Despite the many high-profile breaches that occurred over the past year, too many businesses have not adopted strong security practices and as many as a third don't have a clear understanding of where their sensitive data is stored or how it is protected.
Breaches such as the one that struck Target Corp. a year ago have catalyzed some major corporations into fast-tracking their shift to EMV-chip payment cards and adopting other new protections, but many companies have done little to improve their own security.
"Hopefully awareness has ticked up a little bit, but it is still disconcerting that there is a low level of awareness as to what is going on with fraud and what to do about it," said Greg Rosenberg, security engineer at Chicago-based Trustwave.
Trustwave will release its 2014 State of Risk Report, which assesses business awareness of risk factors and the processes they have in place to protect data, on Dec. 9. The report is based on a global survey of 476 information technology and security professionals in more than 50 countries. More than half of the businesses surveyed deal with payment card data in some form.
Thirty-three percent of respondents said their business has not commissioned a risk assessment to identify where valuable data moves or is stored or what controls, if any, are in place to protect it. Sixty-three percent said they do not have a "fully mature" method to control and track sensitive data, while 19% said they have no method at all.
Forty-five percent of businesses said their high-level executives take only a partial role in security matters, but Rosenberg viewed that as a positive sign.
"That was higher than I thought it would be," Rosenberg said. "In the payments industry, those business executives are being dragged to their processors' or acquirers' podium, so to speak."
Senior-level executives have more readily engaged in addressing the Payment Card Industry Data Security Standard (PCI DSS), even though "they don't like it for a variety of reasons," Rosenberg said.
"Many businesses don't believe they fit the risk profile or have any risk at all," Rosenberg added. "But the last year has seen us engage a lot more with merchants we never talked to before because of more breaches and more advancement of technology."
Businesses involved in accepting payments need many security measures and cannot solely rely on compliance to various standards governing the industry, Rosenberg said.
"They have to first identify how many pieces of sensitive data the business comes in contact with today and in the past, determine who handles it, and apply some sort of value to that data," Rosenberg said.
At that point, a business can then determine the methods needed to protect that data. "That's really where you start with a risk assessment," he added.
The migration to EMV chip-based payment cards, meant to cut counterfeit card-present fraud in the U.S., might actually deter some businesses from focusing as much attention on needed tools like encryption and tokenization, Rosenberg said. "A lot of merchants don't realize that EMV is not designed to protect data after it has been input," he added.
Tokenization, in its various forms, replaces a payment card account number with a limited-use surrogate value, or token, that is meaningless outside the system that issued it: a thief who steals tokens cannot recover the account numbers from them or use them to produce counterfeit cards.
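Two of the steps above, finding where card data actually sits (Rosenberg's "identify how many pieces of sensitive data" step) and replacing it with tokens, can be shown in a few lines. The following is an added example, not code from the article, from Trustwave or from any tokenization vendor. It assumes a regex-plus-Luhn sweep over an exported text file and a toy in-memory vault; the account numbers in the constructed sample are the public Visa and Mastercard test numbers, not real cards. One design choice worth noting: the vault deliberately issues tokens that fail the Luhn check, so a token can never be mistaken for, or collide with, a valid account number.

```python
import re
import secrets
from typing import Dict, List, Tuple

# Constructed sample export (hypothetical): two valid test PANs, one digit
# string that fails Luhn, and a phone number that is too short to be a PAN.
SAMPLE_EXPORT = """\
ticket 1041: customer paid with 4111 1111 1111 1111, refund requested
ticket 1042: callback 555-0123-4567 (not a card)
ticket 1043: card 5500-0000-0000-0004 declined twice
ticket 1044: tracking 4111111111111112 is a parcel id, not a card
"""

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a
# longer digit run. Candidates still have to pass Luhn before they count.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, pan) for every Luhn-valid candidate in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                hits.append((lineno, digits))
    return hits


class TokenVault:
    """Toy tokenization vault: the PAN-to-token mapping lives only here, so a
    token on its own carries no information about the account number."""

    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}
        self._by_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._by_pan:
            return self._by_pan[pan]
        while True:
            # Keep the last four digits for receipts and customer service;
            # everything else is random, not derived from the PAN.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject any token that happens to pass Luhn, so tokens never look
            # like valid PANs and a discovery scan does not flag them.
            if not luhn_ok(token) and token not in self._by_token:
                break
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back; anyone else gets nothing."""
        return self._by_token[token]


def redact_with_tokens(text: str, vault: TokenVault) -> str:
    """Replace every Luhn-valid PAN in text with its token; leave the rest."""
    def repl(m: "re.Match[str]") -> str:
        digits = re.sub(r"[ -]", "", m.group())
        return vault.tokenize(digits) if luhn_ok(digits) else m.group()
    return PAN_CANDIDATE.sub(repl, text)


if __name__ == "__main__":
    for lineno, pan in find_pans(SAMPLE_EXPORT):
        print(f"line {lineno}: PAN ending {pan[-4:]}")
    print(redact_with_tokens(SAMPLE_EXPORT, TokenVault()))
```

Run against the sample, the scan reports the two real test numbers and ignores the phone number and the Luhn-invalid parcel id; after tokenization a second scan of the same export finds nothing, which is the property a merchant wants from data that sits in ticketing systems, spreadsheets and backups outside the payment path.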
And much attention has been given to monitoring third-party vendors who have remote access to a merchant's payment network, in the wake of fraudsters carrying out retail breaches with stolen vendor credentials. The PCI Security Standards Council's PCI DSS 3.0, which becomes mandatory on Jan. 1, 2015, stresses closer scrutiny of third-party service providers.
While 58% of businesses told Trustwave they use third parties to manage sensitive data, 48% said they do not have a third-party management program in place.
Those figures should make businesses take a closer look at how they are choosing third-party vendors and how they will monitor their activities, Rosenberg said.
"They are giving these vendors entrance into the environment and in many cases it can be like leaving a back window open or a door unlocked for fraudsters to get in," he added.
Indeed, the Target breach began with attackers using login credentials stolen from an HVAC vendor. (Trustwave was briefly sued by two banks following the Target breach, but those banks withdrew their suits after Trustwave said it was not involved.)
Home Depot also revealed that its data breach, suffered between April and September, was the result of fraudsters using third-party vendor credentials to access the perimeter of the retailer's network.
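The "how they will monitor their activities" part of a third-party management program can be made concrete. What follows is an added example, not code from the article or from any of the companies named; it assumes a hypothetical remote-access log format and a per-vendor allow-list (registered source ranges, the segment the vendor is contracted to touch, and a maintenance window), and flags successful logins that break any of those, plus failed-login bursts and accounts nobody registered. The log lines are constructed for the example.

```python
import ipaddress
from collections import Counter
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed remote-access log in a hypothetical "ts key=value ..." format.
LOG = """\
2014-11-18T14:02:11Z user=hvac-vendor result=ok src=203.0.113.10 dst=10.50.1.7
2014-11-18T14:09:45Z user=hvac-vendor result=ok src=203.0.113.10 dst=10.50.1.8
2014-11-18T23:41:02Z user=hvac-vendor result=ok src=198.51.100.77 dst=10.10.3.21
2014-11-19T03:12:30Z user=hvac-vendor result=fail src=198.51.100.77 dst=10.10.3.21
2014-11-19T03:12:41Z user=hvac-vendor result=fail src=198.51.100.77 dst=10.10.3.21
2014-11-19T03:12:55Z user=hvac-vendor result=fail src=198.51.100.77 dst=10.10.3.21
2014-11-19T10:15:00Z user=pos-support result=ok src=192.0.2.40 dst=10.10.3.21
2014-11-19T11:00:00Z user=ctr-temp result=ok src=192.0.2.41 dst=10.10.3.22
"""

# Hypothetical per-vendor policy: where they may come from, what they may
# reach, and when. The HVAC vendor has no business on the 10.10.3.0/24
# (payment) segment at all.
VENDOR_POLICY: Dict[str, dict] = {
    "hvac-vendor": {
        "sources": ["203.0.113.0/24"],
        "targets": ["10.50.1.0/24"],   # building-management segment only
        "hours_utc": (8, 18),
    },
    "pos-support": {
        "sources": ["192.0.2.0/24"],
        "targets": ["10.10.3.0/24"],
        "hours_utc": (8, 18),
    },
}


def parse_line(line: str) -> Dict[str, str]:
    """Split 'ts k=v k=v ...' into a dict; the timestamp goes under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    return rec


def in_any(ip: str, cidrs: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def review_vendor_access(log: str, policy: Dict[str, dict],
                         fail_threshold: int = 3) -> List[Tuple[str, str, str]]:
    """Return (timestamp, account, reason) findings for vendor logins that
    fall outside the account's registered sources, targets or window."""
    findings: List[Tuple[str, str, str]] = []
    fails: Counter = Counter()
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user, ts = rec["user"], rec["ts"]
        rules = policy.get(user)
        if rules is None:
            # Remote access by an account with no owner or scope on file.
            findings.append((ts, user, "unknown-account"))
            continue
        if rec["result"] != "ok":
            # Credential guessing against a vendor account; report once per burst.
            fails[user] += 1
            if fails[user] == fail_threshold:
                findings.append((ts, user, "failed-login-burst"))
            continue
        if not in_any(rec["src"], rules["sources"]):
            findings.append((ts, user, "unregistered-source"))
        if not in_any(rec["dst"], rules["targets"]):
            findings.append((ts, user, "out-of-scope-target"))
        hour = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").hour
        start, end = rules["hours_utc"]
        if not (start <= hour < end):
            findings.append((ts, user, "outside-window"))
    return findings


if __name__ == "__main__":
    for ts, user, reason in review_vendor_access(LOG, VENDOR_POLICY):
        print(f"{ts} {user}: {reason}")
```

On the constructed log the two daytime HVAC logins to the building-management segment pass silently, while the 23:41 login from an unregistered address into the payment segment raises three separate findings, the three failures that follow raise a burst finding, and the unregistered "ctr-temp" account is reported on sight. The value of the allow-list is that a vendor's stolen credential is only as useful to an attacker as the segment and hours the merchant granted it.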