This rise in data breaches and their resulting costs has companies asking, "Am I doing enough to protect my data?" As breaches are expected to continue escalating, taking the proper steps to protect your data has never been more relevant or important.
While all sensitive data is at risk, payment card data remains one of the easiest types of data to convert to cash, and therefore the preferred choice of criminals. As payment card data becomes more important, with cards supplanting cash, there is a clear path of action for businesses that can help prevent the compromise of payment card data: the Payment Card Industry Data Security Standard (PCI DSS).
The PCI SSC is responsible for the management, education and awareness of security standards including the PCI DSS, which provides guidelines to keep sensitive cardholder data safe from exploitation. Compliance is mandatory for any business that transmits, processes or stores payment card data, even if it's just one transaction.
Failure to comply with PCI DSS may result in fines and the loss of a merchant's license to accept card payments. Unfortunately, compliance with PCI DSS is far from universal. For example, according to the Verizon 2014 PCI Compliance Report, 64.4% of organizations in 2013 failed to restrict each account with access to cardholder data to just one user.
We recommend a careful, well-designed outsourcing strategy for both the management of security technologies and business processes. The aforementioned Verizon PCI Compliance Report recommends that your choice of provider should be made not just on IT security knowledge, but on business and payment-industry knowledge as well.
Leveraging tokenization technology is also a best-practice approach for securing sensitive data in enterprise systems and applications. It's a common misperception that tokenization and encryption are equal. Tokenization works by replacing payment card numbers with a surrogate, or token, ensuring sensitive data is never stored in your environment. The real data is stored off-site in a secure data vault. The technology captures card data and tokenizes it before it enters enterprise systems, ensuring raw card numbers never even touch those systems. At its core, tokenization protects data at every point along the transaction, both while it is at rest and while it is in transit.
Because of this, tokenization greatly reduces risk of breach, operational expenses and customer churn, all of which ultimately improve an organization's bottom line. Not only are you limiting your risk of a costly data breach by deploying a tokenization solution, but you can also reduce, and even remove, systems from the scope of your annual PCI audit, saving you time and money. Utilizing tokenization technology enables companies to eliminate systems from PCI audit scope, minimize PCI compliance costs, drastically reduce risk and secure personally identifiable information.
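The tokenization flow described in the two paragraphs above, as an added example that is not Paymetric's product or code: a hypothetical vault issues format-preserving tokens from a random source, and the merchant's order record keeps only the token, so the order system never holds a card number and can be argued out of audit scope. The class and function names (`TokenVault`, `record_order`) are assumptions for illustration.

```python
import secrets
import string


def luhn_valid(number: str) -> bool:
    """Luhn check that real card numbers pass; used here to ensure a token does NOT look like a card."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for the off-site vault: the only component that ever holds a real PAN."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        if pan in self._token_by_pan:  # same card -> same token, so repeat customers are still recognisable
            return self._token_by_pan[pan]
        while True:
            # Format-preserving: keep the last four digits for receipts; the rest comes from a CSPRNG,
            # so the token has no mathematical relationship to the PAN and cannot be reversed without the vault.
            body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject collisions and anything Luhn-valid, so a token is never mistaken for a real card number.
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (e.g. at settlement) can turn a token back into a PAN."""
        return self._pan_by_token[token]


def record_order(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """Merchant side: tokenize at capture, so the order store only ever sees the token."""
    return {"token": vault.tokenize(pan), "last4": pan[-4:], "amount_cents": amount_cents}
```

A token leaked from the order database yields only the last four digits; the PAN is recoverable only by querying the vault, which is why the vault, not the merchant systems, carries the PCI controls.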
An additional option some companies are turning to in order to protect themselves from breaches is the purchase of insurance. Last year, cyber insurance policies sold to retailers, hospitals, banks and other businesses jumped 20%, according to Marsh LLC, a New York-based insurance brokerage firm that tracks the market. But companies should be aware of what the policy covers, as many might not cover all of the costs and risks a company faces. Credit card companies, for example, often sue the organization that has been hacked for the cost of all the consumer card replacements that need to be issued. Some policies don't cover this expense.
The bottom line? Businesses must look at data breaches not from the "if" but from the "when" perspective. It's time for executives in every branch of the C-suite, in every industry that takes card-not-present payments from customers or that handles sensitive personal information, to pay attention to the potential loss of business, the compliance requirements and both the short- and long-term risks of a data breach.
Asif Ramji is president and CEO of Paymetric, an electronic payments technology company.