Nearly 70 percent of individuals questioned in the “Data Security in the Evolving Payments Ecosystem” study – which was sponsored by Experian and conducted by Ponemon Institute – said that pressure to migrate to new payment systems puts the security of customer transactions at risk.
Additionally, only half of respondents – 748 U.S.-based IT, IT security, risk management, product development and other professionals involved with the payments systems in their organizations – indicated they are at least somewhat confident in the security of emerging payment systems.
In order to improve confidence, companies should take the time to become familiar with new payments systems prior to implementation, Michael Bruemmer, vice president of Experian Data Breach Resolution, told SCMagazine.com in a Friday email correspondence.
When asked about the greatest risk in the payments ecosystem, 34 percent of respondents said online purchases, 25 percent said point-of-sale devices, and 24 percent said mobile payments. Furthermore, 47 percent rate their organization's ability to deal with these risks as somewhat effective or not effective.
“A few steps companies can take to improve security posture include regular security training for employees, having a well-practiced data breach response plan in place, and support from C-level executives,” Bruemmer said.
So, who is responsible when it comes to the security of payments systems? Altogether, 45 percent of respondents said the banking institution, 40 percent said credit card companies and 33 percent said regulators.
When it comes to who is responsible for protecting customer data following a breach, 75 percent of respondents said the company that lost the information, and 69 percent said banks that issued the payment cards involved in the incident.
“[Companies] should invest in enhanced security measures to protect payments information, and be prepared to protect customers with identity theft protection and fraud resolution services in the event a breach does occur,” Bruemmer said.
More than half of respondents, 56 percent, said their organization issues a new payment card following a breach. With regard to other services offered, 29 percent said credit report monitoring, 24 percent said fraud resolution services that do not include credit monitoring, and 13 percent said educational information for consumers. 22 percent of respondents said their organization has not suffered a breach, and 38 percent said none of the above is offered.
In the end, 61 percent of respondents said companies are somewhat or not effective when it comes to responding to breaches. However, 69 percent said that highly publicized breaches have increased awareness of security payment processes and systems.
In response, 56 percent of respondents said their organization has assessed risks to personal information, 53 percent said funds were invested in enabling technologies, 45 percent said security budgets increased, 41 percent said more security personnel was hired, and 39 percent said training and awareness of employees increased.
Regarding which data elements are most important to protect, 68 percent of respondents said passwords or PIN codes, 63 percent said debit card numbers and security codes, 63 percent said credit card and security numbers, 32 percent said Social Security numbers, 32 percent said usernames, 26 percent said email addresses, and 16 percent said bank account numbers.
“There is broad consensus around the need for increased collaboration to solve the security issues facing the industry, with 85 percent of respondents believing greater collaboration is important to ensure the security of current and future payments infrastructure,” Bruemmer said.