For most organizations, managing payment security efficiently and effectively continues to be a challenge. To help businesses understand management trends and practices among their peer group, CyberSource and Trustwave, in partnership with the Merchant Risk Council (MRC), commissioned the Payment Security Practices and Trends Survey. This report summarizes the survey’s findings and provides insights and industry benchmarks as well as emerging industry trends.
Payment security entails managing and securing payment data across an organization’s full order lifecycle, from the point of payment acceptance, through fraud management, fulfillment, customer service, funding and financial reconciliation, and transaction record storage. The presence of payment data at any of these points, whether on organization systems, networks or visible to staff, exposes the organization to risk. To combat this risk, the Payment Card Industry Data Security Standard (PCI DSS)¹ was created to help organizations protect their customers’ payment account information by providing increased controls around payment data and its exposure to compromise. As part of adhering to PCI DSS standards, all organizations that process payment data must perform an internal or external audit, and a network scan.
Ultimately, however, the efficacy of an organization’s payment security management operation comes down to the approaches and practices applied to securing data in three core areas:
- Capture and Transmission (Data in motion): Practices related to securing payment data as it is captured and transmitted by multiple sales systems, sales staff and customer service representatives throughout the order lifecycle.
- Storage (Data at rest): Practices related to securing payment data as it is stored in multiple databases and desktop applications, written on slips of paper by call center staff, and even on tape if customer service calls are recorded.
- Back-office Tasks: Practices related to securing payment data used by staff during the performance of multiple back-office tasks, including fraud management, chargeback management and payment reconciliation.
The structure of this report examines responding organizations’ practices and trends in each of these areas, with the goal of understanding payment security investment drivers, organization structure, and the resulting relative costs of these practices.
A few highlights found in the survey and discussed in this report include:
- Brand Protection is Key Driver of Investment: The need to protect the organization’s brand and its revenues was given as the primary driver for investment in payment security.
- Threat from External and Internal Sources Perceived as Equal: While the successes of external hackers often make headlines, employees can be an equally damaging source of risk. The survey found that organizations perceive the threats from internal and external sources as being nearly equal.
- Trend Towards Remote Data Storage: With the need to secure payment data and efficiently comply with PCI DSS, organizations are planning to shift their payment data security approach from an on-site strategy to a remote one. Those organizations that had already made the shift reported shorter time-to-compliance and fewer full-time equivalent employees managing payment security.
- Payment Security Cost and Complexity Expected to Increase: Most survey respondents expect that the technological complexity, cost, and resources required to manage payment security will increase over the next 24 months.