Merchants are slowing data security funding as threats accelerate

Register now

Retailers are decelerating data security spending, even as attacks become more sophisticated and merchants emphasize the types of multi-channel shopping that draws attackers.

The percentage of U.S. retail firms that plan larger security budgets in 2019 dropped to 62% in 2019, compared to 84% in 2018, according to Thales e-Security.

The balancing act between new shopping technology and safety is one of the culprits as improving customer experience in an e-commerce age while shielding consumers from cyber crime is weighing on retailers.

"Information overload and compliance are certainly significant issuers for merchants today, both large and small," said Paul Kuykendall, CEO of Seattle-based Merchant Risk Council.
Still, nothing really happens "too fast" in the payments industry, Kuykendall added. "Generally, the issue is the cost of implementation and the availability of internal resources to code and test solutions."

Companies reporting a decrease in security spending rose to 12% from 8% in 2018, while those declaring the budgets would stay about the same were at 26%, compared to 7% a year earlier, Thales reports. U.S. retailer spending on security remains higher than the global average, as 53% of merchants worldwide said their spending would increase, compared to 67% in 2018.

"Still, the entire payments ecosystem is moving toward safety and security with more convenience for the consumer," Kuykendall said. "Merchants need to keep abreast of technical advancements and be willing to implement changes to secure the transaction while giving their customers a great experience."

The spending slowdown comes as 42% of U.S. retailers contend their companies are on the leading edge of digital transformation and aggressively disrupting their markets.

"The year-over-year slowdown in security spending is worrisome, since we know that the threat landscape is not slowing down and retailers remain a key target," said Julie Conroy, research director and fraud expert with Boston-based Aite Group.

The high percentage of companies that are increasing security spending can be misleading, given that an increase in multi-channel technology creates incrementally greater risk. More than three-fifths, or 64%, of companies across all industries that spend more than 10% of their IT budget on security say they have experienced at least one breach and, of those, 34% say they experienced a breach in the past year.

"The budget conversation differs from retailer to retailer, with large born-in-the-cloud retailers investing more and devoting greater focus to effect change," Thales said in a report that detailed its study of 1,200 IT executives. "Smaller, brick-and-mortar based retailers can struggle to match their spend levels in comparison."

Retail encryption rates are low, with between 25% and 36% of retailers saying they encrypt data for sensitive use cases. U.S. retailers, however, generally use encryption at higher rates than their global counterparts, with nearly 40% saying they use full disc encryption within company data centers.

Encryption technologies have been available for more than a decade, Conroy added. "It's distressing to see that a relatively low percent of retailers have deployed these technologies or plan to do so," she said.

Regulatory updates from the Payment Card Industry security standards council, or PSD2's Strong Customer Authentication requirements also complicate technology resources.

When regulations change merchants will often "operate somewhat in the dark," Kuykendall said. "Their acquirers and payment gateways are not always prepared with the most up-to-date information about what precisely needs to be done."

In addition to less spending on security, U.S. retailers were more confident than others in terms of believing they have adequate security. Thales researchers said this indicates complacency in terms of what it takes to secure data properly. Globally, 88% of retailers said their security was adequate in their new technology deployments, while 94% in the U.S. felt that way.

The increasing complexity in retail data environments is a top barrier to data security, the report noted. More than 90% of U.S. retailers say they have two or more platform-as-a-service or software-as-a-service environments in operation. Eighty-four percent said they had 10 or more such services in place.

As mobile payments become a more important part of retailers' online channels, the concerns about those payments also rise. More than 60% of U.S. and global retailers cite the potential exposure of payment card information as a main concern, as well as more than 50% fearing fraudsters would use mobile payment apps for new account fraud.

More than 40% expressed similar concerns for Internet of Things developments, feeling there is not enough security in place to protect sensitive data generated through an IoT device.

For reprint and licensing requests for this article, click here.
Security risk Data breaches Retailers Payment processing