Mega data breaches affecting companies in verticals like retail and healthcare have put the fear of god into payment vendors and their customers – moving data security to the top of the agenda.
Or at least that’s the common wisdom. The truth may be somewhat different, at least according to data from credit monitoring agency Experian and The Ponemon Institute. A survey conducted by the two firms found that customer convenience, not security, is still the consideration that drives investment in “innovative” technologies.
The study surveyed 748 professionals in information security, risk management, product development and related roles about the payments systems used within their organizations. Respondents came from across the payments ecosystem, including retailers, financial institutions, payment processors, credit card brands, regulators, consumers and other stakeholders, according to a report released by Ponemon.
The report tested IT pros’ feelings about emergent payment technologies – from Bitcoin to NFC-based payments and e-wallet features. Most, the respondents agreed, would create security challenges and increase the likelihood of a breach. That’s a possibly worrying signal for vendors like Apple and Google who have staked a future on replacing the credit card.
But the survey also underscored industry biases that work against efforts to improve the security of the payments system. Notably, a strong majority – 67 percent – agreed that “customer convenience in innovative payments systems is critical,” but those same respondents didn’t feel the same way about security. Just 24 percent said that the need for enhanced security in new payment methods outweighed the cost of its implementation. That kind of thinking is known to have prevailed at companies like Target, which experimented with secure “Chip and PIN” credit cards as early as 2001, before abandoning the experiment because of its perceived inconvenience for shoppers.
The Ponemon data, combined with statistics such as the 66 percent of those surveyed who agreed or strongly agreed that “authentication risks make it difficult to implement new payment methods” and the half of respondents who reported “minimal” or “no” collaboration with partners in the payment ecosystem to improve security, begins to give a sense of why it has been so hard for industries to embrace new payment technologies.
In fact, respondents to the survey were unfazed by the risk that breaches may pose to the financial health of their companies. “Shareholder legal action and stock price declines following a data breach are not a concern,” the report concluded. Sixty-six percent of respondents say legal action initiated by shareholders is only somewhat of a concern or no concern at all. Only 23 percent of respondents say their organization would be somewhat concerned and 35 percent of respondents say they are not concerned at all.
The big message of the Ponemon and Experian report may be one of caution about our expectations for how much change will result from the last two years of mega data breaches. If anything, the report makes it clear that IT professionals who work in the payments ecosystem aren’t particularly hopeful about the industry doing an about-face on security. Their pessimism may be a sign that the future for payments security isn’t as bright as some of us hoped.
Paul F. Roberts is the Editor in Chief of The Security Ledger.