CIO is most responsible for ensuring payment data protection: Study

As many as 55% have no idea where their payment data is stored.

As many as 28% of respondents in a global survey said the responsibility for payment data security lies most with the CIO, while another 15% said it lies with the chief information security officer (CISO). The survey on payment data security was conducted among more than 3,700 IT security practitioners from more than a dozen major industry sectors. The research, covering 12 regions including India, was carried out by the Ponemon Institute on behalf of digital security firm Gemalto.

A major issue the research uncovered was concern about where payment data is stored. As many as 55% of respondents said they did not know where all of their payment data is stored or located. This is despite the fact that four out of five respondents feel the inherent risk of not knowing the location of one’s payment data is either very high or high.

As many as 54% of respondents said their organization has had a breach involving payment data in the past two years. On average, these organizations have had approximately four such breaches in that period, the study finds.

One of the counter-intuitive findings is that the largest share (42%) of professionals feel the data is most vulnerable to security threats while it is stored, while only 25% felt it is most vulnerable at the point of sale. The remaining 33% thought the data is most at risk while in transit between their companies and financial institutions or payment processors.

Fewer than half are confident that their organizations’ security protocols are capable of supporting next-generation payment platforms.

As many as 54% said that payment data security is not a top-five security priority for their company, and only about one third (31%) feel their company allocates enough resources to protecting payment data.

Fewer than half of respondents (44%) said their companies use end-to-end encryption to protect payment data from the point of sale through to storage and/or transmission to the financial institution. Three out of four respondents said their companies are either not PCI DSS compliant or are only partially compliant.

When asked what security measures are in place to protect data, firewalls and anti-virus, as expected, topped the list, while data loss prevention (DLP), SIEM and threat monitoring are each used by fewer than 40% of companies.

"These independent research findings should be a wakeup call for business leaders," said Jean-Francois Schreiber, Senior Vice President for Identity, Data and Software Services at Gemalto. "Given what was found with traditional payment methods and data security, companies involved with payment data must realize compliance is not enough and fully rethink their security practices, especially since a full one-third of those surveyed said compliance with PCI DSS is not sufficient for ensuring the security and integrity of payment data. The financial fallouts from data breaches, and the damages to corporate reputation and customer relationships will carry even greater potential risk as newer payment methods gain adoption," added Schreiber.

According to the study, acceptance of new payment methods such as mobile, contactless and e-wallets will double over the next two years. While respondents say mobile payments account for just 9% of all payments today, in two years they expect this share to increase to 18% of all payments. Given the issues IT professionals reported facing in securing payment data accepted today through traditional methods, companies are likely to face even more difficulties in securing new payment methods, the company said.
