How Organizations Are Approaching New Payment Systems

| May 9, 2015

Sponsored by Experian and conducted by Ponemon Institute, the study of the Data Security in the Evolving Payments Ecosystem seeked to learn what individuals had to say about the new payments systems that are beginning to make it through to public use such as contactless smartphone point of sale (POS). Nearly 70% of the individuals questioned in the study said the pressures resulting from the migration to new payment systems would put the security of customer transactions at risk.

Contactless NFC Smartphone Payments

Contactless NFC Smartphone Payments

Payment System Survey

The 748 respondents of the survey were made up from IT based sectors such as IT security, product development, risk management, and other professionals that are involved in the payment systems within their organizations. Only about 50% indicated that they were slightly confident in the emerging payment systems security precautions and measures.

Greatest Risks

There was some startling results when the respondent of the survey were asked about the greatest risk in the payments ecosystem.

  • 34% said it would be online purchases
  • 25% said it would be through point of sale devices
  • 24% said it would be with mobile payments

When asked about effective their organization’ ability would be to deal with these risks, only 47% said either somewhat effective or not effective. A worrying statement considering that in some public organizations, these devices and methods of payments have already been rolled out, and are in use today.

Existing Security

There was a difference in opinion when the respondents of the survey were asked about who was responsible for the security of the new payments systems.

  • 45% said it was the banking industry
  • 40% said it was the credit card companies responsibility
  • 33% said it should be the job of regulators

When the respondents were asked who was responsible for protecting customer information and data following a security breach there was almost an equal split in the difference of opinion.

  • 75% said it was the company that lost the data responsibility.
  • 69% said it was the responsibility of the bank that had issues the payment cards involved

When questioned about what their own organization does following security breaches or services offered due to the result of such as breach there was a measure of confidence to allay fears of anyone thinking that there isn’t anything done when such an incident occurs.

  • 56% said they issued a new payment card following a breach
  • 29% indicated they conducted credit report monitoring
  • 24% said they offered fraud resolution services
  • 13% would respond with educational resources for consumers

From the respondents a surprising 22% said their organization had not suffered any such breaches. However something that did stand out about the amount of scope the industry has for better approaches following a data breach was that 38% of the respondents said they did not offer any of these services or approaches.

Effective Security Measures

When asked about their effectiveness is the result of data and security breaches, there was some home truths that stood out among the respondents.

  • 61% said their organizations were only somewhat or not effective
  • 69% responded that recent highly publicized security breaches had raised their awareness
  • 56% said their business had assessed their exposed risk to data & information
  • 53% had invested funds into enabling technologies
  • 41% had hired more security professionals within their organization
  • 39% said training and awareness of security had been increased to employees

The respondents were also asked about which data elements were for them, most important to protect. This includes all the data elements that we handle or deal with on a regular basis.

  • 68% said it was PIN codes or passwords
  • 63% responded that it was debit & credit card numbers & security codes
  • 32% had said social security numbers
  • 32% also said security numbers and usernames
  • 26% claimed email addresses
  • 16% said it was bank account numbers

How to improve Security Perception

In order to improve the confidence that individuals have on new payment systems, organizations should take the time themselves to become familiar with new payment systems and iron out any testing bugs prior to implementing them directly into customer contact areas. Companies should take steps to provide regular hands on training sessions regarding security and data protection, and the impact of this on the business directly. This should be conducted with all staff and especially front line customer facing staff.

Companies should also invest in enhanced security measures to better protect customer payment information, and be prepared to respond to individuals who are affected better by giving them identity theft protection and also fraud resolution services if a breach does actually occur. Industry as a whole must approach security problem solving collaboratively. If there was one thing that the majority of respondents to the survey broadly agreed on it was the need to have better collaboration to ensure the safety of the payments infrastructure with 85% all agreeing with this approach.



About the Author: