Global study shows “increasing security risks” to payment data and “lack of confidence” in securing mobile payment methods

With the acceptance of mobile and other new forms of payment methods expected to double in the next two years, a new global study highlights a “critical need” for organisations to improve their payment data security practices on an urgent footing.

The survey* of over 3,700 IT security practitioners from more than a dozen major industry sectors was conducted by The Ponemon Institute on behalf of Gemalto, the specialist in digital security.

According to the independent study, over half (54%) of those surveyed said their company has suffered from a security or data breach involving payment data on four occasions (on average) in the past two years.

This isn’t surprising given the security investments, practices and procedures highlighted by the surveyed respondents. For example, 55% said they don’t know where all of their payment data is stored or located. Ownership for payment data security isn’t centralised, with 28% of respondents suggesting responsibility rests with the CIO, 26% stating this lies with the business unit, 19% with the Compliance Department, 15% with the CISO and 14% pinpointing other departments.

54% of respondents explained that payment data security isn’t a Top Five security priority for their company, with only one third (31%) believing that their business allocates enough resources towards protecting such data.

59% said their company permits third party access to payment data. Of these, only 34% use multi-factor authentication to secure access.

Less than half of the respondents (44%) outlined that their companies use end-to-end encryption to protect payment data from the Point of Sale to when it’s stored and/or sent to the financial institution.

Also, 74% said their companies are either not PCI DSS compliant or are only partially compliant.

‘Wake-Up Call’ for business leaders

“These independent research findings should serve as a wake-up call for business leaders,” said Jean-Francois Schreiber, senior vice-president for Identity, Data and Software Services at Gemalto.

“Given what was found with traditional payment methods and data security, those companies involved with payment data must realise compliance isn’t enough and fully rethink their security practices, particularly since 30% of those surveyed said compliance with PCI DSS isn’t sufficient for ensuring the security and integrity of payment data. The financial fall-out from data breaches, and the damage subsequently done to corporate reputation and customer relationships, will carry even greater potential risk as newer payment methods gain adoption.”

According to the study, acceptance of new payment methods such as mobile, contactless and e-Wallets will double over the next two years. While respondents state that mobile payments account for just 9% of all payments today, in two years’ time they expect this ratio to increase to 18%.

Given the issues IT professionals are reportedly facing in securing payment data currently being accepted through the traditional methods, companies are likely to face even more difficulties in securing new payment methods.

In fact, the study finds that nearly three quarters (72%) of those surveyed believe these new payment methods are placing payment data at risk, while 54% don’t believe – or are otherwise unsure – that their organisation’s existing security protocols are capable of supporting these platforms.

Closing data protection gaps

“Looking forward,” continued Schreiber, “as companies move to accept newer payment methods, their own confidence in their ability to protect that data isn’t so strong. Most respondents feel protection of payment data isn’t a top priority at their companies, and that the resources, technologies and personnel in place for doing so are insufficient. Despite the trend towards implementing newer payment methods, those in the ‘IT security trenches’ don’t feel that their organisations are ready. Clearly, it’s now critical for companies to look for, and then invest in solutions designed to close these data protection gaps.”

*The survey was conducted by The Ponemon Institute on behalf of Gemalto and involved 3,773 IT and IT security practitioners in the UK, the US, Germany, France, Belgium, the Netherlands, Japan, India, the Russian Federation, the Middle East and South Africa. Industries represented include communications, entertainment and the media, financial services, Government, healthcare, hospitality, IT services, retail, technology, transportation and the utilities. All respondents are familiar with – and involved in – their companies’ approach towards securing payment data. Most respondents are involved in setting priorities and selecting vendors and contractors in their companies’ payment ecosystem.

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications)

Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute’s George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian is actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications’ dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.