We’re in the midst of a dark time for the payments industry. In 2013, Target lost 40 million payment cards, which started a snowball effect of large scale data breaches that have affected The Home Depot, P.F. Chang’s and Sony Pictures. And sadly, we here at Rippleshot are beginning to see the subtle indicators of more massive data breaches that have yet to be discovered and publicly announced. And there are hundreds of smaller data breaches that will go undetected for months, even years.
After discussing with industry experts from various financial institutions, retailers and payment processors, there are five data security misconceptions that are consistently plaguing the payments industry. We take a look at each misconception and expand on how each topic can hinder an organization's data security standards.
“I'm too busy to think about this. It's too expensive.”
With what seems like a new data breach being announced every other day, its imperative that organizations, regardless of their size, have an information security policy in place for future reference. It may seem like a daunting task to ensure the safeguarding of an entire organization's sensitive information, but the effects of a data breach on an organization are long lasting and detrimental to future growth.
In the Ponemon Institute’s 2014 Cost of a Data Breach Study, the average cost paid for each lost or stolen record has increased by more than 9 percent in the last year from $136 in 2013 to $145. And with 43% of companies in the United States having experienced a data breach in the past year, it’s no longer an option for organizations to sit by and hope that they aren’t in a cybercriminal’s sights.
"I'm PCI compliant/Have a firewall, so a data breach can't happen to me."
Following some of the largest data breaches in recent history, more and more security experts are beginning to question the effectiveness of security standards such as the Payment Card Industry Data Security Standard (PCI DSS) and other security applications.
Formed in 2006, the PCI Security Standards Council is tasked with setting the minimum security standards for companies that accept credit and debit cards for payment. The current PCI standards that retailers abide by should be viewed as a benchmark for said companies to follow. This point was made more evident following the 2013 data breach affecting online retailer NoMoreRack.com.
In October of 2013, security firm Trustwave had completed a security audit of NoMoreRack.com’s network systems and found nothing of concern that would affect their current PCI compliance standing. Nearly five months later, Brian Krebs had published a story indicating that several banks across the United States were beginning to see fraudulent spending on cards that were all used at NoMoreRack.com between November and January of 2013.
Without constant monitoring of their network systems, NoMoreRack.com believed they were in the clear for nearly 3 months, while their customers' sensitive payment data was being stolen. Following the data breach at Home Depot, which compromised the payment card information of nearly 56 million of its customers, it was later discovered that Home Depot was not following a variety of general security guidelines. Some of which included using a version of Symantec antivirus software dating back to 2007, performing vulnerability scans at only a small number of tits locations and failing to constantly monitor their network for possible intrusions.
"I'm too small for hackers to bother with."
For a small to medium-sized business owner, there is a common misconception that their businesses are not targets for cybercriminals for a variety of reasons. Whether that’s because small to medium-sized businesses don’t possess enough assets, or they are located in a less populated area that processes less credit and debit card transactions, it’s not the case. For these very same reasons, cybercriminals make a concerted effort to target SMBs and often, the aftermath is much worse when compared to the mega retailers.
In a recent U.S. House Committee on small business cyber-security challenges, recent figures show that nearly 20 percent of cyber-attacks that result in a data breach affect small businesses with less than 250 employees. And of those small businesses affected by a data breach, 60 percent of them fold within six months.
"If a data breach happened at my business, I would catch it quickly."
According to FireEye’s M-Trends 2014: Beyond The Breach report, payment card data breaches, on average, go undetected for more than 229 days. And rarely do retailers detect their own data breach, often hearing from law enforcement or the payment network.
In Trustwave’s 2014 Global Security Report, 71% of the respondents that suffered a data breach did not detect the data breach internally.
"Even if a data breach did happen, nothing will happen to my business."
With 43 percent of companies suffering from a data breach in the past year, organizations need to start asking themselves when they will fall victim to a data breach and not if. If you’re lucky, your organization already has cyber insurance to help offset the massive costs associated with a data breach. If not, the true cost of a data breach will begin to add up from the moment of detection. In the Ponemon Institute’s 2014 Cost of a Data Breach Study, post-breach expenses which includes everything from remediation and legal costs to setting up call centers and identity protection services, averaged nearly $1.6 million in the United States for 2014.
But these costs don’t take into effect how consumer-spending habits change following a data breach. Despite suffering from “data breach fatigue,” consumers are still concerned when it comes to the security of their personal and financial data. In a study conducted by KRC Research, 76 percent of respondents said they would no longer use their payment cards at any outlet where their personal data was compromised. And 38 percent indicated that they would stop shopping at the affected retailer altogether.
In an ever-changing payment landscape, the best way for an organization to safeguard and protect its sensitive data and that of it’s customers is to implement an ecosystem of technologies that as a whole is greater than the sum of its parts. These various technologies can help catch fraudulent spend quicker and empower organizations to stop a data breach before it occurs. To learn more about the emerging technologies that are defining the payment fraud ecosystem to come, download our whitepaper below: