With the acceptance of mobile and other new forms of payment methods expected to double in the next two years, a new global study highlights a “critical need” for organisations to improve their payment data security practices on an urgent footing.
The survey* of over 3,700 IT security practitioners from more than a dozen major industry sectors was conducted by The Ponemon Institute on behalf of Gemalto, the specialist in digital security.
According to the independent study, over half (54%) of those surveyed said their company had suffered a security or data breach involving payment data an average of four times in the past two years.
This isn’t surprising given the security investments, practices and procedures highlighted by the surveyed respondents. For example, 55% said they don’t know where all of their payment data is stored or located. Ownership for payment data security isn’t centralised, with 28% of respondents suggesting responsibility rests with the CIO, 26% stating this lies with the business unit, 19% with the Compliance Department, 15% with the CISO and 14% pinpointing other departments.
54% of respondents explained that payment data security isn’t a Top Five security priority for their company, with only one third (31%) believing that their business allocates enough resources towards protecting such data.
59% said their company permits third party access to payment data. Of these, only 34% use multi-factor authentication to secure access.
Less than half of the respondents (44%) reported that their companies use end-to-end encryption to protect payment data from the Point of Sale through to when it is stored and/or sent to the financial institution.
Also, 74% said their companies are either not PCI DSS compliant or are only partially compliant.
‘Wake-Up Call’ for business leaders
“These independent research findings should serve as a wake-up call for business leaders,” said Jean-Francois Schreiber, senior vice-president for Identity, Data and Software Services at Gemalto.
“Given what was found with traditional payment methods and data security, those companies involved with payment data must realise compliance isn’t enough and fully rethink their security practices, particularly since 30% of those surveyed said compliance with PCI DSS isn’t sufficient for ensuring the security and integrity of payment data. The financial fall-out from data breaches, and the damage subsequently done to corporate reputation and customer relationships, will carry even greater potential risk as newer payment methods gain adoption.”
According to the study, acceptance of new payment methods such as mobile, contactless and e-Wallets will double over the next two years. While respondents state that mobile payments account for just 9% of all payments today, in two years’ time they expect this ratio to increase to 18%.
Given the issues IT professionals are reportedly facing in securing payment data currently being accepted through the traditional methods, companies are likely to face even more difficulties in securing new payment methods.
In fact, the study finds that nearly three quarters (72%) of those surveyed believe these new payment methods are placing payment data at risk, while 54% don’t believe – or are otherwise unsure – that their organisation’s existing security protocols are capable of supporting these platforms.
Closing data protection gaps
“Looking forward,” continued Schreiber, “as companies move to accept newer payment methods, their own confidence in their ability to protect that data isn’t so strong. Most respondents feel protection of payment data isn’t a top priority at their companies, and that the resources, technologies and personnel in place for doing so are insufficient. Despite the trend towards implementing newer payment methods, those in the ‘IT security trenches’ don’t feel that their organisations are ready. Clearly, it’s now critical for companies to look for, and then invest in solutions designed to close these data protection gaps.”
*The survey was conducted by The Ponemon Institute on behalf of Gemalto and involved 3,773 IT and IT security practitioners in the UK, the US, Germany, France, Belgium, the Netherlands, Japan, India, the Russian Federation, the Middle East and South Africa. Industries represented include communications, entertainment and the media, financial services, Government, healthcare, hospitality, IT services, retail, technology, transportation and utilities. All respondents are familiar with – and involved in – their companies’ approach towards securing payment data. Most respondents are involved in setting priorities and selecting vendors and contractors in their companies’ payment ecosystem.