A Funny Thing Happened on the way to the PCI Forum

(Or: How Misaligned Economic Incentives Created a "Security Standard")

A few weeks ago, someone sent me this article from the Merchant Risk Council about the history of PCI compliance, and wanted to get my opinion on it. And boy-oh-boy do I have opinions on it (part of me feels like I’ve been waiting years for someone to ask me). I talked about this briefly with Karisse Hendrick on the Fraudology Podcast (Bridging Cyber and Fraud: Insights from a Career Chameleon) but I think it’s worth expanding upon here, too.

Basically, the article says PCI-DSS was created to address fraud problems by leveraging security standards.

It’s totally a true statement, but the framing is a bit weird: they jump straight from "we needed to solve fraud problems" to talking about PCI's security controls (and the need for standards) without explaining the connection. Why apply security solutions to fraud problems? What's the actual relationship there? 

The Simple Version (And Why It's Not Actually Simple)

Yes, PCI-DSS was created to address fraud problems. But it's not exactly because fraud spiked, although CNP (Card Not Present) fraud was spiking around that time. (Also relevant: CNP volume was growing so rapidly because, before e-commerce, CNP was primarily mail and telephone orders (MOTO), which weren't growing particularly quickly.) There’s more to it.

So, while fraud rates spiked, what was also happening is that this new breed of merchants – e-commerce merchants – were also getting breached. They were getting breached by bad actors looking to capture card data (often unencrypted card data, at that). And then the stolen card data was being used to commit fraud, of course. But here's the part that is underdiscussed: the security problem that caused the breach at the e-commerce site was paid for in fraud losses by OTHER merchants and card issuers.

Think about it this way - if CD Universe got breached (it did), it wasn't necessarily CD Universe that experienced the fraud from that stolen data. It was other merchants down the line, plus the card companies themselves eating those losses.

So what incentive, really, did e-commerce merchants have to button-up their cardholder data protection? From a pure business perspective: not much. The costs of a breach at your site get absorbed across the entire payment ecosystem, but the costs of preventing that breach? Those are all yours.

Payments is famously an example (a glorious example!) of a network market. And the interdependencies here around security, fraud, and the costs of managing security/fraud are a classic negative network externality, and PCI-DSS was basically the (payment) industry's attempt to fix it.

Important side note: Today when you search for PCI, search results use PCI and PCI-DSS interchangeably. And when you check online sources, the PCI Council says it was established in 2004. But the card brands working together on security standards under the “PCI” umbrella actually predates DSS by a margin - it’s how the network was able to facilitate card manufacturing security requirements, PIN/PED standards, key management in the ATM infrastructure, etc. (I mention these specifically because I worked on them prior to 2004.) (A similar annoying (to me) shorthand that developed is CVV vs CVV2, but I digress from my digression.)

PCI-DSS as Minimum Viable Due Diligence

So, the standard was meant to demonstrate a kind of bare-bones minimum due diligence around data security, scoped down specifically to cardholder data. It wasn't some grand cybersecurity vision - it was meant to be a pragmatic solution to an incentive alignment problem.

Think of it as forcing internalization of externalized costs, but with a compliance framework instead of a Pigouvian tax (though honestly, the fines function pretty similarly - just after the fact versus before the fact).

There were a couple of bonuses to going this route:

  • Fraud due to stolen, compromised card data could be kept to manageable levels (a win for OTHER merchants and for the issuers/networks).

  • While cost of accepting credit card payments might go up for compliant merchants (needing to both secure the card data and demonstrate compliance), those merchants would still be able to accept credit cards.

  • Better security of card data should mean fewer breaches → keep consumer sentiment high enough to keep shopping online (remember, this was while e-commerce was still nascent).

  • E-commerce continues to grow, which is important to merchants AND the payment industry.

And now from where we’re sitting about 20 years later, we see this did pan out. Roughly.

The Academic Question

Also, let’s keep in mind this wasn't just industry folks winging it: they were working from a long history of standards development, liability shifts, and compliance frameworks to address weird incentive alignment problems (see the remark above about the ATM infrastructure upgrades, and also consider chip card rollouts). There was also a lot of research happening around this time trying to quantify the relationship between security investment and security outcomes. In my own academic perusal at that time, I think Kevin Soo Hoo wrote the best paper from those days around 2000/2001 when he was at @Stake (and/or Stanford?) - we were trying to come up with references that demonstrate the impact of security investment on preferred risk outcomes (here’s the paper as a .pdf - How Much Is Enough? A Risk-Management Approach to Computer Security).

There are a bunch of papers that attempt similar analyses presented at places like WEIS (Workshop for Economics in Information Security), though they tend to focus more broadly on cybercrime rather than fraud specifically. I also did a paper for them called "Defending Debit" that I think is a pretty good contribution to the canon (though it was written in a 48-hour haze of policy wonk indignation, so your mileage may vary).

Why This Still Matters

Understanding the real origins of PCI-DSS helps explain why security and fraud prevention sometimes feel like they're having completely different conversations. PCI wasn't designed as a comprehensive security framework - it was designed as the minimum viable standard to address a specific market failure.

We still see this pattern everywhere in cybersecurity. The entities best positioned to prevent security problems often aren't the ones bearing the costs when those problems materialize. PCI is just one example of how standards emerge to patch these misalignments, but it also shows the limitations of compliance-focused approaches.

The intersection between security solutions and fraud problems remains surprisingly under-explored, considering how much both industries have grown. There's definitely more work to be done understanding the economic incentives that drive both domains and how they interact.

But hey, at least now you know enough about the origins of PCI to understand why security controls have always and will always play a role in fraud prevention. But as with many payments-industry related folktales, the most interesting part of the story is the economic one (in this case, the incentive structure around investment in proper data security).

find more cartomancy [what’s out there]

coming soon

▶️ I’ll be attending and speaking at this year’s Black Hat USA. Will I see you there? I’ll likely be hanging out at the summits (CISO, AI, & Financial Services), checking out the new ventures booths on the show floor, and checking out the AI/ML/Data Science, Human Factors, and Policy tracks.

on demand

▶️ It was lovely to talk all things payments & fraud with my recently re-connected friend Karisse Hendrick on her Fraudology podcast.

▶️ About Fraud’s PJ Rohall and I sat down to talk about how we’re “Fighting Back” against fraud.

▶️ I had so much fun with my talk (entitled “Watching the Detectives: Scam Artistry, Deep Fakery, Fraudsters, Frame-ups & Other Highlights of the High Speed Card Chase”) at BSides Knoxville’s 2024 event (their 10-year anniversary!). This presentation was a year ago but I’m still getting lots of questions & feedback.