What a new survey on payment solutions reveals about your security leadership

Insights from a new briefing with some commentary on how it impacts your ability to lead security efforts through the evolving payment ecosystem

Navigating our organizations through rapidly changing payment ecosystems necessarily creates pressure to protect more information through more pathways.

It also creates an opportunity for leadership.

Experian Data Breach Resolution just released a report on “Data Security in the Evolving Payments Ecosystem” (link for the full report). What initially caught my attention was the promise to answer some of the questions I posed in “Does chip-and-PIN actually solve the problem? Find out by asking these questions.”

Surveys are helpful. Even if they only capture current sentiment, they provide us a window into what others in similar situations are thinking and doing (or at least what they aspire to). For me, the briefing provides an opportunity to draw on the experience of the company and explore different conclusions.

When Michael Bruemmer, vice president of Experian Data Breach Resolution, and I talked through the findings, I was impressed by his candor. Better, he shared some additional insights and information valuable for security leaders to consider and share with others.

Here are the highlights from our conversation.  

Chip + PIN - does it help or hurt? And why it doesn’t matter anymore

Without a doubt, Chip and PIN is polarizing. It is also becoming part of our new reality and experience.

Executives are concerned about keeping pace with the security of new payment technologies, and they lack confidence in their ability to prevent a data breach:

  • 59% said C&P is an important part of their payment strategy.
  • Yet barely over half (53%) believe C&P will decrease or significantly decrease the risk of a breach.
  • 59% expect mobile payments in stores to increase the risk of a breach.

“One of the interesting themes that emerged from this study was the lack of clarity around the impending liability shift in October for merchants to adopt EMV chip and PIN technology. Despite industry reports suggesting the technology will help prevent payment card fraud, only 53 percent of respondents thought it would actually decrease the risk of a data breach. We expect payment breaches to persist, and companies still need to be prepared to respond to a breach and protect customers.” -- Michael Bruemmer, vice president of Experian Data Breach Resolution

What does it mean?

Like it or not, we’re implementing some form of Chip + PIN (many are defaulting to chip + SIGN). The technology was forced as a response to breaches impacting payment cards. It’s an attempt to do something to stem the tide. In the end, it might reduce card present fraud while driving an increase in card not present fraud.

At this point, debating Chip + PIN holds little value.

Chip + PIN is just the first in a series of efforts to figure out how to improve the protection (and perception) of our payment systems. We also have to factor in virtual currencies, mobile payments, and other advancements.

How about this tidbit:

Sixty-four percent of survey respondents believe it is more challenging to secure payment card information than other personally identifiable information.

Does this match your experience? What does the push into new methods of payment mean for our customers?

Does the pressure of new payment methods put customer data at risk?

“Companies in the payments industry face a huge challenge in securing emerging technologies like virtual currencies, mobile payments and e-wallets. While the industry has always prioritized the implementation of new technologies for customer convenience, in today’s landscape, it is critical that they equally emphasize the security of new technologies to protect customer data.” -- Michael Bruemmer, vice president of Experian Data Breach Resolution

As Starbucks struggles with fraud in online accounts and gift cards, they might agree. The survey respondents agreed, too.

Companies are feeling pressure to adopt emerging payment systems to keep consumers satisfied:

  • 68% said pressure to migrate to new payment systems puts customer data at risk.
  • 53% prioritize customer convenience over security.
  • 43% are concerned about loss of reputation due to a breach.

A recurring frustration in IT/Security is the need for more executive awareness and support. This survey suggests we’re getting attention:

Sixty-nine percent of survey respondents said media coverage of payment breaches over the past year caused their organizations to re-evaluate and prioritize security.

Companies are seeing increased attention from the C-suite, with 67 percent of survey respondents saying their executives are more supportive of enhanced security measures to protect payment information.

The challenge is the balance between customer convenience (especially when it comes to their ability to give your company money) and the appropriate level of protection (what we commonly call security).

This survey underscores that we’re under pressure to adopt new systems without a clear understanding of the risks or methods to reduce those risks.

Instead of getting more frustrated, consider how this creates two leadership opportunities:

  • Figure out how the systems work to protect the right stuff
  • Understand what consumers expect, and prepare to meet their expectations

It’s clear the attention on security generates support for increased budgets, new technology, and larger teams. In the process, our focus needs to shift from finding ways to capture attention to demonstrating the leadership necessary to earn our place in the executive suite.

Leadership opportunity #1 -- What are we protecting anyway?

In the context of the evolving payment ecosystem, our organizations need to make and collect revenue. Do we understand the system(s) implemented? Do we know how it works?

Frequently, the answer is a bit murky. Therein lies the leadership opportunity.

Be the leader who helps bring clarity to the pathways necessary to collect and process payments. You don’t need a PCI assessment on your horizon to check out the advice in “3 experts teach you how to properly scope your PCI assessment.” Pay attention to their insights on how to determine your payment(s) environment(s).

In the process of learning, work to create simple and effective visualizations of processes. That’ll help bring other leaders into the discussion. It also helps you get a handle on where to focus assets and efforts.

Leadership opportunity #2 -- align the organization response with consumer expectations

We’re expected to prevent, detect, and respond to data breaches and other security problems. The leadership opportunity is ensuring the broad response of the organization is matched to the needs and desires of your consumers.

Consider the importance of offering credit/fraud/identity monitoring services in the wake of a breach. Have you ever wondered how many consumers actually take advantage of the offer for free monitoring?

I did.

I asked Michael Bruemmer for some evidence-driven insights.

While the numbers aren’t generally published, the industry average runs around 10%. In some cases (including the publicly disclosed experience in South Carolina), the number trends higher, almost to 40%.

Seems odd, right?

While the standard for response includes offering the monitoring, only a small percentage of people take advantage of it.

I pressed a bit deeper, then, and learned that the two things consumers expect in the wake of a data breach include a central call center and “ID theft protection.”

According to Experian’s recent study, “Is Your Company Ready for a Big Data Breach?,” businesses rank identity theft protection products and access to a call center as the two most important services a company should provide customers following a breach.

According to Experian’s consumer survey, “The Aftermath of a Mega Breach: Consumer Sentiment,” 63 percent of consumer respondents believe that organizations should be obligated to provide identity theft protection, 58 percent credit monitoring and 67 percent compensation such as cash, product or services.

The leadership opportunity is making sure your organization is prepared to meet the expectations of consumers. This is above and beyond your efforts to prevent, detect, and properly respond to any breaches.

These insights help select partners and solutions in advance.

Bring together the right leaders from marketing, sales, HR, legal, and the executive suite. Paint the picture of what a breach is like for consumers. Explore the importance of communication and advance planning.

If this is already happening without you, step back to figure out why.

The path forward: build better systems

While the evolution of payments is sometimes challenging, it also presents opportunities. Companies are exploring ways to offer more convenience to consumers while increasing the robust nature of the process and underlying system.

With a healthy rate of change comes the opportunity to explore better ways to improve security. In some cases, it becomes a selling point. Sometimes it’s more focused on improving the security of the process.

Either way, how do you improve the ability of your organization to collect money and process payments? How are you designing, implementing, and supporting systems and processes that make it easier for people to do their jobs while protecting sensitive information?

While some might conclude this study reveals a continued struggle with these issues, it’s really a signal that we need stronger IT/Security leadership.

Use the findings and evidence from this report and others to engage your team, leaders in your organization, and our industry in productive dialogue. Provide value and earn recognition as a valuable contributor to the executive team instead of just a technical resource.

Copyright © 2015 IDG Communications, Inc.
