A Rudyard Kipling poem reads, "If you can keep your head when all about you Are losing theirs and blaming it on you," and ends, "Yours is the Earth." This quote was brought to our attention by Richard McCammon, VP of integrated solutions at Delego, as his introduction on episode 154 of Coffee Talk with Game Changers "Data Security in the Age of Credit Card Breaches."
The host of Voice America's podcast Bonnie Graham asked McCammon why he chose the Kipling quote, and among a few other reasons, McCammon explained that these words fit the current landscape of payment card security. Essentially, both merchants and cardholders can go a bit crazy after being the victims of a data breach, McCammon posited, and as consumers have their data stolen multiple times and merchants worry about becoming the blame for an incident, those who remain calm and logical can prosper and make it through attacks unscathed.
That was just one of the many insightful answers from a variety of questions discussed on the recent Coffee Talk with Game Changers podcast. McCammon was joined by two other industry experts as well: Hillel Zafir, co-founder and president of HMS Technology Group, and Frank Richter, head of SAP's global order-to-cash process management team. Together they took an hour to explore ideas including but not limited to PCI compliance, cybercrime, data breach costs, the current landscape of data protection and what merchants can do to keep consumers happy. You can listen to the podcast here, and below are some of the most important topics discussed:
The current conditions
Despite the variety of technologies and systems used, the general process for payment processing involves three layers. The gateway layer is the transaction itself, specifically the card swipe, the acquirer is the organization that processes the payment and the top layer is the banks and their interactions with Visa, MasterCard and other major industry players. This is where the problem lies, Zafir posited.
"The three layers of payment processing leave data vulnerable."
Between each of the three payment processing layers, data is traveling across the Internet completely vulnerable to a man-in-the-middle or similar interception-like attack. However, even when data isn't speeding through systems, it's at rest in corporate data centers and at risk of theft, Zafir explained. Right now, there are different tools to secure each layer, but as complexity increases, like when using payment cards in other countries, McCammon used as an example, it's more difficult to protect information. This is also a problem for small merchants that don't have direct connections to banks and therefore must rely on multiple processors.
So, to help cut down of bank-end processes and procedures, industry leaders started to focus on the consumer. McCammon explained that technologies such as EMV, 3DSecure and two-factor authentication are all there to protect the cardholder, but these tools also require their input, making the consumer a critical piece of the payment processing puzzle. The only problem is that consumers don't care, Zafir pointed out, because they can always dispute charges with no lasting effects. This creates an interesting scenario where customers blame merchants but they still refuse to take on responsibilities themselves. The current goal in the industry, according to McCammon, is to get cardholders engaged.
The 'elephant in the room'
Merchants, banks and consumers need to work fast, however, as cyberthreats loom around every corner. McCammon stated that 79 percent of multinational companies have experienced a breach, but only 50 percent of retailers are PCI compliant. This leaves room for cybercriminals to develop attacks and figure out the inner workings of payment processing systems. After all, McCammon explained, fraud techniques have always adapted to the times.
Take the introduction of EMV in Canada for example. McCammon said that in Canada between 2004 and 2013, fraud increased by 145 percent and card-not-present fraud jumped from 37 percent to 70 percent, despite EMV becoming the norm in 2007. As merchants and payment processors move from one security element to another, "crooks remain one step ahead," and attacks grow in "frequency and magnitude," according to McCammon.
The cost of PCI compliance
The fact of the matter is that cybercriminals are in the business of hacking, and merchants have a company to run, product to sell or service to provide and no time to devote to cybersecurity. The solution is to invest in technologies that not only fulfill PCI compliance but go beyond those requirements.
The host of the Voice America podcast, Graham, reported that some analysts claim PCI compliance is unreasonable to deal with, while other sources indicated that just complying with PCI can cost around 38 percent of a company's budget. Furthermore, when factoring in the cost of maintaining that high level of security, Graham stated that the statistic jumps to between 50 and 60 percent.
Richter explained that while SAP doesn't face problems such as those, the cost of compliance can be considered an investment into customer relationships and trust.
"There is a perception that prevention costs a lot of money, but that's wrong."
However, after some discussion and debate, all three podcast guests agreed that there is a perception that prevention costs a lot of money, but in reality, Target faced spending levels that approached $148 million, according to The Wall Street Journal. Zafir noted that there are costs due to damage control, stock drops, reputation loss and then there are plenty of fines. He suggested that spending could indeed reach the billions in some cases, while McCammon was quick to point out that most businesses spend more than $90 on protecting each cardholder after a data breach.
"The total cost – based on some studies that are done – are somewhere around the $200 mark per card that [is] compromised," McCammon explained. "So if you take something – a 3 million credit cards – that have been ripped off or hacked, then you're talking serious dollars."
McCammon added that spending like that can completely ruin a small e-commerce business, but with a proactive approach, all would be well in regard to budgets. Every manager has a company to run, and security should only be a part of it. By understanding the risks of payment processing and implementing solutions before becoming the latest data breach victim, organizations will spend less overall.
As for the future of payment processing, McCammon estimated that by 2020, data breaches and payment processing security will still be a conversation that the industry is having. However, in the short term, McCammon posited that merchant, processors and banks will get cardholders more engaged and involved in protecting their payment and personal information.
This year, McCammon explained, EMV will be rolled out and two-factor authentication will catch on, wrapping consumers up in data protection trends. Then, combined with Apple Pay and near-field communication technology, he expects everyone to be more aware of fraud and cybersecurity practices. By 2018, McCammon predicted that the cardholder will be completely involved, and three-factor authentication might be the norm.
To hear the podcast "Data Security in the Age of Credit Card Breaches" for yourself and to learn more about data security from Delego VP Richard McCammon and other industry veterans Hillel Zafir and Frank Richter, you can visit VoiceAmerica.com or check it out here: http://www.voiceamerica.com/episode/82779/data-security-in-the-age-of-credit-card-breaches.
Is Your Business Secure?