We here at Crimson spend a considerable amount of time tracking the technology and developments of the payment industry. Last year has been called the Year Of The Breaches, due to the quantity and size of these occurrences. Beyond the general interest, we try to find out specifically what happened in each case, so that we can advise our clients and customers how to avoid these same pitfalls. This exercise has led us to some interesting conclusions.
- The number and magnitude of the breaches are climbing. Target had 110 million customer records stolen and Home Depot had over 56 million credit and debit cards compromised. Now 43% of the top 500 retailers admit to a data breach within the last 2 years, and 60% of these had more than 1 breach in that time period.
- All breaches are caused by some vulnerability in the company's data access. Most breaches occur due to a weakness that had previously been identified, but not rectified. Even Target had introduced a chip and PIN program 10 years ago, but after 3 years saw little value in this initiative and stopped the rollout. This mandate is now back on with full support and far more cost.
- For the first time, we saw high executive turnover directly related to a breach. Organizations now realize that they need to understand what's in their data environment in order to protect it. PCI compliance alone doesn't do it. Target was certified PCI compliant.
- Letting a breach happen is one thing, but dealing with it correctly is quite a different matter. Consumers demand a clear and decisive response. Most organizations have a plan in place, but if it has not been implemented and tested, it is almost worse than no plan at all.
- Customers are now more reluctant to give up personal information, particularly if their data has been exposed in a breach. The consumer must feel comfortable sharing information with the merchant. This demands the highest level of integrity for the brand. Open and honest communication is the key during any recovery process.
- When customers shun companies that have experienced a cyberattack, the cost of the breach can be devastating. According to the Ponemon Institute, the average cost of each lost or stolen record containing sensitive information is $201. They attribute 38% of this cost to lost customer business and 16% to legal expenses to defend against lawsuits and provide answers to various regulators.
- About one third of companies have purchased cyber insurance. These are usually companies with good IT security practices. Your likelihood of experiencing a material data breach over the next 2 years is 23% if you are a public organization or a retailer.
At Crimson we are focused on the security of sensitive payment transactions. We have moved beyond PCI compliance and are actively installing EMV-ready solutions with our customers. This chip and PIN technology will not prevent a breach but will reduce fraudulent transactions. This is a key requirement for all merchants as the October responsibility shift looms. Our leading clients are installing P2PE solutions for security in their payment processing systems. Even if encrypted data is stolen, it is useless to anyone not authorized. We have become good at payment transaction security over the last few years. At Crimson we have a solution for every size and budget. This year we will continue to work with our customers and partners to stay 3 steps ahead of the bad guys.