IS YOUR CUSTOMERS' PAYMENT DATA REALLY THAT SAFE?
A Chase Paymentech Paper
A data breach has the potential to cost retailers millions in lost customers and sales. In this paper we discuss a number of possible threats to your customers' data as well as some simple measures that can be employed to help better secure your customers' payment details.

The introduction of the Payment Card Industry Data Security Standard (PCI-DSS) ten years ago has made a significant contribution to protecting customers and e-commerce retailers alike from increasingly sophisticated criminals determined to steal personal information [1]. E-commerce sites remain the primary target for data breaches, accounting for 48 per cent of incidents investigated annually [2]. Why? Because payment information is the kind of data that criminals can most profitably sell and convert into cash [3].

The rapid growth in e-commerce and m-commerce has created additional risks for retailers. In a bid to understand shopping behaviour and anticipate customers' needs, it has become more important for retailers to analyse data. This can result in sensitive personal details about customers and their payment cards being stored and used in more places within an organisation, and possibly also shared with partners in the supply chain.

In this short white paper, we take a look at three business risks affecting e-commerce retailers in today's data-rich environment and consider some techniques that could help form an essential part of an effective data security strategy.
GROWING BUSINESS RISKS

1: GROWING FINANCIAL RISK OF A DATA BREACH

Worryingly, the number of companies suffering from data breaches has increased in recent years [4] despite record levels of PCI-DSS compliance [5]. Even large, high-profile retailers have fallen victim to malicious attacks, which have grown in complexity and sophistication in recent years. Such data breaches can result in the loss of millions of customer payment card details, passwords and other personal information. The average loss from a data breach for companies in Germany, the US and the UK now stands at US$4.8 million (€3.67 million), US$5.4 million and US$3.1 million (£2.04 million) respectively [6]. The proportion of the total cost resulting from a loss of business ranges from 36 per cent in Germany to 56 per cent in the US, with the remaining costs spanning the need to investigate and respond to each data breach [7].

[Chart: Total average cost of UK data breaches, in millions, by year from 2007 to 2012 [8]]

2: DATA, DATA EVERYWHERE

Successful multi-channel retailers rely on data analytics to generate customer insights, which can enable them to deliver a more personalised and relevant customer experience. However, the analysis of customer transactions and behaviour can make it both more costly and more difficult to secure payment data as it moves around a retail business. Data held by a retailer within its own servers, business systems and applications (known as "at rest") is often at greater risk of being breached than data related to the payment system itself ("in transit") [9]. The growing number of applications using this data, whether at rest or in transit, can include customer relationship management, ERP, customer loyalty, data warehouse analysis, one-click purchasing and repeat or recurring payments. To be payment data compliant, all of this data, even if it is encrypted, must be included in annual audits wherever it resides.
As more data moves within and outside a business (in particular data which may be shared with supply chain partners), the process of tracking and securing this data can become unsustainable. This can lead to greater effort, resources and time being spent every year in order to stay PCI-DSS compliant.

3: NEW TECHNOLOGY THREATS WITHIN THE BUSINESS

According to the Verizon Data Breach Investigations Report, over the past three years 67 per cent of retail and hospitality breaches have involved some form of malware and 76 per cent have involved hacking [10]. However, data breaches arising from human error, system glitches or business process failures can be just as common: for example, data being left unsecured on a lost laptop, or data being emailed to an employee's home email account, which is generally less secure than an individual's work environment.

The latest version of the PCI-DSS guidelines, which came into effect on 1 January 2014, includes new provisions for the growing levels of mobile transactions, the increased use of cloud computing and virtualisation, employees using their own devices at work and the potential rise of malware on Linux platforms (the operating system frequently used by today's web servers) [11]. These recent developments in retail technology and computing can make it more challenging to secure payment data or to monitor and track the flow of data around a business. In some cases, a data breach is not noticed for weeks, months or even years [12], and the longer it takes to discover a breach, the greater the likelihood of increased damage and cost to the firm and its customers.
HELP IS AT HAND

The increased complexity of PCI-DSS compliance may lead many retailers to consider alternative ways to secure their payment data and reduce the annual burden of PCI-DSS compliance. Two methods in particular are recognised as valuable and effective ways to achieve this goal.

TOKENISATION: PROTECTING YOUR STORED DATA

This technology addresses cardholder data at rest by replacing the primary account number and other sensitive data with alternative identifiers (or tokens). Done properly, this means that the stored payment card information is rendered worthless to any fraudster who obtains it. The use of tokenisation can enable many systems that handle customer data to be removed from the scope of PCI-DSS compliance, saving time, effort and scarce resources. However, the chosen tokenisation approach must be compatible with your existing payment applications, business systems and processes, so that the data remains accessible and beneficial to your business. Card brands such as Visa, MasterCard and American Express are committed to tokenisation as a way of stemming the rising tide of costly data breaches, while nearly half of e-tailers recently surveyed by Chase Paymentech [13] recognised that tokenisation is useful in PCI-DSS compliance.

HOSTED PAYMENT PAGE: PROTECTING YOUR ACCEPTANCE DATA

While tokenisation generally occurs after authorisation, it does not address issues of security and compliance at the initial acceptance stage. One effective solution for the initial acceptance process is the use of a hosted payment page, which can take the form of either a separate webpage or an individual order form that is hosted on a secure site. Customers enter their confidential payment data directly into this secure environment and the transaction proceeds as usual. Because the payment data is neither received nor stored by the merchant, this solution can help address PCI-DSS compliance requirements.
In our survey, 65 per cent of retailers recognised that hosted payment pages were useful to PCI-DSS compliance, yet only 39 per cent of them already use a third-party hosted payment page [14].

WHICH SOLUTION IS RIGHT FOR MY BUSINESS?

Since business environments and system architectures vary greatly, it is advisable to discuss with your acquirer which solution will work best for you and complement your business model.

Is your tokenisation process compatible with your data analysis? Ensure that the structure of your tokenisation system enables you to continue to track multiple uses of a particular customer or card as part of any big data initiatives.

Is the architecture of the tokenisation system scalable? Your level of PCI compliance depends on the volume of transactions. As your company grows, this may affect the architecture design of your solution.

What information will the token contain? Some systems enable a complete customer profile to be included within the token, so that the customer name, address, email address, AVS country code, amount, order description and order ID, as well as the card's expiration date and other payment information, are securely available for data analysis.

Will tokens need to be single-use (one-time tokens) or multi-use? If you want to track the behaviour of individual customers, you may need to use the same token every time the card is used, especially if you have extensive customer relationship management or loyalty programme applications.

Will your chosen hosted payment page share a consistent brand with the rest of your e-commerce site? The latest hosted payment solutions use dynamic designs that are automatically updated to ensure a single and seamless customer experience.

Can you customise or personalise your hosted payment page? Ensure that you are able to change the functions within the hosted payment page to reflect the rest of your site, such as first name or the card brands you offer.
Does your payment provider enable you to automatically update expired cards? Such functionality enables customers to complete their checkout when account numbers and expiry dates have changed, without you having to contact the customer.

TO LEARN MORE ABOUT HOW YOU CAN KEEP UP WITH YOUR MULTI-CHANNEL CUSTOMERS, PLEASE CONTACT: UK 0845 399 1120 or visit: www.chasepaymentech.co.uk
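The two tokenisation points above (protecting data at rest, and the single-use versus multi-use choice from the checklist) can be made concrete with a small model of a token vault. The following is an added example written for this page, not Chase Paymentech code and not a description of any provider's product: the in-memory TokenVault stands in for an acquirer-hosted, PCI-scoped service, the PAN, token format, HMAC index and MerchantCardRecord fields are all assumptions of the example, and the card number is the standard Visa test number, not a real card.

```python
"""Toy tokenisation vault for the 'data at rest' scenario in the paper.

Added example, not Chase Paymentech code. The in-memory TokenVault stands in
for an acquirer-hosted, PCI-scoped service; the merchant side keeps only the
token plus non-sensitive display fields. Single-use and multi-use tokens are
both modelled because the paper's checklist asks which one a business needs.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def luhn_valid(pan: str) -> bool:
    """Mod-10 check so malformed card numbers are rejected before tokenising."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class TokenVault:
    """The only component that ever holds a PAN. Everything else stores tokens."""
    index_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    _pan_by_token: dict = field(default_factory=dict)        # token -> PAN (a real vault encrypts this)
    _token_by_pan_index: dict = field(default_factory=dict)  # keyed hash of PAN -> multi-use token
    _single_use: set = field(default_factory=set)

    def _pan_index(self, pan: str) -> str:
        # Keyed hash (assumed design): a leaked index table cannot be brute-forced
        # over the PAN space the way a plain, unkeyed SHA-256 of the PAN could be.
        return hmac.new(self.index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenise(self, pan: str, multi_use: bool = True) -> str:
        """Multi-use: same card -> same token, so CRM and loyalty analysis can
        still link purchases. Single-use: a fresh token, valid for one detokenise."""
        if not luhn_valid(pan):
            raise ValueError("PAN fails Luhn check")
        idx = self._pan_index(pan)
        if multi_use and idx in self._token_by_pan_index:
            return self._token_by_pan_index[idx]
        # Random token: it carries no information about the PAN, so it is
        # worthless to anyone who steals it without also breaching the vault.
        token = "tok_" + secrets.token_urlsafe(18)
        self._pan_by_token[token] = pan
        if multi_use:
            self._token_by_pan_index[idx] = token
        else:
            self._single_use.add(token)
        return token

    def detokenise(self, token: str) -> str:
        """Recover the PAN for an authorised caller, e.g. to submit a repeat payment."""
        pan = self._pan_by_token.get(token)
        if pan is None:
            raise KeyError("unknown or already consumed token")
        if token in self._single_use:       # one-time token: consume it
            self._single_use.discard(token)
            del self._pan_by_token[token]
        return pan


@dataclass(frozen=True)
class MerchantCardRecord:
    """What the merchant's own systems keep: enough for display and analytics, no PAN."""
    token: str
    last4: str
    expiry: str                             # MM/YY


def store_card(vault: TokenVault, pan: str, expiry: str, multi_use: bool = True) -> MerchantCardRecord:
    """Merchant-side helper: hand the PAN to the vault and keep only the token."""
    token = vault.tokenise(pan, multi_use)
    return MerchantCardRecord(token=token, last4=pan[-4:], expiry=expiry)


def record_exposes_pan(record: MerchantCardRecord, pan: str) -> bool:
    """What a dump of the merchant database would reveal: True only if the
    full PAN appears in some stored field (the last four digits alone do not)."""
    return any(pan in str(value) for value in vars(record).values())


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"           # constructed: standard Visa test number, not a real card
    rec = store_card(vault, test_pan, "12/26")
    print(rec)
    print("merchant record exposes PAN:", record_exposes_pan(rec, test_pan))
    print("repeat payment via vault ok:", vault.detokenise(rec.token) == test_pan)
```

The design point is that the token is random rather than derived from the card number: a hash of the PAN, even a salted one, can be inverted by enumerating the card-number space, whereas a random token can only be resolved by the vault. Multi-use tokens preserve the customer-level linkage that loyalty and CRM systems need; single-use tokens are consumed on first detokenisation, so a stolen one-time token has no replay value.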
FOR FURTHER INFORMATION ABOUT PCI-DSS COMPLIANCE AND DATA SECURITY, VISIT:

PCI Security Standards Council: Data Security Standard - Requirements and Security Assessment Procedures, Version 3.0 (November 2013)
Visa: Best Practices for Tokenization Version (July 2010)
PCI Security Standards Council: Information Supplement - PCI DSS Tokenization Guidelines (August 2011)
MasterCard Press Release: MasterCard, Visa and American Express Propose New Global Standard to Make Online and Mobile Shopping Simpler and Safer (October 1, 2013)
EMVCo: EMV Payment Tokenisation Specification Technical Framework (March 2014)
PCI Security Standards Council: Information Supplement - PCI DSS Cloud Computing Guidelines (February 2013)

Chase Paymentech, the global payment processing and merchant acquiring business of JPMorgan Chase & Co. (NYSE: JPM), is a leading provider of payment, fraud and data security services, capable of authorising transactions in more than 130 currencies. Chase Paymentech provides payment expertise that helps sustain and power long-term growth. We also offer advice on how to mitigate the risk of data theft and minimise your PCI-DSS obligations with security solutions that will protect your customers' account details. In 2013, Chase Paymentech processed 35.6 billion transactions with a value of $750.1 billion.

Chase Paymentech Europe Limited, trading as Chase Paymentech, is a subsidiary of JPMorgan Chase Bank, N.A. and is regulated by the Central Bank of Ireland. Registered Office: EastPoint Plaza, Second Floor, EastPoint Business Park, Dublin 3, Ireland. Registered in Ireland with the CRO under No. 474128. Directors: Shane Fitzpatrick, Kevin Moran, Daniel Charron (US).

The information herein or in any document attached hereto does not take into account individual client circumstances, objectives or needs and is not intended as a recommendation of a particular product or strategy to particular clients, and any recipient of this downloadable document shall make its own independent decision. This downloadable document and the information provided herein may not be copied, published, or used, in whole or in part, for any purpose other than as expressly authorised by Chase Paymentech Europe Limited. 2014, Chase Paymentech Europe Limited. All rights reserved.

References

[1] Verizon: 2014 PCI Compliance Report
[2] Trustwave: 2013 Global Security Report (2013), figure 3
[3] Verizon: 2014 PCI Compliance Report, page 6
[4] Ponemon Institute: 2013 Cost of Data Breach Study: Global Analysis (May 2013)
[5] Verizon: 2014 PCI Compliance Report
[6] Ponemon Institute: 2013 Cost of Data Breach Study: Global Analysis (May 2013), figure 3
[7] Ponemon Institute: 2013 Cost of Data Breach Study: Global Analysis (May 2013), figures 15-18
[8] Ponemon Institute: 2013 Cost of Data Breach Study: United Kingdom (May 2013), figure 2
[9] Verizon: 2014 PCI Compliance Report, page 21
[10] Verizon: Research Report - Threat Landscape: Retail, Accommodation and Food Services (2013)
[11] Verizon: 2014 PCI Compliance Report, page 26
[12] Verizon: 2013 Data Breach Investigations Report (2013), figure 5: 66% of breaches took months or even years to discover
[13] Dynamic Markets: CNP Payment Challenges in 2014 (March 2014)
[14] Dynamic Markets: CNP Payment Challenges in 2014 (March 2014)