With acceptance of mobile and other new forms of payments expected to double in the next two years, a new global study shows a critical need for organizations to improve their payment data security practices.
This was one of the findings of a survey of more than 3,700 IT security practitioners, conducted by the Ponemon Institute on behalf of Gemalto.
According to the survey results, more than half (54 percent) of respondents said their company had a security or data breach involving payment data an average of four times in the past two years.
Worryingly, more than half (55 percent) said they did not know where all their payment data is stored or located.
"It was surprising to learn that more than half of the companies surveyed didn’t know where all of their sensitive payment data was stored," Jason Hart, vice president and chief technology officer for data protection at Gemalto, told eWEEK. "Clearly, not everyone is using a centralized approach to protecting important data. In fact, the report showed that no single department had total oversight of payment data security."
Ownership for payment data security is not centralized, with 28 percent of respondents saying responsibility is with the CIO; 26 percent saying it is with the business unit; 19 percent with the compliance department; 15 percent with the CISO, and 14 percent with other departments.
"The biggest issues with securing payment data and other sensitive data is the lack of knowledge about how exactly to do it and the skills gap that exists within most companies," Hart said. "People don’t know how to encrypt data from when it’s captured to when it’s stored. This is compounded by a lack of a centralized approach to data security across companies. Security is still regularly deployed in silos by individual business units and departments."
In addition, less than half of respondents (44 percent) said their companies use end-to-end encryption to protect payment data from the point of sale to when it is stored or sent to the financial institution.
"Payments will be increasingly protected by encrypted data on physical devices or chips thanks to the shift to EVM that took place last October, but fraudsters will just look to the next weakest link in the ecosystem," Hart said. "These payments will be increasingly protected by tokenization, which we have been discussing for years, but now looks to become more and more influential."
He noted the technology is already backed by major payment players like Visa, MasterCard, Amex and EMVCo and was adopted by Apple as one of the underlying technologies behind Apple Pay.
"In fact, 1.8 million tokens were issued by Chase and Bank of America in the first 6 months of Apple Pay, and it’s seen as a next step in securing Android based payments," Hart said.