New research by the Ponemon Institute, commissioned by Gemalto, shows a critical need for organisations to improve their payment data security practices: only 44 percent of respondents actually use end-to-end encryption on payment data.
The survey of more than 3,700 IT security practitioners from more than a dozen major industry sectors also revealed that a full one-third of those surveyed said compliance with the PCI DSS is not sufficient for ensuring the security and integrity of payment data.
PCI DSS is the information security standard which organisations that handle branded credit cards from the major EMV card schemes must follow if they process payment data. Validation of compliance is performed annually, either by an external Qualified Security Assessor that creates a Report on Compliance for organisations handling large volumes of transactions, or by Self-Assessment Questionnaire for companies handling smaller volumes.
The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. In other words, the PCI DSS isn't the enforcing body, the banks are. And there are hefty fines for non-compliance.
Speaking to SCMagazineUK.com, Nigel Hawthorne, European spokesperson for Skyhigh Networks, said, “Sadly, this [research] indicates that we need more 'naming and shaming' of organisations that lose consumer data to make them take this more seriously. The payment card organisations should revoke the ability of non-compliant organisations to take their payment cards.”
The researchers said: “54 percent said that payment data security is not a top five security priority for their company, with only one-third (31 percent) feeling their company allocates enough resources to protecting payment data.”
Hawthorne said, “This is why the regulation to notify data protection authorities and the consumers themselves if their data goes astray has been included in the new EU GDPR - knowing of a problem is the first step to fixing it.”
In the study, over half (54 percent) of those surveyed said their company had a security or data breach involving payment data, on average four times in the past two years.
Other findings on security investments, practices and procedures include:
55 percent said they did not know where all their payment data is stored or located.
Ownership for payment data security is not centralized, with 28 percent of respondents saying responsibility is with the CIO, 26 percent saying it is with the business unit, 19 percent with the compliance department, 15 percent with the CISO, and 14 percent with other departments.
59 percent said their company permits third party access to payment data and of these only 34 percent use multi-factor authentication to secure access.
74 percent said their companies are either not PCI DSS compliant or are only partially compliant.