IT security pros lack the confidence and know-how to protect payment data – research
54% of surveyed IT professionals said their companies had a data breach involving payment data an average of four times in past two years
With acceptance of mobile and other new forms of payments expected to double in the next two years, a new global study shows a critical need for organisations to improve their payment data security practices.
In a study by Gemalto of more than 3,700 IT security practitioners, over half (54%) said their company had a security or data breach involving payment data an average of four times in the past two years.
This is not surprising given the study's further findings: 55% of respondents said they did not know where all of their payment data is stored.
The research found in most businesses ownership for payment data security was not centralised – 28% of survey respondents said responsibility is with the CIO, 26% with the business unit, 19% with the compliance department, 15% with the CISO, and 14% with other departments.
More than half (54%) of respondents said payment data security is not a top five security priority for their company, with only one third (31%) feeling their company allocates enough resources to protecting payment data.
Worryingly, 59% said their company permits third-party access to payment data and, of these, only 34% utilise multi-factor authentication to secure access.
Fewer than half of respondents (44%) said their companies use end-to-end encryption to protect payment data from the point of sale until it is stored or sent to the financial institution.
And 74% said their companies are either not fully PCI DSS compliant or are only partially compliant.
“These research findings should be a wake-up call for business leaders,” said Jean-Francois Schreiber, senior VP for identity, data and software services at Gemalto. “Given what we’ve seen with traditional payment methods and data security, it’s time that companies realise compliance is not enough and fully rethink their security practices.
“The growing financial fallouts from data breaches and damages to corporate reputation and customer relationships can now carry even greater potential risk as newer payment methods gain adoption.”
New payment methods
According to the study, acceptance of new payment methods such as mobile, contactless and e-wallets will double over the next two years.
While respondents say mobile payments account for just 9% of all payments today, in two years they expect this to increase to 18% of all payments.
Given the threats companies have faced in securing payment data accepted through traditional methods, companies are likely to face even more difficulties in securing new payment methods.
In fact, the study found that nearly three quarters (72%) of those surveyed believe these new payment methods are putting payment data at risk and 54% do not believe or are unsure their organisation’s existing security protocols are capable of supporting these platforms.
“Looking forward, as companies move to accept newer payment methods, their confidence in their ability to protect that data is not strong,” said Schreiber. “The majority of respondents felt protection of payment data wasn’t even a top priority at their companies, and that the resources, technologies and personnel in place are insufficient.
“Despite the trend to implement newer payment methods, those in the ‘IT security trenches’ don’t feel their organisations are ready.”