Loading...

Ponemon Study Looks at the Security of the Payment Card Ecosystem

Published: April 29, 2015 by Michael Bruemmer

Payments-security-study

Payments fraud and data breaches are top security challenges for corporations across every industry, but how do the threats relate to each other? Do the newest payments technologies increase the risk of a data breach?

We considered those and other pressing questions in our new study, “Data Security in the Payments Ecosystem,” conducted by the Ponemon Institute.

Recent mega breaches and third-party research illustrate the need to consider the inter-relatedness of payments security and data security. In 2012, 85 percent of all non-cash payments were card and ACH payments, constituting 67 percent of the total value of non-cash payments that year, according to the 2013 Federal Reserve Payments Study. And in 2013, 60 percent of organizations surveyed by the Association for Financial Professionals reported they’d been exposed to actual or attempted payments fraud.

In light of those statistics, our payments study aimed to explore if the security of personal data is tracking with the rapid evolution of new payment methods and advances in existing payments technologies. Our findings were mixed. While survey respondents exhibited a high level of understanding of data breach risks, it’s clear from their responses that more needs to be done to secure data in the payments ecosystem.

Participating organizations included retailers, financial institutions, payment processors, credit card brands, regulators, consumers and other stakeholders involved in payments. On average, these organizations experienced three data breaches in the past two years, involving an average of 8,000 customer records. Checks, credit or debit cards, e-payments, mobile payments, e-Wallet and virtual currency were among the payments methods employed by these organizations.

Among the payments insights to emerge from our survey were:

  • Half do not trust the security of emerging payment systems.
  • Nearly half (47 percent) aren’t confident in their organization’s ability to deal with payment risks.
  • They don’t view themselves as primarily responsible for ensuring the security of payments; 45 percent said that onus falls on banking institutions, and 40 percent on credit card companies.
  • On a positive note, 50 percent said the banking institutions they hold responsible for security are also the most innovative in developing new payment systems solutions.

When considering how payments security relates to data breaches, companies were largely aware of the potential inter-relatedness of the issues. The majority felt that payments innovations such as virtual currencies, mobile payments, near field communications and e-Wallets were the innovations most likely to increase the risk of a data breach. And many organizations face a challenge trying to balance easy, convenient implementation of new payment methods with security. While 66 percent agreed that authentication risks present challenges to implementation of new payment methods, 68 percent said the pressure to migrate to those systems worsened security risks.

Following a data breach, 61 percent of companies said their data breach response was less than effective, and only 29 percent offered affected consumers credit report monitoring. Yet 57 percent said that offering protective services to breached customers was worth the cost, and 61 percent said providing consumers with identity theft protection post-breach is a best practice.

Clearly, companies are aware of the potential link between payments fraud and data breaches, but are also cognizant of the fact that more needs to be done to secure their organizations and their customers. The Data Security in the Payments Ecosystem is available for free download from Experian Data Breach Resolution.