A recent survey [PDF] of 3,773 IT and IT security practitioners worldwide has found that 55 percent of respondents said they don’t know where all of their company’s payment data is stored or located, and 80 percent said that kind of uncertainty presents a very high (42 percent) or high (38 percent) risk to that data.
The survey, conducted by the Ponemon Institute on behalf of Gemalto, also found that 54 percent of respondents said their company had suffered a security or data breach involving payment data — the average company had four such breaches in the past two years alone.
Respondents were located in the United States, United Kingdom, Germany, France, Belgium, Netherlands, Japan, India, Russian Federation, Middle East and South Africa, and represented industries including communications, entertainment and media, financial services, government, healthcare, hospitality, IT services, retail, technology, transportation, and utilities.
When asked who has ownership of payment data security, responses differed widely — 28 percent of respondents said the responsibility lies with the CIO, 26 percent said it lies with the business unit, 19 percent with the compliance department, 15 percent with the CISO, and 14 percent with other departments.
Fully 54 percent of respondents said payment data security is not a top five security priority for the company. Only 31 percent of respondents said they feel their company allocates enough resources to protecting payment data.
Fifty-nine percent of respondents said their company permits third-party access to payment data. Of those, only 34 percent use multi-factor authentication to secure that access.
Only 44 percent of respondents said their company uses end-to-end encryption to protect payment data from the point of sale to when it’s stored and/or sent to the financial institution.
And fully 74 percent of respondents said their company is either not PCI-DSS compliant, or is only partially compliant.
Jean-Francois Schreiber, senior vice president for identity, data and software services at Gemalto, said in a statement that the findings should be a wakeup call for business leaders. “Given what was found with traditional payment methods and data security, companies involved with payment data must realize compliance is not enough and fully rethink their security practices, especially since a full one-third of those surveyed said compliance with PCI DSS is not sufficient for ensuring the security and integrity of payment data,” he said. “The financial fallouts from data breaches, and the damages to corporate reputation and customer relationships will carry even greater potential risk as newer payment methods gain adoption.”
Respondents expect mobile payments to increase from 9 percent of all payments today to 18 percent in two years. Fourteen percent of respondents currently accept mobile payments, and 51 percent have plans to do so in the future.
Still, 72 percent of respondents said they expect new payment platforms such as mobile, contactless and e-wallets to put payment data at risk, and 54 percent don’t believe or are unsure if their company’s existing security protocols can support those platforms.
“Looking forward, as companies move to accept newer payment methods, their own confidence in their ability to protect that data is not strong,” Schreiber said. “The majority of respondents felt protection of payment data wasn’t a top priority at their companies, and that the resources, technologies and personnel in place are insufficient.”
“Despite the trend to implement newer payment methods, those in the ‘IT security trenches’ don’t feel their organizations are ready,” Schreiber added. “It is clearly critical for companies to look for and invest in solutions to close these data protection gaps, expeditiously.”