New research by the Ponemon Institute, commissioned by Gemalto, shows there is a critical need for organisations to improve their payment data security practices, with only 44 percent of respondents actually using end-to-end encryption on payment data.
The survey of more than 3,700 IT security practitioners from more than a dozen major industry sectors also revealed that a full one-third of those surveyed said compliance with the PCI DSS is not sufficient for ensuring the security and integrity of payment data.
PCI DSS is the information security standard which organisations that handle branded credit cards from the major EMV card schemes must follow if they process payment data. Validation of compliance is performed annually, either by an external Qualified Security Assessor that creates a Report on Compliance for organisations handling large volumes of transactions, or by Self-Assessment Questionnaire for companies handling smaller volumes.
The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. In other words, the PCI DSS isn't the enforcing body; the banks are. And there are hefty fines for non-compliance.
Speaking to SCMagazineUK.com, Nigel Hawthorne, European spokesperson for Skyhigh Networks, said, “Sadly, this [research] indicates that we need more 'naming and shaming' of organisations that lose consumer data to make them take this more seriously. The payment card organisations should revoke the ability of non-compliant organisations to take their payment cards.”
The researchers said: “54 percent said that payment data security is not a top five security priority for their company with only one-third (31 percent) feeling their company allocates enough resources to protecting payment data.”
Hawthorne said, “This is why the regulation to notify data protection authorities and the consumers themselves if their data goes astray has been included in the new EU GDPR - knowing of a problem is the first step to fixing it.”
In the study, over half (54 percent) of those surveyed said their company had a security or data breach involving payment data, on average four times in the past two years.
Other findings on security investments, practices and procedures include:
55 percent said they did not know where all their payment data is stored or located.
Ownership for payment data security is not centralised, with 28 percent of respondents saying responsibility is with the CIO, 26 percent saying it is with the business unit, 19 percent with the compliance department, 15 percent with the CISO, and 14 percent with other departments.
59 percent said their company permits third-party access to payment data, and of these only 34 percent use multi-factor authentication to secure that access.
74 percent said their companies are either not PCI DSS compliant or are only partially compliant.
When asked if he thinks the Report on Compliance should be done more often rather than the current yearly test, Hawthorne said, “As a consumer, I would be happier to know that someone failing the test loses their right to process card transactions and think that a lot more transparency would help us make informed decisions about who we trust with our payment data. If the card issuers published lists of retailers whose ability to take cards was revoked, we'd have greater confidence that this is taken seriously throughout the industry.”
The study said that acceptance of new payment methods such as mobile, contactless and e-wallets will double over the next two years. Respondents are predicting that in two years' time, mobile payments will account for 18 percent of all payments.
IT professionals are already reporting a mountain of issues when it comes to securing payment data accepted through traditional methods, and as a result of new technologies in payments, they are likely to face even more difficulties in securing the newer payment methods.
The study found that nearly three-quarters (72 percent) of those surveyed believe these new payment methods are putting payment data at risk and 54 percent do not believe or are unsure their organisation's existing security protocols are capable of supporting these platforms.
In a blog post on the Gemalto website, Jean-Francois Schreiber, senior vice president for identity, data and software services at Gemalto said, "Looking forward, as companies move to accept newer payment methods, their own confidence in their ability to protect that data is not strong. The majority of respondents felt protection of payment data wasn't a top priority at their companies, and that the resources, technologies and personnel in place are insufficient. Despite the trend to implement newer payment methods, those in the 'IT security trenches' don't feel their organisations are ready. It is clearly critical for companies to look for and invest in solutions to close these data protection gaps, expeditiously".
Commenting by email to SC, Jeremy King, International Director at the PCI Security Standards Council said, "This report from Gemalto and Ponemon Institute is a great wake up call for Europe. PCI Security Standards Council has been saying for several years that organisations in Europe are being breached and need to focus on security.
"The finding of 54 percent of organisations suffering a data breach is consistent with the findings of a UK government survey which indicated 90 percent of UK firms suffered a data breach in 2014 and on average organisations suffered 14 breaches per year.
"Companies are not focused on data security. For too long it has been seen as an IT problem rather than a company problem. Companies need to integrate people, processes and technologies to raise the bar on cardholder data security, starting with C-level executives.
"European regulators have also recognised that companies are not focused on data security. Hence the number of regulations being released. Specifically PSD 2, EBA securing internet payments and the General Data Protection Requirements.
"One common theme of all of these is to have good levels of security. And most importantly, for the first time regulations are demanding breach notification. Something that has been sadly lacking in Europe and which has enabled many companies to hide the fact that they have been breached.
"The Council recognises that the Standards are a baseline for security. So, yes, companies can do more. However, a study by Verizon shows that 99.9% of breaches show a lapse in basic security practices, which indicates that most organisations are still not taking data security seriously. Unfortunately the EU regulators are fed up with this and are now forcing them to," he concluded.
When implemented on an ongoing basis, PCI Standards are the most effective set of security requirements, he said. Unfortunately too many organisations view compliance as a checkbox activity. It is essential that organisations understand that security is not a one-off event but a continuous programme. Only if organisations fully adopt the Standards as a continuous security programme will they provide a high level of security.
P2PE (point-to-point encryption) is not mandatory; it is optional for merchants. Also, in 2015 PCI released v2 of the P2PE Standards, which focused on simplifying the approval process. Many vendors are now working toward a v2 approval, which will simplify the process for merchants and should help drive up adoption globally.
High-Tech Bridge's CEO, Ilia Kolochenko, commented, "Mobile finance is a very innovative, creative and fast-growing domain where the competition is very high. When you need to launch a new mobile payment app quickly, PCI (and any other) compliance will probably be your lowest priority. Moreover, many start-ups just don't have the cash for cyber-security, and so mainly care about their growth and ability to secure additional funding. Obviously, in such conditions, it's hard to focus on security at all.
"I think that PCI DSS compliance, if properly and integrally implemented and maintained, assures a pretty good level of security. People may believe that PCI DSS is not enough on its own, as many PCI compliant companies have been breached, but if we look deeper, almost all of the hacked PCI compliant companies were not entirely compliant with all PCI DSS requirements."