PCI DSS and Fraud
May 31st, 2010 by Jesper Kråkhede
I have worked several years with PCI DSS, and even if I am not as experienced as some QSAs I know, I do have a kind of experience they don't: working with security from a business angle. In one assignment we were looking into several possibilities to make the client PCI DSS compliant. One of those routes was to implement a payment service provider everywhere payments were handled. At first glance this looked like the best solution. There was an added annual cost of 1.2 M€, but that had to be weighed against the 40 M€ it would cost to change the systems to become compliant.
So, what was the deal breaker here? Fraud. The payment provider could of course handle credit card fraud in every way possible and imaginable, but what about fraud specific to this industry? Nope. If my client couldn't use credit cards for investigating fraud across different payments, they expected fraud costs to rise by 2-8 M€ annually. Now the 40 M€ looks much more promising.
Finally, when we looked at the solutions needed to become compliant, we found many more ways to decrease the cost, hitting ROI much faster than we had imagined in the first place.