Ask anyone in the payments industry how they are feeling about technology innovation, and you will get a mixed response. Many are embracing new customer convenience options such as mobile payments, virtual currencies, and the deployment of chip and PIN – yet, a new survey found a majority of executives believe pressure to migrate to these new payments systems puts customer data at risk.
According to Experian Data Breach Resolution’s report, “Data Security in the Payments Ecosystem,” retailers, financial institutions, payment processors and credit card brands responsible for delivering new payments systems in the U.S. are at a security crossroads. While the potential customer benefit of new technologies is significant, it remains to be seen if security risks will serve as a corporate barrier to adoption. Faced with the fallout of several large payment breaches over the last year, executives are faced with even more scrutiny to protect customer data.
In the following slideshow, Michael Bruemmer, vice president, Experian Data Breach Resolution, examines six key study takeaways for security decision-makers to consider when evaluating new payment technologies, exploring the impact of recent mega breaches on data breach response, as well as the path forward on how businesses can work together to improve security while delivering customers the payment options they want.
Improving Customer Payment Security
Click through for six key study takeaways for security decision-makers to consider when evaluating new payment technologies, as identified by Michael Bruemmer, vice president, Experian Data Breach Resolution.
High Stakes Security
In the wake of last year’s payments breaches, the stakes are high for professionals tasked with securing customer data. Sixty-nine percent of executives surveyed said media coverage of payment breaches over the past year caused their organizations to re-evaluate and prioritize security – and they should. Research from IBM indicates companies are attacked an average of 16,856 times per year, and threats are not going away any time soon.
It is good to see businesses prioritizing security, but more needs to be done. Companies should have a well-practiced data breach response plan in place, invest in regular security training for employees, and increase industry collaboration on how to secure new technologies. Only 39 percent indicated that their companies are investing in employee training despite the fact that employee negligence is a primary contributing factor for data breaches.
New Payment Technologies
New payment technologies bring promise, but increase risk.
Professionals in the payments industry are approaching new innovations with caution and are concerned that introducing untested technology will increase the risk of a breach. For reference, 59 percent of executives in the payments sector expect mobile payments in stores to increase the risk of suffering a breach, and more than half (54 percent) expect near field communications technology to increase security risk.
Even while security concerns loom, new technologies are being deployed because they offer vastly improved customer convenience. Throughout the study, Experian Data Breach Resolution found that a large percentage of companies are likely to keep moving forward with deployment of new technologies despite concerns about security. More than half of respondents say customer convenience was a higher priority to their organization than security. This is a red flag for security professionals as it could open the company up to more risk. Educating C-level executives and board members of potential security risks is a good first step before adopting new technologies. Careful consideration should also be made when adopting new technologies to ensure that consumer data is secure through the transition.
Chip and PIN
Companies don’t view chip and PIN as a silver bullet to solving data breaches.
Despite reports that chip and PIN payment cards are the most successful in reducing fraud, surprisingly only 53 percent of professionals in the payments sector believe it will actually decrease their risk of suffering a data breach. As companies work to adopt EMV deployment in time for the October liability shift, retailers should be on high alert as hackers will look to capitalize on companies making the transition, and those who are left behind. Because the October 2015 deadline to adopt the new technology was publicly announced, cyber thieves have likely already identified vulnerabilities they can target in the infrastructure. Businesses will also want to be wary that consumers may get a false sense of security with the new technology.
Responsibility for protecting customers is unclear.
Amidst a shifting regulatory landscape and the upcoming liability shift in October, the study found ambiguity in who should be held responsible for ensuring the security of consumer data. Respondents found the two stakeholders most responsible for ensuring the security of payments systems are banking institutions (45 percent of respondents) and credit card companies (40 percent).
While these organizations can affect change, organizations shouldn’t rely solely on banks and credit companies to protect consumers. In the event of a data breach, companies should take steps to proactively communicate with their customers about how to protect themselves and detect fraud. Experian Data Breach Resolution was pleased to see most of the survey respondents recognize their responsibility to protect their customers, as 61 percent indicated they provide identity theft protection and fraud resolution services as a best practice following a breach.
Security concerns are leading to action.
Facing unprecedented threats and new security challenges, the good news is that the payments industry is taking steps to respond. In response to recent breaches, 45 percent of payment companies have increased their security budget. Sixty-seven percent of survey respondents said their C-level executives are more supportive of enhanced security measures to protect payments information. Businesses need to continue down this path by ensuring that the security discussion starts at the board level, and recognize that no technology will be a cure for all data breach threats.
Industry collaboration is key to the path forward.
Addressing security concerns around current and emerging payments systems isn’t the job of a single company or stakeholder. There is broad consensus around the need for increased collaboration to solve the security issues facing the industry, with 85 percent of respondents believing greater collaboration is important to ensure the security of current and future payments infrastructure. Yet, collaboration today remains nascent, with only 24 percent of insiders saying there is significant collaboration across the industry.
To successfully protect payments data and consumers’ personal information, the industry must embrace collaboration as the path forward, while continuing to invest in data breach response planning.