Only 26% of respondents said that they have increased credit card security in order to avoid penalties for PCI DSS non-compliance, according to the online survey of e-commerce merchants.
In addition, a majority of respondents said they felt the threat of payment data theft from inside employees was about equal to the threat from external hackers.
“People are seeing the threats from internal and external forces as the same”, said Rosa Luis, solution management for payment security at CyberSource. “That makes a lot of sense, because the data is readily available and easy to access for internal employees. So if you have credit card information on your network, employees have much more visibility into that than the external hacker”, Luis told Infosecurity.
In addition, the survey found that over the next two years more merchants expect to move credit card data from their networks to third-party vendors as a way of reducing security risks and data storage and compliance costs.
“Companies are moving toward implementing remote strategies for payment security. Rather than keeping data internally in their systems or capturing and transmitting data internally, they are moving to having a PCI DSS-certified third party service provider do that for them”, Luis said.
Merchants that outsource their credit card data processing and storage spend less on infrastructure, the survey found. Three-quarters of PCI DSS Level 1 merchants that have removed payment data from their networks spend less than $500,000 on their payment security infrastructure; only 60% of those that keep data in-house can make that claim.
Merchants that do not capture, transmit, or store data inside their own network tend to employ fewer personnel, validate PCI DSS compliance more quickly, and operate at a lower overall cost of payment security management, the survey found.
“Companies that are using a remote strategy, and not doing things internally, are actually having much more success in reaching PCI DSS compliance in a shorter period of time. So 87% of the companies that are using a remote strategy are complying in 20 weeks or less, whereas only 79% of companies that are using an on-site strategy are complying with PCI DSS is the same amount of time”, Luis noted.
Luis explained that tokenization is a strategy that merchants are increasingly using in order to avoid storing credit card information in-house. Tokenization takes a credit card number and turns it into a surrogate value that represents the card number, but with no ability to determine the number from the surrogate value.
“Tokenization takes the credit card number and camouflages it….The payment information is routed directly to the service provider; the service provider performs the authorization…and then provides a token to the merchant. So whenever the merchant needs to perform further transactions for that customer, it uses the token rather than the credit card number. This is a way to get credit card data out of their system”, Luis said.
“If a hacker does get access to the merchant’s database, all he is getting is a token which is not useable. He is not able to sell the information or perform transactions using the token”, she added.