
PCI & Credit Card Investigations

Have PCI Standards Affected Your Ability to Investigate Credit Card Fraud?

When the Payment Card Industry (PCI) standards came into effect in June 2005, retailers began implementing ways to restrict the visibility of credit card and debit card numbers throughout their company-wide systems. While implementation was under way, many loss prevention departments waited to see how their company's chosen method of protection would affect their ability to investigate this method of retail theft.

A few years have passed since these developments, and we thought it would be interesting to poll several loss prevention departments to determine the impact, if any, that PCI standards have had on investigations into credit or debit card fraud.

Our informal poll asked a few questions surrounding the loss prevention department's ability to detect fraud and the time it now took to complete an investigation. We thank all those LP professionals who took the time to respond to our questions as they provided an interesting insight into how they are handling these standards in their efforts to combat loss.

A few LP departments reported that they do have difficulty in accurately detecting credit cards that may be involved in fraud. For these departments, masking the numbers with the exception of either the last four or the first six and last four digits caused too many false positives and therefore a severe inability to detect fraudulent scenarios.

Some professionals stated that they were able to properly investigate potential fraud, but had to communicate with other departments to obtain the actual card number, which took some additional time for their investigation.

While a few exceptions of difficulty have occurred, most professionals stated that the protections implemented by their company did not impede their ability to investigate fraud, nor did it take any additional time beyond a little research to find the actual card number.

Although the overall results were mixed, they also revealed a few interesting factors that may assist those departments that are having difficulty handling credit card investigations.

Factor #1: How the Data Is Protected

Those who chose either a hashing or encryption standard to protect the account number seemed to have the least difficulty when investigating fraud. Hashing or encryption techniques replace each account number with a unique sequence, so that two different credit card numbers never appear as the same value. For many, the initial impact was the difficulty of establishing trust that the encryption process worked. Once that trust was established, the loss prevention department could conduct investigations without issue.

Those retailers who reported ineffective investigations often used masking or truncation as their chosen method. Hiding or replacing the actual digits with an "X," with exception of the last four or the first six and last four digits, seemed to cause some of their reports to show multiple card numbers as being the same. These "false positives" of potential fraud made the investigation process so cumbersome that some retailers have given up on investigating credit card fraud altogether.
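The difference between the two approaches can be reproduced on a handful of transactions. The following is an added example, not part of the original article: the card numbers are constructed, the key and function names are hypothetical, and a keyed HMAC-SHA-256 stands in for whichever hashing or encryption standard a retailer actually chose.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample data: made-up 16-digit numbers, not real accounts.
# Three different cards share the same first six and last four digits.
TRANSACTIONS = [
    ("T1001", "4111110000001111", "refund"),
    ("T1002", "4111110000001111", "refund"),
    ("T1003", "4111119999991111", "refund"),
    ("T1004", "4111115555551111", "sale"),
    ("T1005", "5500001234562222", "refund"),
]

# Hypothetical key (assumption): in practice it lives in a key store
# outside the loss prevention system, not in source code.
TOKEN_KEY = b"constructed-demo-key-not-for-production"

def mask(pan: str) -> str:
    """Keep the first six and last four digits, replace the rest with X."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]

def token(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed hash: the same card always maps to the same token."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()

def group_by(protect):
    """Group transaction ids by the protected form of the card number."""
    groups = defaultdict(list)
    for txn_id, pan, _kind in TRANSACTIONS:
        groups[protect(pan)].append(txn_id)
    return dict(groups)

def false_positive_groups(protect):
    """Protected values that merge transactions from more than one card."""
    cards = defaultdict(set)
    for _txn_id, pan, _kind in TRANSACTIONS:
        cards[protect(pan)].add(pan)
    return {value: len(pans) for value, pans in cards.items() if len(pans) > 1}

if __name__ == "__main__":
    print("masked groups:    ", group_by(mask))
    print("masked collisions:", false_positive_groups(mask))
    print("token groups:     ", len(group_by(token)))
    print("token collisions: ", false_positive_groups(token))
```

With masking, a "same card used repeatedly" report lumps T1001 through T1004 together even though three cards are involved; with the keyed token, only T1001 and T1002 group together, and the investigator never sees the card number.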

Factor #2: The Ability to Access Real Data

It was also noted that those who have access to the actual card number, whether through a decryption tool or through another department, had a much easier time conducting a credit card fraud investigation.

Some retailers who have the card numbers masked in their LP systems, but who can also get the actual card number from another system, reported less difficulty in investigations. Loss prevention professionals at these retailers said that while it added a step to the investigation process, being able to quickly look up the actual number in another system made some of the reporting difficulties bearable.

For those having difficulties with investigating fraud due to security provisions, I offer the following tips:

  • Meet with your IT team and show them the process that you go through to investigate fraud. Demonstrate the difficulties you have and ask them for suggestions.
  • Discuss options with your loss prevention systems vendor partner. Most have developed modules to work with PCI compliance and may be able to offer a new solution or some specific queries that can help.
  • Talk to your Sales Audit and Finance departments to see if another system may be available to assist in your investigations. Receipt Capture systems may not provide the actual card number but may help you further your investigation.
  • Talk to others who may use the same loss prevention or data analysis systems. Possibly show those restricting your access how successfully others are using the same systems but different encryption techniques.
  • Pass along to others in your company whitepapers or best practices that discuss others' success while staying true to PCI compliance.


What Does the Future Hold?

The requirements set forth in the original PCI DSS are just the beginning. A new version is slated to be released sometime in October, and it is still undetermined how this version will affect retailers. Some companies have decided to put in place further controls that protect sensitive data, including gift card account numbers and other customer information.

As loss prevention departments continue to uncover larger schemes involving the use of credit cards, debit cards and gift cards, only time will continue to tell whether or not we get "handcuffed" in our abilities to investigate fraud by the standards established across our industry.







LP Innovation