There is no shortage of opinions within the payments industry regarding PCI-DSS (Payment Card Industry Data Security Standards), and these opinions are largely driven by perspective. Issuers support PCI-DSS and demand improved compliance since they are the ones that absorb the brunt of fraud losses and operational damage control in the wake of data compromises. Merchants and acquirers appear less supportive of the standards and continue to assert concerns about complex requirements and costly compliance.

Visa and MasterCard are in the awkward position of trying to enforce compliance while straddling a two-sided business model that requires serving both merchants and issuers. Furthermore, other issues the card companies are juggling, like interchange rates, create a greater divide between these two groups and crowd out constructive discussion and real progress on PCI-DSS.

The end result of this is that there is a significant amount of work remaining to be done. Visa has introduced merchant incentives for PCI-DSS compliance, and recently announced that 96% of its largest merchants have confirmed that they are not storing magnetic stripe data. Magnetic stripe data is a key element in a counterfeiter's ability to commit fraud. Additionally, "Card Not Present" fraud, which is growing faster than counterfeit fraud, is still in play for non-compliant, compromised merchants. Visa's efforts benefit all issuers, but non-storage of magnetic stripe data does not equal PCI-DSS compliance. Less than half of the largest merchants have validated PCI-DSS compliance. To be fair, a large portion of this group of merchants is in remediation: close, but not there yet.


Industry compliance enforcement efforts to date have rightly focused on the largest concentrations of data: merchants with annual transaction volumes in the millions and large third-party processors. In response, hackers are adjusting their tactics by attacking mid-size to small merchants. PCI-DSS currently requires large merchants and third-party processors to validate compliance annually. Nonetheless, this annual compliance validation is a snapshot in time, so changes or lapses in a merchant's IT environment could reopen doors for hackers at any time. Issuers are required to be compliant, but currently are not required to validate their compliance. How long will it be before issuers become targets?

Bottom line, PCI-DSS is a critically important part of the fight against fraud, but it is not the silver bullet. The industry owes itself and consumers an environment where data is secure, however we need to recognize that data security will always be one piece of an integrated risk management plan.

This risk management plan needs to include: 1) use of the latest fraud prevention technology within your credit union and/or requirements for this technology support from your service provider; 2) educating members in how to recognize fraud and protect themselves against it; and 3) the continued development of new risk technology that will protect data or render the data, if exposed, worthless.

Neural networks and pattern recognition technologies are essential in dealing with the fast moving dynamics of modern fraud. Technologies like Falcon and Visa Advanced Authorization not only identify fraudulent events in real time, but can be continuously updated with characteristics of new fraud.

As essential as these tools are, fraud technology can only go so far. Staffs of experienced, well-trained professionals are required to identify and confirm fraudulent events and in some cases, execute event specific actions and update fraud management software. Credit and debit service providers that offer around-the-clock staff coverage deliver significant advantages because changes or spikes in fraud can be detected and addressed as they happen, which is often on weekends or after regular business day hours.

Credit unions also need to assume responsibility for educating their members about key fraud deterrents, including: the need to shred paper documents, use online banking to eliminate a paper trail and avoid the significant incidence of fraud at the mailbox, as well as keeping private information (including account numbers and passwords) secured. This needs to be an ongoing effort utilizing multiple delivery channels. Your members will appreciate your efforts to educate them and will become your first line of defense against fraud.

Credit unions will need to be prepared to weigh in as the industry considers new technology, to ensure all of their needs are met.

Each credit union needs to develop and manage its own plan to protect itself and its members against fraud. Fraud management is much like money management. An individual with a financial advisor or a broker does not turn over their savings and then walk away. It is the responsibility of the investor to track results and make sure their advisor is acting in their best interest.

Likewise, it is the responsibility of credit union managers to be aware of the latest trends, technologies, and techniques for fraud management, even if these functions are outsourced. Managers also need to make sure their service providers have the expertise and are employing the resources required to minimize the occurrence of fraudulent activity within their membership and their institution.

It is clear that PCI-DSS compliance needs to be improved and that data security is critical to the continued health of the payments industry. All industry players need to drop the rhetoric and get on with an honest, productive effort to find ways to make PCI-DSS successful. PCI-DSS is, and will remain, one of the critical elements in winning the fight against fraud.

Credit unions need to achieve compliance with PCI-DSS and develop a comprehensive fraud prevention plan that includes fraud prevention technology and educating members about their role in limiting fraud exposure. It's important to remember that while fraud represents a risk, it is a manageable risk. Credit unions need to continue to expand and promote their card portfolios, since these products have repeatedly proven their ability to deliver excellent financial returns while building stronger relationships with members.

© 2025 ALM Global, LLC, All Rights Reserved.