2011 PaymentSecurityPracticesTrendsReport CyberSource Trustwave
Table of Contents
EXECUTIVE SUMMARY (page 3)
PAYMENT SECURITY OWNERSHIP AND DRIVERS (page 4)
PAYMENT SECURITY MANAGEMENT PRACTICES (page 8)
PAYMENT SECURITY OPERATIONS: Staffing & Compliance Management (page 12)
PAYMENT SECURITY COSTS (page 14)
PAYMENT SECURITY MANAGEMENT TRENDS (page 16)
CONCLUSION (page 20)
REPORT AND SURVEY METHODOLOGY (page 21)
RESOURCES AND SOLUTIONS (page 22)
ABOUT CYBERSOURCE (page 25)
ABOUT TRUSTWAVE (page 25)
Executive Summary
For most organizations, managing payment security efficiently and effectively continues to be a challenge. To help businesses understand management trends and practices among their peer group, CyberSource and Trustwave, in partnership with the Merchant Risk Council (MRC), commissioned the Payment Security Practices and Trends Survey. This report summarizes the survey's findings and provides insights, industry benchmarks, and emerging industry trends.
Overview
Payment security entails managing and securing payment data across an organization's full order lifecycle, from the point of payment acceptance, through fraud management, fulfillment, customer service, funding and financial reconciliation, to transaction record storage. The presence of payment data at any of these points, whether on organization systems or networks or visible to staff, exposes the organization to risk. To address this risk, the Payment Card Industry Data Security Standard (PCI DSS) was created to help organizations protect their customers' payment account information by prescribing controls around payment data and its exposure to compromise. As part of adhering to PCI DSS, every organization that stores, processes, or transmits payment card data must validate compliance at least annually, either through a self-assessment questionnaire or through an on-site assessment by a Qualified Security Assessor, depending on its merchant level, and must pass quarterly external vulnerability scans performed by an Approved Scanning Vendor.
Report Highlights
A few highlights found in the survey and discussed in this report include:

Brand Protection is Key Driver of Investment: The need to protect the organization's brand and its revenues was given as the primary driver for investment in payment security.

Threat from External and Internal Sources Perceived as Equal: While the successes of external attackers often make headlines, employees can be an equally damaging source of risk. The survey found that organizations perceive the threats from internal and external sources as nearly equal.

Trend Towards Remote Data Storage: With the need to secure payment data and efficiently comply with PCI DSS, organizations are planning to shift their payment data security approach from an on-site strategy to a remote one. Organizations that had already made the shift reported shorter time-to-compliance and fewer full-time-equivalent employees managing payment security.

Payment Security Cost and Complexity Expected to Increase: Most survey respondents expect that the technological complexity, cost, and resources required to manage payment security will increase over the next 24 months.
Ultimately, however, the efficacy of an organization's payment security management operation comes down to the approaches and practices applied to securing data in three core areas:

Capture and Transmission (Data in motion): Practices related to securing payment data as it is captured and transmitted by multiple sales systems, sales staff, and customer service representatives throughout the order lifecycle.

Storage (Data at rest): Practices related to securing payment data as it is stored in multiple databases and desktop applications, written on slips of paper by call center staff, and even held on tape if customer service calls are recorded.

Back-office Tasks: Practices related to securing payment data used by staff during multiple back-office tasks, including fraud management, chargeback management, and payment reconciliation.

The structure of this report examines responding organizations' practices and trends in each of these areas, with the goal of understanding payment security investment drivers, organization structure, and the resulting relative costs of these practices.
Note: The PCI Security Standards Council defines four merchant or organizational levels [2], based on annual payment card transaction volume. For this report, survey results were segmented into two groups:

Level 1: organizations processing over 6 million global payment card transactions annually
Level 2-4: organizations processing fewer than 6 million global payment card transactions annually

Today, IT departments are most likely to have responsibility for payment security in both large and small organizations. However, the organization's number of annual transactions does matter: Finance tends to retain greater payment security ownership within Level 2-4 organizations. In fact, nearly a third (30%) of Level 2-4 organizations' payment
Ownership varies by industry. Although respondents reported IT ownership in well over half of the organizations in each industry sector surveyed, there were several notable exceptions. Finance is more commonly responsible for payment security in both educational (80%) and government (50%) services organizations (see Chart 4).
Motivation for investing in payment security also varied by department. Both IT and Finance departments' security investments were mainly driven by brand and revenue protection (for approximately 70% of respondents). However, where Legal departments owned the practice, the driver was more often avoiding fines. The different motivators for each group likely follow from each department's corporate responsibility. IT needs to maintain the overall security perimeter to keep attackers from infiltrating the infrastructure and harming the brand; Finance seeks to ensure that all financial aspects remain efficient and that revenue continues to be generated and properly recognized; Legal wants to ensure legal obligations are met in accordance with state and federal laws.
Tarnished Brand
In the U.S., most states mandate that any organization suffering a breach must disclose it to the affected individuals [3]. The media attention generated by a publicly disclosed breach can have a significant impact on the organization's brand reputation as well as on revenues. Statistically, in the first year after an occurrence, more than 50% of the stories written about an organization are devoted to coverage of the breach [4].
Customer Loss
Customers affected by a security breach are likely to lose confidence and change their future buying behavior. For instance, 55% of victims will have less trust in the organization, and approximately 30% will discontinue buying from that company in the future [5].
Stock Valuation
Organizations can lose from 0.63% to 2.10% in stock price value when a security breach is reported. This equates to an average market capitalization loss of $860M to $1.65B per incident [6].
Footnotes
3. National Conference of State Legislatures; http://www.ncsl.org/default.aspx?tabid=13489
4. Factiva; September 2006; Source: http://www.continuitycentral.com/news02793.htm
5. Javelin Strategy and Research; June 2008; Source: http://www.tawpi.org/uploadDocs/Data_Breach_survey.pdf
6. CMO Council; September 22, 2006; Secure the Trust of Your Brand
Level 2-4 organizations typically have smaller, less complex infrastructures than Level 1 organizations, and therefore are less likely to invest heavily in solutions that require on-site maintenance and IT expertise. Rather than build a proprietary solution in-house, these companies tend to deploy third-party solutions that host the payment data fields, providing secure capture and transmission of the payment data so it never enters the organization's network. In addition, the initial rollout of PCI DSS requirements focused primarily on Level 1 organizations, and remote strategies were not readily available at that time. Level 1 organizations therefore often invested in on-site strategies to meet the initial requirements, which may be delaying their migration to remote strategies today.
Over half of the organizations surveyed report that their call center staff have visibility of raw payment data. Similarly, of those that have face-to-face sales staff, 40% report that payment data remains visible to staff. However, when segmented by organization level, Chart 9 shows that Level 1 organizations are less exposed to raw payment data during customer interactions than Level 2-4 organizations. In addition, 45% of smaller companies with call center staff expose full account information to that staff.
BEST PRACTICE
Create a more secure payment environment by minimizing staff interaction with raw payment data. While exchange of payment data is necessary for call centers and customer-facing staff during the order process, payment information can be handled using a hosted payment acceptance solution that bypasses your environment (reducing PCI DSS scope), or via a separate payment interaction solution such as IVR (interactive voice response) and DTMF (dual-tone multi-frequency) that is hosted outside your environment, connecting customers directly with payment service providers.
For many companies, payment data is decentralized, used by several different departments and systems and housed in multiple databases across the organization. With payment data spread throughout, payment security becomes complex. To simplify payment security management, some are centralizing their payment systems infrastructure, so that sales systems and access to payment processors are tied to a central management, reporting, and administration infrastructure across all sales channels. Over two-thirds of the survey respondents reported employing a centralized platform. Another 15% reported they would be centralizing in the next two years. However, 9% of organizations still reported employing decentralized systems with no plans to change.
Level 2-4 organizations are more likely to use a remote storage strategy than larger (Level 1) organizations, which currently tend to store the data on their own networks. The survey found that 43% of Level 2-4 organizations and 38% of Level 1 organizations use a remote strategy (see Chart 11).
BEST PRACTICE
To better manage payment data and reduce the impact of a breach, centralize your payment data and substitute primary account numbers (PANs) with payment tokens generated by a PCI DSS-validated service provider. Centralized platforms reduce the cost and complexity of managing security across multiple sales channels, allow operation with fewer staff, and reduce the number of points of vulnerability. Tokenization removes card data from your environment, making it unavailable to staff or attackers, while still letting you process billing and returns as you normally do.
BEST PRACTICE
Reduce staff exposure to payment data by populating customer records with a payment token. Raw payment data is no longer required, because tokens can be formatted to carry identifying information, such as the last four digits of the card, without exposing the PAN. Where visibility of personal data or automated account data updating is required, outsource that operation to a qualified third party.
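The two tokenization practices above (replacing PANs with provider-issued tokens, and populating customer records with a token that retains only the last four digits) as an added, runnable illustration. This is example code written for this page, not CyberSource or Trustwave code. The vault is a hypothetical in-memory stand-in for the provider-side tokenization service, and the `tok_` token format, record fields, and function names are assumptions made for the example.

```python
import secrets


class TokenVault:
    """Hypothetical provider-side token vault (constructed for this example).

    The PAN is stored only here; the merchant keeps the token. A token is a
    random surrogate, so nothing about the PAN can be computed from it: there
    is no key to steal and no function to invert. (A plain hash of the PAN
    would not do: the PAN space is small enough to brute-force once the issuer
    prefix is known.) The last four digits are kept in clear so staff can match
    a card to a customer without ever seeing the full number.
    """

    def __init__(self):
        # In a real vault these tables are encrypted at rest and access-logged;
        # plain dicts keep the example self-contained and offline.
        self._pan_by_token = {}
        self._token_by_pan = {}

    @staticmethod
    def _normalize(pan):
        digits = pan.replace(" ", "").replace("-", "")
        if not (digits.isdigit() and 13 <= len(digits) <= 19):
            raise ValueError("not a well-formed PAN")
        return digits

    def tokenize(self, pan):
        digits = self._normalize(pan)
        # Same card -> same token, so repeat-customer and chargeback matching
        # keep working on the merchant side without the PAN.
        if digits in self._token_by_pan:
            return self._token_by_pan[digits]
        while True:
            # The 'tok_' prefix and hex body make the token impossible to
            # mistake for, or validate as, a card number.
            token = f"tok_{secrets.token_hex(8)}_{digits[-4:]}"
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = digits
        self._token_by_pan[digits] = token
        return token

    def detokenize(self, token):
        """Only the provider can do this. Merchant code never calls it; it asks
        the provider to charge or refund the token instead."""
        return self._pan_by_token[token]


def mask_pan(pan):
    """Display form for the few screens that must show card identity."""
    digits = pan.replace(" ", "").replace("-", "")
    return "*" * (len(digits) - 4) + digits[-4:]


def build_customer_record(vault, customer_id, pan, expiry):
    """What the merchant's CRM or order database stores: token and last four, no PAN."""
    token = vault.tokenize(pan)
    return {
        "customer_id": customer_id,
        "payment_token": token,
        "card_last4": token[-4:],
        "card_expiry": expiry,
    }


def process_refund(vault, record, amount):
    """Back-office refund: the merchant sends token plus amount; the provider
    detokenizes internally. Simulated here by calling the vault directly; the
    merchant-side record never contains the PAN."""
    pan = vault.detokenize(record["payment_token"])
    return {"refunded": amount, "card": mask_pan(pan)}


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample input: a standard test card number, not a live card.
    record = build_customer_record(vault, "C-42", "4111 1111 1111 1111", "09/13")
    print(record)
    print(process_refund(vault, record, 19.99))
```

The merchant-side record and the refund call are the only things a merchant application needs; the `detokenize` path exists solely inside the provider's environment, which is what takes the storage and back-office systems out of PCI DSS scope.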
BEST PRACTICE
To reduce the time and resource investment required to validate PCI DSS compliance, seek to reduce the scope of the overall audit by reducing the number of systems that must be included in the audit. Removing payment data from your environment and lowering instances in which staff interact with the data will contribute to a reduction in scope for PCI DSS requirements 1, 3, 4, and 9 (for definitions of all 12 requirements, see the Glossary).
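Scope reduction starts with knowing where raw PANs actually sit: the earlier sections list logs, call center notes, spreadsheets, and databases spread across departments. The following added example, not taken from the report, scans constructed sample records for card numbers using a Luhn check and issuer prefix ranges, so that every hit marks a system that is in PCI DSS scope until the data is removed or tokenized. The file names and record contents are constructed for the example, and the card numbers are published test numbers.

```python
import re

# Candidate: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check digit validation; rejects most order IDs, timestamps and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_brand(digits):
    """Issuer identification by prefix and length; None if no major brand matches."""
    n = len(digits)
    if digits[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if n == 16 and (51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720):
        return "Mastercard"
    if n == 15 and digits[:2] in ("34", "37"):
        return "American Express"
    if 16 <= n <= 19 and (digits.startswith("6011") or digits.startswith("65")
                          or 644 <= int(digits[:3]) <= 649):
        return "Discover"
    return None


def find_pans(text):
    """Return (brand, masked PAN) for every likely card number in a piece of text."""
    hits = []
    for match in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if not luhn_ok(digits):
            continue
        brand = card_brand(digits)
        if brand is None:
            continue
        # Report only the last four so the scan output itself stays out of scope.
        hits.append((brand, "*" * (len(digits) - 4) + digits[-4:]))
    return hits


def scan_records(records):
    """records: {source name: text}. Each finding names a system holding raw PANs."""
    findings = []
    for source, text in records.items():
        for brand, masked in find_pans(text):
            findings.append({"source": source, "brand": brand, "pan_masked": masked})
    return findings


# Constructed sample data standing in for files found across an organization.
SAMPLE_RECORDS = {
    "app.log": "2011-05-03 12:04:55 order=1234567890123456 card=4111111111111111 amount=19.99",
    "crm_notes.txt": "Cust called re refund, card 4242-4242-4242-4242 exp 09/13, said ok",
    "orders.csv": "1001,tok_9f3a2c77d0e1b4a6_1111,19.99,2011-05-03",
    "spreadsheet.csv": "chargeback,5555 5555 5555 4444,45.00",
    "phone_list.txt": "Support line +1 650 555 0199, fax +1 650 555 0198",
}

if __name__ == "__main__":
    for finding in scan_records(SAMPLE_RECORDS):
        print(finding)
```

The order ID in `app.log` is 16 digits but fails the Luhn check, the tokenized order row and the phone numbers never become candidates, and the three real hits (an application log, a call center note, and a chargeback spreadsheet) are exactly the kinds of locations the report says staff and back-office processes leave PANs in. Run against a real file share or log store, the same logic gives a list of systems that must either be cleaned up or included in the assessment.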
Extended Validation
An Extended Validation (EV) SSL certificate is issued only after a more stringent identity vetting process than a standard SSL certificate, assuring customers that the site they are paying is operated by the organization it claims to be. The certificate itself authenticates the seller; the SSL/TLS session it anchors then encrypts sensitive data, including payment card numbers, during transmission from customer to seller. Note that EV provides stronger identity assurance, not stronger encryption: the session keys are negotiated the same way as with a standard certificate. See Figure 1 for an example of how an EV SSL certificate is displayed to the shopper.

Figure 1: EV SSL-Certified Website
Of the 30% of organizations that use EV SSL, most reported using the approach to increase consumer shopping confidence (63%). In addition, Chart 16 shows that slightly more Level 2-4 organizations (68%) adopted EV SSL than Level 1 organizations (63%).
BEST PRACTICE
No single point solution can provide complete security and PCI DSS validation. Ensure the highest level of payment security and compliance status by deploying multiple security controls, which also address compliance with the PCI DSS 6.6 requirement.
Personnel Costs
Using reported FTE counts and industry data for personnel costs (salary, benefits, training expenses, and related personnel management costs), estimates of personnel costs were derived for each strategy and organizational level. Level 1 organizations with an on-site strategy spend, on average, nearly $1.7M annually on personnel costs, compared to approximately $1.1M for those using a remote strategy, a difference of nearly $0.6M per year (see Chart 19). Level 2-4 organizations with an on-site strategy spend, on average, a little over $1.5M, versus $1M annually for those using a remote strategy, a difference of nearly $0.5M (see Chart 19).
According to the data compiled in this survey, Level 1 organizations using an on-site strategy spend, on average, nearly 75% more per year on payment security than those using a remote strategy. The same trend holds for Level 2-4 organizations, albeit on a smaller scale: Level 2-4 organizations adopting an on-site approach spend $0.3M more annually on payment security than those adopting a remote approach.
Conclusion
Despite the expectation that cost, resource requirements, and technical complexity will increase over the next 24 months, managers continue to seek ways to boost efficiency in each area. The reason is clear: inadequate protection of customer payment data can have a detrimental effect on the organization's business. The payment data management strategy deployed must reduce complexity, resource dependency, and costs while increasing efficacy and reducing PCI DSS scope. Survey results indicate a general trend for many organizations to move towards a remote payment security strategy. While an on-site strategy is currently preferred by larger organizations, organizations using this strategy also report higher investments in systems and devices, a higher level of staffing, and longer time frames to validate compliance. Organizations using remote strategies report lower expenses in these areas and the ability to achieve PCI DSS validation in a shorter time frame.
Trustwave
Trustwave is a global provider of payment security and PCI DSS compliance solutions.
Payment Security:
Trustwave's End-to-End Encryption and Tokenization solutions protect payment card data in motion and at rest, simplifying the security infrastructure and reducing the scope of PCI DSS compliance.

Fraud Management: Close your threat window while keeping good customers happy. When faced with multiple ongoing and changing fraud threats, the ability to quickly detect and deter these attacks without impacting your customers has a direct bearing on your bottom line. CyberSource Decision Manager provides automated fraud screening, a rule console, a case management system, and analytics.
Glossary of Terms
On-site strategy: Payment data is managed and secured during capture, transmission, and storage using your own staff, systems, and infrastructure, which may be owned, leased, or licensed by your company.

Remote strategy: One or more service providers manage payment data security on your behalf. This can include technologies such as hosted payment tokenization or end-point encryption with remote data storage, and hosted payment acceptance, where the cardholder data is captured directly by the payment network via a hosted order page or interactive voice response system.

Payment data: Data that facilitates the payment transaction process. Includes credit or debit card numbers, name, address, and telephone number.

Organization Level, as defined by the PCI Security Standards Council:
Level 1: Merchants processing over 6 million transactions annually across all channels.
Level 2-4: Merchants processing fewer than 6 million transactions annually across all channels.

Tokenization: Replacement of sensitive data with a randomly generated surrogate value that has no mathematical relationship to the original data, so it cannot be reversed without access to the token vault that holds the mapping.
Encryption: Conversion of data into a form that cannot be understood by unauthorized parties. Requires a key to decode the data.

Hosted Payment Acceptance: A PCI DSS-validated third party hosts the payment data fields displayed on your website, then captures, transmits, and stores that data outside your network.

Payment Service Provider: Entity that offers organizations online services for accepting electronic payments through a variety of payment methods, including credit card, bank-based payments, and online banking.

PCI DSS Requirement 6.6: For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
Installing a web-application firewall in front of public-facing web applications

PCI DSS Requirements: See Chart 31
About CyberSource
CyberSource, a wholly-owned subsidiary of Visa Inc., is a payment management company. Over 330,000 businesses worldwide use CyberSource and Authorize.Net brand solutions to process online payments, streamline fraud management, and simplify payment security. The company is headquartered in Mountain View, California, with international offices in Reading, U.K.; Singapore; Tokyo; and the Middle East. CyberSource operates in Europe under agreement with Visa Europe. For more information, please visit www.cybersource.com or email info@cybersource.com.
CyberSource Europe
CyberSource Ltd Phone: +44 (0) 118 929 4840 Fax: +44 (0) 870 460 1931 Email: uk@cybersource.com
CyberSource Japan
CyberSource KK (Japan) Phone: +81-3-5774-7733 Fax: +81-3-5774-7732 Email: mail@cybersource.co.jp
About Trustwave
Trustwave is a global provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper compliance management software and other proprietary security solutions, including WAF, NAC, SIEM, and EV SSL certificates. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, Asia, and Australia. For more information, visit https://www.trustwave.com.