An interesting phenomenon has occurred in the world of privacy data breaches, and specifically PCI DSS cardholder data breaches: fraud (acts committed intentionally by insiders, or thefts in which fraud is suspected) has almost completely been forgotten. This is not to say that fraud is absent from an organization's basic risk register, but rather that a perception bias may have enveloped the field. This perception bias is an example of the complacency effect that arises in most risk managers' minds, and it is reinforced by the overwhelming number of successful hacking attacks on organizations. For businesses, fraud remains an important risk that must be addressed prudently throughout the organization.
An excellent set of resources is available through the Association of Certified Fraud Examiners (ACFE), where numerous articles and guides address many kinds of threats to an organization. I raise this issue because I recently conducted a research effort that evaluated the threats to organizations, retailers specifically, and how the control environment should be tuned accordingly. A thorough analysis (using in part the excellent Privacy Rights ClearingHouse data breach data) highlighted that although online attacks are more fruitful for attackers, there are nearly three times as many incidents under the fraud umbrella. The implications of this data are different for each organization, but they must be considered in every risk management effort. As part of a fraud strategy, organizations should give serious consideration to SAS 99. Below is a table from the research:
PCI DSS specifically requires controls that align with ACFE and AICPA fraud prevention practices. The PCI DSS controls for access authorization, separation of duties, and clearly defined job responsibilities all support the prevention of fraud in an organization.
Over time I will expand this article as I find more data, and elaborate on which core PCI DSS controls are beneficial for preventing fraud. There is also a richer breakdown of SAS 99 at IT Compliance and Controls for those interested.
I would be interested to hear examples where fraud played a role in a data breach, and which areas of the PCI DSS standard were critical in the detection or mitigation of the fraud.
James DeLuccia IV