Saturday, September 21, 2024

Brand Protection, Internal Threats Emerge Among Chief PCI Preoccupations


Fear of the damage that a data breach can inflict on a brand, rather than of network fines, drives organizations to invest in compliance with the Payment Card Industry data-security standard (PCI), a study released on Tuesday says. Some 69% of the mostly online organizations surveyed cited brand protection as their chief reason for spending on payment security, compared to 26% that ranked avoidance of fines first. “Other” reasons were cited by 5%.

But the primary breach threat is just as likely to come from within as from hackers, the survey also reveals. One-third of respondents cited their own employees as the most likely source of a data leak, while another 33% said hackers and the final third ranked insiders and hackers equally. Large merchants and other organizations—those classified in Level 1 by the card networks for PCI-compliance purposes—were more likely to cast a wary eye on their own employees, with 38% citing them as the likely source of a breach.

These results, which come from a survey conducted in December and January by CyberSource Corp., a Mountain View, Calif.-based risk-management unit of Visa Inc., and Trustwave, a Chicago-based provider of PCI-compliance solutions, could indicate a harder, more clear-eyed view of data security than was the case until recently, officials with the survey sponsors say. Rote compliance merely to avert fines may be yielding to a recognition of the havoc a breach could inflict on customer loyalty, stock valuation, and reputation, they say. “Some people have gotten past that bank-fine thing and are on to bigger and better goals,” James Paul, senior vice president of global compliance services at Trustwave, tells Digital Transactions News.

An epidemic of breaches over recent years, striking both large and small processors and merchants, may have much to do with that change in attitude. While merchants such as TJX Cos. Inc., which suffered a massive breach that was disclosed early in 2007, have seemingly gone back to business as usual, they are still dealing with the fallout years later. “The impact is a little deeper than the statistics show,” says Paul. “I don’t think anyone [at TJX] would say this [breach] was a minimal impact on their business.” If nothing else, the incident lingers in public memory, often surfacing in connection with the affected company. “It never dies,” Paul says.

Both Paul and Rosa Luis, a solutions manager at CyberSource who also spoke to Digital Transactions about the survey, concede that citing brand protection rather than fear of fines sounds like a more noble survey response. “That’s the PC way of answering the question,” Luis says. But she points out that respondents were anonymous, and answers varied widely depending on the department respondents came from. Some 70% of IT and finance managers were most concerned with brand, for example, while legal-department denizens were more likely to fear fines.

Meanwhile, the worries about organizations’ own staff caught the survey sponsors by surprise, coming as they do amid frequent headlines about external hackers. “We don’t hear a lot about the internal threat,” says Luis. “Even though [organizations] may believe data are safe behind a firewall, those data are readily available to employees.” It’s not uncommon, for example, for call-center staff to jot credit card numbers down on scraps of paper as they take calls, she says. This exposure is greater with smaller organizations. Forty-five percent of Level 2 organizations said call-center sales staff had access to account numbers, while 34% of Level 1 organizations did.

But back-office staff, especially those engaged in manual review, chargeback management, or account updating, can also be a source of leaks. Some 32% of Level 1 organizations said raw card data were visible to order-review staff; among smaller organizations, the fraction was 24%. It’s a problem smaller organizations, at least, are working on. Level 2, 3, and 4 organizations expected to reduce their back-office exposure rate to 18% within two years. Level 1 organizations said their rate of exposure would decline by just one percentage point, to 31%.

The online survey garnered responses from 117 organizations with operations in North America. Lines of business included educational, government, and non-profit pursuits as well as online retail.
