Payments industry not completely sold on security of chip-and-PIN

April 29, 2015
Respondents to new survey also express concerns about mobile payment technologies

Despite the push by retailers in the U.S. to make the migration from traditional magstripe payment terminals to ones that are enabled with chip-and-PIN technology, the results of a new study conducted by the Ponemon Institute show that a large number of those involved in the payments ecosystem (retailers, financial institutions, payment processors, credit card brands, etc.) don’t believe that the switch will necessarily result in greater security for consumer data.

In fact, while 59 percent of respondents polled for the “Data Security in the Evolving Payments Ecosystem” report indicated that chip-and-PIN was an important part of their payment strategy moving forward, only 53 percent believe that the technology will decrease or significantly decrease the risk of a data breach.

The study, which was sponsored by Experian Data Breach Resolution and surveyed nearly 750 individuals involved in IT and IT security, risk management and product development, also found that the emerging trend of mobile payments has introduced a new threat paradigm into the equation. With the advent of solutions like Apple Pay, retailers and others in the payment ecosystem are worried that this will provide a new opening for hackers to take advantage of, as 59 percent said they believed that mobile payments in stores will increase the risk of a data breach.

Even the transition to more secure payment technologies, in and of itself, is worrying to many throughout the industry, as 68 percent said they felt the migration put consumer data at risk. According to Michael Bruemmer, vice president, Experian Consumer Protection, the results of the study show how retailers and others in the payments industry are struggling to come to grips with how to effectively implement some of these newer systems.

“There needs to be a lot more industry dialogue, as well as a balance between lightning quick innovation on the payments side with security on the other side that can protect companies and consumers,” said Bruemmer. “Also, while there is a focus on consumer convenience, there has to be careful consideration taken when using these systems so that even though you can’t prevent a breach 100 percent of the time; the security has to be commensurate with the innovation and the system’s implementation itself so you don’t have gaps.”  

While no technology is a panacea, Bruemmer thought a higher number of people would have expressed more confidence in the ability of chip-and-PIN to prevent breaches. Perhaps one of the study’s most surprising findings was that 53 percent of organizations said they prioritized customer convenience over security, despite the fact that 43 percent of respondents were concerned about the loss of reputation their company could suffer if they should fall victim to cyber thieves.

“There is a ton of pressure in a competitive environment on consumer convenience, particularly in retail. All of our clients, when they talk about anything they do in the stores with consumers it’s about consumer convenience and customer satisfaction,” explained Bruemmer. “From our perspective, consumer satisfaction and consumer convenience can only be achieved with the appropriate level of security. To make it easy without making sure it is secure is not fulfilling the promise.”           

Given the number of high-profile breaches that have occurred over the past few years and the millions of Americans that have been affected by them, the focus on safeguarding consumer data is at an all-time high.   

“These payment card breaches are rising to a level where not only is it going to the boardroom, but consumers are really noticing this, especially in this last year where you had a number of mega-breaches make headlines. The stage is set there,” added Bruemmer.

However, some companies are still not adequately investing in data breach preparation and response. Only 39 percent indicated that their companies are investing in employee training despite the fact that employee negligence is a primary contributing factor in most data breaches.

“I think there is not enough collaboration going on between retailers in how to tackle some of these issues, which applies not only to sharing cybersecurity threat information amongst retailers but also security innovations. It shouldn’t be something that is used as a competitive advantage. It should be something that is a basic standard for all retailers that they have this security regardless of the brand or location,” said Bruemmer. “The other thing I would say is there is great need for security professionals to be placed in senior executive positions and having a CISO with access to the board and I think the industry is lacking in some cases with that.”  

The results of the study were not all gloom and doom, however, as there were also a number of findings that show some organizations are on the right track when it comes to mitigating and responding to breaches. The issue is receiving much more attention from the C-suite, as 67 percent of respondents said their senior management is more supportive of implementing enhanced security measures. Nearly 45 percent said that their organizations were increasing their security budgets and 54 percent indicated that they are investing in new technologies.

Bruemmer said there are three areas where the industry has really shown improvement: first, the recognition that security starts at the board level and works its way down; second, more organizations realize the importance of having a plan in place ahead of time for responding to breaches; and finally, they know that there is a lot more work to be done to protect customer information and that implementing new technology will not be a cure-all for data breach threats.

“I think this (study) is a great wake-up call for the industry to look hard at what they’re doing and make sure they are investing in the right new technologies and that they are putting security on the same level as innovation, hiring more security staff and collaborating with each other,” concluded Bruemmer.  “There are some very good themes that came out of this research. I think if people just take these to heart and look at their weaknesses, I think all of them can put organizations further along not only in security and privacy, but also in data breach preparation and response.”