tough, as you know, and I agree it will be worth researching. As for SAS 70 audits, I tend to be pretty negative on their effectiveness, even Type II. But your point is excellent.
February 28th, 2009 at 4:42 pm
I would take respectful exception to anyone who might be tempted to cast doubts on the effectiveness of SAS 70 audits. SAS 70 audits can be crafted to meet security objectives – it is up to the user community – that means the wholesale end users – to express their requirements to the servicer. If the servicer is not presented with a mandate for a meaningful security-related control objective, they may take the path of least resistance. It is up to the servicer’s customers to express what they need.
March 1st, 2009 at 8:34 am
The reason I tend to be negative on SAS 70 audits is that the company being audited has too much control (IMHO) over the nature and depth of the audit. You’re right that they can be made effective, but that is not what I hear from the companies that we’ve interviewed. Our view is taken from our research. I gather you’re a SAS 70 auditor, and I’m sure you and your company do an excellent job, but many companies are taking advantage of the flexibility inherent in the process. One of the reasons we like PCI assessments is that there is less room to “maneuver” for both the auditor and the auditee (if that’s a word).
thx, Dave