Highly publicized payment card breaches affected millions of consumers in 2014. In the wake of these breaches, retailers, financial institutions, payment processors and credit card brands responsible for delivering these systems in the United States are facing more scrutiny than ever before and are meeting at a crossroads in the security conversation.
The discussion will only get more intense with continued innovation in the field. The payments industry is undergoing a revolution led by emerging technologies including mobile payments and wallet technologies, virtual currencies and the deployment of chip and PIN technology. The potential benefit of these new technologies is significant, but it remains to be seen if security risks will prove to be a major barrier to adoption.
Ponemon Institute and Experian® Data Breach Resolution are pleased to present the findings of Data Security in the Evolving Payments Ecosystem. The study explores the impact of mega payments breaches on security and response, as well as the current levels of confidence in the security of emerging payments technologies. Organizations in this study had an average of three data breaches in the past 24 months involving an average of 8,000 customer records.
As Figure 1 shows, 68 percent of survey respondents say pressure to migrate to new payment systems puts customer data at risk. Respondents are most positive about EMV chip and PIN cards. Fifty-nine percent of respondents cite it as an important part of their organization’s payment strategy and 53 percent of respondents believe chip and PIN cards will decrease or significantly decrease the risk of a data breach.
While some respondents doubt the ability of “chip and PIN” to address the current security issues with card payments, they also believe their companies face new threats posed by continued innovation in payment technologies. In fact, 59 percent of respondents expect data breach risk to increase through the use of mobile payments at point of sale in stores, and 54 percent believe near field communications technology will increase the risk of suffering a breach.
While risk and security concerns loom large, new technologies are being deployed because they offer vastly improved customer convenience. Throughout our study, we found a large percentage of companies are likely to keep moving forward with deployment of new technologies despite concerns about security. More than half of respondents say customer convenience was a higher priority to their organization than security.
In addition to concerns over the ability to secure the next generation of payments technologies, there is also uncertainty about the ability of breached companies to properly manage a security response.
Throughout the industry, organizations continue to be deficient in governance and security practices that could strengthen their data breach preparedness. Only 16 percent of respondents feel companies are very effective in breach response, which suggests much room for improvement in responding to the aftermath of a major incident. Left facing all these questions and the uncertainty of new technologies, the industry can agree on one thing: the need for action.
While unprecedented threats and new security challenges may seem daunting, the payments industry is taking steps to respond and focus more on security. Companies are prioritizing customer needs in their security planning and investing time and resources in improving security. Sixty-nine percent of companies say media coverage of breaches, including those in the payments industry, over the past year caused their organizations to re-evaluate and prioritize
It’s receiving much more attention at the highest levels of organizations, with 67 percent of respondents noting their C-level executives are more supportive of enhanced security measures to protect payments information. Forty-five percent of respondents said they were increasing their budget and 54 percent are investing in new technologies.
Along with improving security, companies also recognize their responsibility and the importance of protecting their customers after an incident occurs and improving incident response planning. A majority of companies (61 percent) provide identity theft protection and fraud resolution services as a best practice, while 56 percent are re-evaluating and improving incident response planning for a breach, leading to greater communication and guidance to affected customers.
The study surveyed 748 US-based individuals in IT and IT security, risk management, product development and others involved in the payments systems within their organizations. For purposes of this research, payments ecosystem refers to the collection of retailers, financial institutions, payment processors, credit card brands, regulators, consumers and other stakeholders who ensure the smooth flow of payments and other transactional information.