Tokenisation may offer antidote to soaring cyber crime epidemic
As the number of cybercrime incidents increases, financial institutions and their corporate customers should take renewed steps to protect their data – including the use of tokenisation and hosted payment pages – according to a new report by Chase Paymentech.
Incidents of fraud, typically involving stolen bank account details, are thought to be on the rise. Last month a PwC survey in the US found that 75% of businesses surveyed had detected a security breach in the last year, while the average number of security intrusions was 135 per organisation. A separate study by security firm Trustwave in May found that 96% of applications have one or more serious security vulnerabilities.
The Chase Paymentech report, Is your customer payments data really that safe, found that the average loss from a data breach for companies in Germany, the US and UK now stands at $4.8 million, $5.4 million and $3.1 million respectively. The effect of data breaches can be divided into the loss of business, which accounts for 56% of the total in the US, and the cost of responding to the breach, which accounts for the remainder.
In response, the company recommends two possible measures. Tokenisation involves replacing the primary account number and other sensitive data identifying a cardholder with alternative identifiers. The idea is to render the information worthless to any fraudster. Card brands including Visa, MasterCard and American Express have already stated their support for tokenisation as a way of cutting down on data breaches. Customers should ensure that the structure of their tokenisation system still allows them to track multiple uses of a particular customer or card, the report added.
However, tokenisation generally occurs after authorisation, so it does not address the security and compliance issues at the initial acceptance stage. According to Chase Paymentech, the second possible solution is to use a hosted payment page, which can take the form of either a separate web page or an individual order form hosted on a secure site. Because the payment data is never received or stored by the merchant, the approach is intended to reduce the merchant's PCI-DSS compliance burden. Only 39% of retailers have so far introduced such a measure, according to the research.
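To make the tokenisation approach described above concrete, here is an added illustration (not code from the report or from Chase Paymentech) of a hypothetical token vault: the PAN is swapped for a random identifier that is useless outside the vault, yet the same card always receives the same token, so repeat purchases by one customer or card remain trackable as the report requires. The keyed lookup index, the retained last four digits and the rule that a token must fail the Luhn check are design assumptions of this example.

```python
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13 or len(digits) > 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical vault: the only component able to map a token back to a PAN."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key  # secret used only to build the lookup index
        self._token_by_index = {}    # HMAC(PAN) -> token
        self._pan_by_token = {}      # token -> PAN; this table never leaves the vault

    def _index(self, pan: str) -> str:
        # Keyed hash, so the index alone does not expose PANs if the table leaks
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not luhn_valid(pan):
            raise ValueError("not a plausible card number")
        idx = self._index(pan)
        if idx in self._token_by_index:  # same card -> same token, so repeat use stays trackable
            return self._token_by_index[idx]
        while True:
            # Random digits plus the real last four (assumed acceptable for receipts and support);
            # regenerate until the result fails Luhn, so a token can never pass as a live PAN
            token = "".join(secrets.choice("0123456789") for _ in range(12)) + pan[-4:]
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._token_by_index[idx] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only trusted back-end components (e.g. settlement) should be allowed to call this."""
        return self._pan_by_token[token]
```

Merchant systems such as CRM or recurring-billing databases would store only the token; a breach of those systems yields nothing usable without access to the vault.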
Data held by a bank or other business within its own servers, business systems and applications is often at greater risk of being breached than data within the payment system itself, the report noted. The growing number of applications that use such data include customer relationship management systems, data warehouse analysis systems and, in particular, processes for repeat or recurring payments such as direct debits or standing orders.
The causes of data breach were addressed by a Verizon Data Breach Investigations Report earlier this year, which found that over the past three years 67% of breaches in retail involve some form of malware and 76% involve hacking. Meanwhile, the study by Trustwave found that easily guessable passwords were the largest single cause of the problem. In 31% of cases, weak passwords were the entry point for cyber criminals. When checking compromised credentials, Trustwave found that “123456” topped the list of the most commonly used password followed by “123456789,” “1234” and then “password,” and that nearly 25% of the usernames had the same passwords stored for multiple sites.
However, according to Chase Paymentech, data breaches arising from human error, system glitches or business process failures can be just as common. Examples highlighted by the research include data left unsecured on laptop computers, and data emailed to an employee’s home email address, which is generally less secure than the work environment.
One of the other major problems is that as more data moves within and outside a business, and especially when it is shared with supply chain partners, tracking and securing it becomes a challenge. Payment data must always be included in annual audits, so the report recommends that firms take care not to lose control of it. On 1 January updated PCI-DSS guidelines came into effect, bringing new provisions for mobile transactions, cloud computing, BYOD and the potential rise of malware on Linux platforms, the operating system commonly used by web servers. These rules underscore the importance of keeping track of data, the report added.