The card brands, Visa, MasterCard, JCB, American Express and Discover, are all mandating the universal and unquestioning acceptance and implementation of the PCI-DSS. The justification for this has always been presented as a means of ensuring the protection
of Cardholder Data, whatever that means. None of the card brands have really explained what this "protection" actually means, or indeed how it works. Apparently, it is good enough to refer to security, card fraud and a "better safe than sorry" approach, without
ever actually explaining how the security strategies defined within the PCI-DSS prevent card fraud.
I am not going to argue why PCI-DSS is a complete waste of time and effort, other than to say that even if the whole world were to be secured to PCI-DSS standards, the "sensitive data" defined within the PCI-DSS - the PAN - is still freely available in the
public domain, on the front of the card and on the magstripe. If it is accepted that the PAN is "sensitive data", then this is a completely irrational approach, and I have no interest in attempting to convince experts who cannot see this otherwise.
In EMV-land, the implementation of the PCI-DSS is also irrational. In the UK, the number of magstripe transactions accepted at the point of sale is trivial: generally less than 1%. However, they originate primarily from the US, and appear to account for
well over half of all chargebacks. This would indicate a correlation between fraud, as indicated by the level of chargebacks, and magstripe, as indicated by the fact that the chargebacks are mainly coming from the US (and I know that the US banks shouldn't
be raising them because they are clearly fraudulent, but they are, which makes me think that the real fraud is much higher because they are coming from only a very small handful of banks). I don't think it unreasonable to ask what the implementation of the
PCI-DSS would do to prevent US magstripe fraud in the UK. No answer is not acceptable, but no answer is the answer being given by the card brands! So can anyone else answer this, rationally? It is my opinion that the implementation of the PCI-DSS will do
absolutely nothing to prevent this type of fraud, because it can't! The implementation of PCI-DSS is already widespread in the US, but whilst the level of home-grown fraud in the UK is falling year on year as the investment in EMV pays off, US magstripe fraud
is growing. Implementing the PCI-DSS in the UK is not going to make this fraud go away.
The only rational rationale presented by the card brands in support of the forced implementation of the PCI-DSS that I am aware of is the one that says quite strongly that it's in the contract, and if an organisation chooses not to become PCI-DSS compliant,
then the organisation is effectively choosing not to accept cards. This argument is rational, from the perspective of any retailer in doubt over their obligations to the card brands, and has the added advantage of being very easy to understand, but ... it
is still irrational! So why are the card brands persisting in rationalising the irrational? There must be more to it.
Call me a conspiracy theorist if you like, but read on before judging. The PCI-DSS does make sense as a framework and as a set of guidelines. However, it makes no sense as a prescriptive mandate focused on protecting the PAN and other "sensitive data", because
the so-called "sensitive data" isn't sensitive under EMV, and the PAN isn't a risk vector either. I have not yet heard a coherent counter-argument to this, and it's not for the want of listening.
The card brands have made it absolutely clear that the PCI-DSS will be implemented around the world, and that those regions where there has been considerable investment in EMV must now invest in the PCI-DSS to "protect" those regions where there has been
no investment. This is irrational; surely the rational approach would have been to mandate EMV in the undeveloped nations (I am employing the use of irony here - those who get it will know that I mean the US) instead of arguing, but not coherently, that even
in EMV regions the PAN still presents a risk if it is let out into the open.
I am no expert on the US legal system, but I have had a look. It seems to me that there are a number of bills, at varying stages in the bill lifecycle, that refer to the protection of personal data; there are also bills that are related to the cost of data
breaches and the cost of recompense. None of these bills refer directly to payment cards and card-related data, but there is a remarkable similarity between them and some of the principles of the PCI-DSS. It would also appear that the case for the PCI-DSS
was made in March 2009 by Bob Russo, the General Manager of the PCI Security Standards Council, and others, to the House Committee for Homeland Security, which I find very odd, or maybe it's all beginning to make sense?
Funding for the events of 9/11 has been attributed to credit card fraud, which means that credit card fraud has become a global issue for US Homeland Security: it is no longer a regional financial issue that can be resolved locally, like in the UK, and the
rest of the EMV world. It would appear that we now have an issue that can only be resolved globally by implementing a global card data security standard. The PCI-DSS is not, therefore, a solution to the losses that might be suffered by individual cardholders,
it is a "security" solution for the world. The PCI-DSS is really an anti-terror strategy and not a cardholder-focussed financial integrity strategy.
The problem is that whilst forcing the implementation of the PCI-DSS in an area where card fraud is at a ten-year low, and falling, might be irrational, the requirement for PCI-DSS isn't going to go away because the requirement isn't based on any rational
analysis of real-world card fraud vectors. It would appear that even though the card brands have repeatedly failed to present any valid arguments in support of the forced implementation of the PCI-DSS, they are still pushing the mandate. Perhaps this is
because they are not really doing the pushing, and the Committee for Homeland Security is not limited by rationality!