2011 PaymentSecurityPracticesTrendsReport CyberSource Trustwave
8/3/2019 2011 PaymentSecurityPracticesTrendsReport CyberSource Trustwave
1/25
Payment Security Practices and Trends Report
2011 MERCHANT PRACTICES, TRENDS, AND BENCHMARKS
Payment Security Practices and Trends Report 2011. © 2011 CyberSource, a Visa company. All rights reserved.

Table of Contents

EXECUTIVE SUMMARY ... 3
PAYMENT SECURITY OWNERSHIP AND DRIVERS ... 4
PAYMENT SECURITY MANAGEMENT PRACTICES ... 8
PAYMENT SECURITY OPERATIONS: Staffing & Compliance Management ... 12
PAYMENT SECURITY COSTS ... 14
PAYMENT SECURITY MANAGEMENT TRENDS ... 16
CONCLUSION ... 20
REPORT AND SURVEY METHODOLOGY ... 21
RESOURCES AND SOLUTIONS ... 22
ABOUT CYBERSOURCE ... 25
ABOUT TRUSTWAVE ... 25
Executive Summary

For most organizations, managing payment security efficiently and effectively continues to be a challenge. To help businesses understand management trends and practices among their peer group, CyberSource and Trustwave, in partnership with the Merchant Risk Council (MRC), commissioned the Payment Security Practices and Trends Survey. This report summarizes the survey's findings and provides insights and industry benchmarks as well as emerging industry trends.

Overview

Payment security entails managing and securing payment data across an organization's full order lifecycle, from the point of payment acceptance, through fraud management, fulfillment, customer service, funding and financial reconciliation, and transaction record storage. The presence of payment data at any of these points, whether on organization systems, networks or visible to staff, exposes the organization to risk.

To combat this risk, the Payment Card Industry Data Security Standard (PCI DSS)[1] was created to help organizations protect their customers' payment account information by providing increased controls around payment data and its exposure to compromise. As part of adhering to PCI DSS standards, all organizations that process payment data must perform an internal or external audit, and a network scan.

Ultimately, however, the efficacy of an organization's payment security management operation comes down to the approaches and practices applied to securing data in three core areas:

Capture and Transmission (Data in motion): Practices related to securing payment data as it is captured and transmitted by multiple sales systems, sales staff and customer service representatives throughout the order lifecycle.

Storage (Data at rest): Practices related to securing payment data as it is stored in multiple databases and desktop applications, written on slips of paper by call center staff, and even on tape if customer service calls are recorded.

Back-office Tasks: Practices related to securing payment data used by staff during the performance of multiple back-office tasks, including fraud management, chargeback management and payment reconciliation.

The structure of this report examines responding organizations' practices and trends in each of these areas, with the goal of understanding payment security investment drivers, organization structure, and the resulting relative costs of these practices.

Report Highlights

A few highlights found in the survey and discussed in this report include:

Brand Protection is Key Driver of Investment: The need to protect the organization's brand and its revenues was given as the primary driver for investment in payment security.

Threat from External and Internal Sources Perceived as Equal: While the successes of external hackers often make headlines, employees can be an equally damaging source of risk. The survey found that organizations perceive the threats from internal and external sources as being nearly equal.

Trend Towards Remote Data Storage: With the need to secure payment data and efficiently comply with PCI DSS, organizations are planning to shift their payment data security approach from an on-site strategy to a remote one. Those organizations that had already made the shift reported shorter time-to-compliance and fewer full-time equivalent employees managing payment security.

Payment Security Cost and Complexity Expected to Increase: Most survey respondents expect that the technological complexity, cost, and resources required to manage payment security will increase over the next 24 months.

1 PCI DSS Security Standards Council; https://www.pcisecuritystandards.org/
Payment Security Ownership and Drivers

Ownership

There are four departments within organizations that are typically responsible for payment security. They include: IT, Finance, Legal or Compliance, and Operations. In the majority of organizations participating in the survey, payment security was managed by one of two groups: IT or Finance. For over half of all organizations (57%), the IT department maintains payment security ownership (see Chart 1).

Note: The PCI DSS Security Standards Council defines four merchant or organizational levels[2], based on annual transactional card volume processed. For this report, survey results were segmented into two groups:

Level 1: organizations processing over 6 million global payment card transactions annually
Level 2-4: organizations processing fewer than 6 million global payment card transactions annually

Today, IT departments are most likely to have responsibility for payment security in both large and small organizations. However, the organization's number of annual transactions does matter: Finance tends to retain greater payment security ownership within Level 2-4 organizations. In fact, nearly a third (30%) of Level 2-4 organizations' payment security is managed by Finance, compared to just 12% in Level 1 organizations. Further breakdowns by organization levels are shown in Chart 2 and Chart 3.

2 PCI DSS Security Standards Council; https://www.pcisecuritystandards.org/
Ownership varies by industry. Although respondents reported IT ownership in well over half of the organizations, in each industry sector surveyed, there were several notable exceptions. Finance is more commonly responsible for payment security in both educational (80%) and government (50%) services organizations (see Chart 4).
Drivers of Payment Security Investment

Regardless of ownership within an organization, a primary driver for investment in payment security is the protection of the brand or revenue (selected by 69% of respondents), rather than avoiding bank fines for non-compliance (see Chart 5). One of the largest investments an organization can make is in the development and ongoing protection of its brand. Security breaches can significantly tarnish the brand image and affect long-term revenues.

Motivation for investing in payment security also varied by department. Both IT and Finance departments' security investments were mainly driven by brand and revenue protection (for approximately 70% of respondents). However, in the instances where Legal departments owned the practice, the driver was more often to avoid fines.

Different motivators for each group are likely due to the inherent corporate responsibility. For instance, IT needs to maintain an overall security perimeter to keep hackers from infiltrating the infrastructure and harming the brand; Finance seeks to ensure that all financial aspects remain efficient and that revenue continues to be generated and properly recognized; Legal wants to ensure legal obligations are met and remain in accordance with state and federal laws.

Breach Impact on Organizations

Motivators are likely related to the real impact a breach can have on an organization's brand, revenue and value. Consider the following:

Tarnished Brand
In the U.S., most states mandate that any organization suffering a breach must disclose it to the impacted individuals[3]. The media attention generated by a publicly disclosed breach can have a significant impact on the organization's brand reputation as well as on revenues. Statistically, in the first year of an occurrence, more than 50% of the stories written about an organization are devoted to coverage of the breach[4].

Customer Loss
Customers affected by a security breach are likely to lose confidence and change their future buying behavior. For instance, 55% of victims will have less trust in the organization, and approximately 30% will discontinue buying from that company in the future[5].

Stock Valuation
Organizations can lose from 0.63% to 2.10% in stock price value when a security breach is reported. This equates to an average market capitalization loss of $860M to $1.65B per incident[6].

3 National Conference of State Legislatures; http://www.ncsl.org/default.aspx?tabid=13489
4 Factiva; September 2006; Source: http://www.continuitycentral.com/news02793.htm
5 Javelin Strategy and Research; June 2008; Source: http://www.tawpi.org/uploadDocs/Data_Breach_survey.pdf
6 CMO Council; September 22, 2006; Secure the Trust of Your Brand
Sources of Payment Security Risk

Although security breaches by external hackers garner much public attention, threats that originate from within the organization can be equally damaging. Within an organization, payment data is exposed and at risk at many points in the order management process, from sales to the back-office.

When asked about the risk of payment data being stolen by employees versus external hackers, organizations reported that the payment security threat was perceived as nearly equal (see Chart 6).

The risk of breach from employees was perceived slightly higher (38%) in Level 1 organizations versus Level 2-4 (35%). This difference may be related to the challenge of monitoring a larger staff, in addition to the relative anonymity that exists in a larger company.
Payment Security Management Practices

Typically, organizations adopt either an on-site or remote payment security strategy, or have a hybrid approach as they transition from one to the other.

With an on-site strategy, payment data is secured in-house and on the organization's own network and systems, using encryption and similar technologies. The focus of this strategy is to lock the payment data down to eliminate the security risk.

In contrast, some organizations adopt a hosted or remote strategy, where payment data is captured, transmitted, and stored by a PCI DSS-certified payment service provider, which then returns secure tokenized payment information back to the organization. This strategy focuses on eliminating payment data from the environment, from capture through storage, versus securing it within the environment.

The following sections examine the use of on-site and remote approaches as they relate to organizational practices during capture and transmission, data storage and performance of back-office tasks.

Data Capture and Transmission

The survey asked respondents to report on the approach being used to secure payment data during capture and transmission across their various sales channels. Chart 7 shows organizational use of a remote strategy is currently highest in the call center channel, with point of sale (POS) close behind. Most organizations reported using primarily an on-site strategy in the online channel.

Level 2-4 organizations are more likely than Level 1 organizations to use remote capture strategies in online and call center channels (see Chart 8).

Level 2-4 organizations typically have smaller, less complex infrastructures than Level 1 organizations, and therefore are less likely to invest heavily in solutions that require on-site maintenance and IT expertise.

Rather than build a proprietary solution in-house, these companies tend to deploy third-party solutions that host the payment data fields, providing secure capture and transmission of the payment data so it never enters the organization's network.

In addition, the initial deployment of PCI DSS requirements was focused primarily on Level 1 organizations. Remote strategies were not readily available at that time. The Level 1 organization often invested in on-site strategies to meet the initial requirements, perhaps delaying their migration to remote strategies today.
Over half of the organizations surveyed report that their call center staff has visibility to raw payment data. Similarly, of those that have face-to-face sales staff, 40% report payment data remains visible to staff.

However, when segmenting by organization level, Chart 9 shows that Level 1 organizations are less exposed to raw payment data during customer interactions than Level 2-4 organizations. In addition, 45% of smaller companies with call center staff are exposed to full account information.

BEST PRACTICE
Create a more secure payment environment by minimizing staff interaction with raw payment data. While exchange of payment data is necessary for call centers and customer-facing staff during the order process, payment information can be handled using a hosted payment acceptance solution that bypasses your environment (reducing PCI DSS scope), or via a separate payment interaction solution such as IVR (interactive voice response) and DTMF (dual-tone multi-frequency) that is hosted outside your environment, connecting customers directly with payment service providers.
Securing Payment Data Storage

According to the PCI DSS, those that employ on-site storage strategies must store the account information in a tokenized, encrypted or otherwise unreadable format.

Today, 57% surveyed report storing their payment data on-site using either encryption or tokenization as a security measure. Another 43% of organizations reported employing a remote storage strategy (see Chart 10).

Level 2-4 organizations are more likely to use a remote storage strategy than larger (Level 1) organizations, which currently tend to store the data on their own networks. The survey found that 43% of Level 2-4 organizations and 38% of Level 1 organizations use a remote strategy (see Chart 11).

For many companies, payment data is decentralized: used by several different departments and systems, and housed in multiple databases across the organization. With payment data spread throughout, payment security can become complex.

To simplify payment security management, some are centralizing their payment systems infrastructure, where sales systems and access to payment processors are tied to a central management, reporting, and administration infrastructure across all sales channels. Over two-thirds of the survey respondents reported employing a centralized platform. Another 15% reported they would be centralizing in the next two years. However, 9% of organizations still reported employing decentralized systems with no plans to change.

BEST PRACTICE
To better manage payment data and reduce the impact of a breach, centralize your payment data and substitute primary account numbers (PAN) with payment tokens generated by a PCI DSS-certified service provider. Centralized platforms reduce the cost and complexity of managing security across multiple sales channels, allow operation with fewer staff, and reduce points of vulnerability. Tokenization enables elimination of data from your environment, making it unavailable to staff or hackers, while still letting you transact billing and returns as you normally do.
Back-office Payment Data Exposure

Back-office staff is also exposed to payment data during tasks such as manual review, chargeback management, account updating for billing/account-on-file, and related reconciliation tasks. Accounting and fraud review staff were reported as having the most exposure to raw payment data. Nearly a third (32%) of Level 1 organizations surveyed have raw data visible to fraud review staff, compared with 24% of Level 2-4 organizations (see Chart 12).

BEST PRACTICE
Reduce staff exposure to payment data by populating customer records with a payment token. Raw payment data is no longer required, as tokens can be formatted to include identifying information without exposing payment data. In instances when personal data visibility and automated account data updating is required, outsource the operation to a qualified third-party.
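The two tokenization best practices above (centralizing PANs behind provider-issued tokens, and populating back-office records with format-preserving tokens) can be illustrated with a small token vault. This is an added example, not CyberSource's or Trustwave's code; the TokenVault class, its HMAC-keyed index, and the choices to keep only the last four digits and to reject Luhn-valid tokens are assumptions about a generic design.

```python
import hashlib
import hmac
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def well_formed_pan(pan: str) -> bool:
    """Basic PAN sanity check: 13-19 digits that pass Luhn."""
    return pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)


class TokenVault:
    """Hypothetical token vault (assumption: stands in for the PCI DSS-certified
    service provider the report describes, the only place the PAN-to-token
    mapping lives). The merchant environment keeps nothing but the token."""

    def __init__(self, index_key: bytes) -> None:
        self._index_key = index_key        # secret key for the lookup index
        self._token_by_index: dict[str, str] = {}
        self._pan_by_token: dict[str, str] = {}

    def _index(self, pan: str) -> str:
        # Keyed HMAC rather than a plain hash: the space of Luhn-valid PANs
        # under a known BIN is small enough that bare hashes can be reversed.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return the format-preserving token for a PAN, creating one on first use."""
        if not well_formed_pan(pan):
            raise ValueError("not a well-formed PAN")
        idx = self._index(pan)
        if idx in self._token_by_index:
            # Same PAN -> same token, so recurring billing and returns keep
            # working against the token alone, as the best practice describes.
            return self._token_by_index[idx]
        while True:
            # Format-preserving: same length, real last four digits retained so
            # customer service can match a card without ever seeing the PAN.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Design choice (assumption): a token must fail Luhn, so it can
            # never be mistaken for, or accidentally equal, a real card number.
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._token_by_index[idx] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the provider-side processing path should ever call this."""
        return self._pan_by_token[token]


def customer_record_view(name: str, token: str) -> dict:
    """What back-office staff see: the token and a masked display built from it."""
    return {"customer": name, "payment_token": token, "card_display": "**** " + token[-4:]}


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    test_pan = "4111111111111111"       # constructed, well-known test PAN
    tok = vault.tokenize(test_pan)
    print(customer_record_view("A. Customer", tok))
    print("token passes Luhn:", luhn_valid(tok),
          "| vault round-trip ok:", vault.detokenize(tok) == test_pan)
```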
Payment Security Operations: Staffing & Compliance Management

Payment Security Staffing

Nearly all organizations reported requiring the equivalent of at least one full-time staff member to manage payment security operations. Overall, organizations using a remote strategy employed fewer full-time equivalent (FTE) payment security staff in comparison to those using an on-site strategy.

Level 1 organizations average 2.4 FTE staff while Level 2-4 organizations average slightly fewer, at 1.9. In addition, more Level 2-4 organizations (68%) reported having fewer than three FTE staff than Level 1 organizations (64%), possibly because larger organizations require more resources due to scope (see Chart 13).

Compliance and Certification

Completing PCI DSS validation in a timely manner is important to uncover any potential security issues, avoid fines, retain the ability to accept credit card payments, and reduce overall cost and overhead. The cost of PCI DSS validation is a direct function of the time required to complete the process.

Chart 14 compares the number of weeks required to complete PCI DSS certification using remote and on-site strategies. Nearly all organizations (87%) with remote storage strategies were able to complete certification in less than 20 weeks. In contrast, 79% of on-site storage organizations were able to complete certification in the same time period.

The difference in number of weeks to complete PCI DSS validation by payment security approach is likely due to the number of systems and points of contact that are seen as being in scope, and therefore requiring an audit or scan. Organizations with an on-site approach are likely to have more systems, devices, and processes in-scope than those adopting a remote approach.

BEST PRACTICE
To reduce the time and resource investment required to validate PCI DSS compliance, seek to reduce the scope of the overall audit by reducing the number of systems that must be included in the audit. Removing payment data from your environment and lowering instances in which staff interact with the data will contribute to a reduction in scope for PCI DSS requirements 1, 3, 4, and 9 (for definitions of all 12 requirements, see the Glossary).
PCI DSS Requirement 6.6 Compliance

Security of Public-facing Web Applications

Compliance with PCI DSS requirement 6.6 (see Glossary for definition) has been of particular interest since its introduction in 2008. This requirement provides options intended to ensure that public-facing web applications are protected from common threats to cardholder data.

The first option, application protocol testing, can often be onerous for a business to undertake, sometimes requiring specialized personnel to be hired. Organizations using this option likely use application penetration testing by external validation.

The second option is to adopt a web application firewall approach that, similar to the first option, requires hiring and training of the proper staff.

Survey results displayed in Chart 15 show that 59% use both application protocol testing and web application firewalls to meet the PCI 6.6 requirement. It is by far the most popular method, with the application protocol testing only option a distant second at 12%.

Other categories included outsourcing, external scans, patch management, code audits, HIDS (host intrusion detection system) and NIDS (network intrusion detection system).

Extended Validation

An Extended Validation (EV) secure sockets layer (SSL) certification provides a more stringent validation process than the typical SSL certification, assuring customers that their data is safe with the seller during the purchase process. Certificates protect an organization's transactions with its customers by encrypting sensitive data during transmission from customer to seller, including payment card numbers. See Figure 1 for an example of EV SSL certification representation.

Figure 1: EV SSL-Certified Website

Of the 30% of organizations that use EV SSL, most reported using the approach to increase consumer shopping confidence (63%). In addition, Chart 16 shows that slightly more Level 2-4 organizations (68%) adopted EV SSL than Level 1 organizations (63%).

BEST PRACTICE
No single point solution can provide complete security and PCI DSS validation. Ensure the highest level of payment security and compliance status by deploying multiple security controls, which also address compliance with the PCI DSS 6.6 requirement.
Payment Security Costs

The cost of managing payment security varies by organization, organization level, and perceived importance of security within each environment. Understanding the impact of a payment security approach to overall payment security management costs requires an analysis of infrastructure and technology costs, as well as cost of personnel.

Infrastructure and Technology Costs

Organizations were asked about their annual spend on infrastructure and services in 2010, excluding staff. These costs include services (remote tokenization and storage, compliance auditing, etc.), encryption products/licenses (encryption generating software, encryption key storage, etc.), and systems (storage, databases, etc.) associated with management.

Overall, Level 1 organizations adopting an on-site strategy spent more on infrastructure and services (Chart 17) than those using a remote strategy (Chart 18). As a comparison, 60% of those with an on-site approach spent under $0.5M as opposed to 75% of those with a remote strategy.

Level 2-4 organizations' spend on payment security management was the same regardless of whether an on-site or remote approach was utilized.
Personnel Costs

Using reported FTE and industry data for personnel costs (includes salary, benefits, training expenses, and related personnel management costs), estimates of personnel costs were derived for each strategy and organizational level. Level 1 organizations with an on-site strategy, on average, spend nearly $1.7M annually on personnel costs compared to those using a remote strategy, which spend approximately $1.1M, a difference of nearly $0.6M per year (see Chart 19).

Level 2-4 organizations with an on-site strategy spend, on average, a little over $1.5M versus those using a remote strategy that spend $1M annually, a difference of nearly $0.5M (see Chart 19).

Total Payment Security Costs

By combining reported infrastructure costs and calculated personnel costs, the impact of payment security practices on the total cost of management can be assessed (see Chart 20). According to the data compiled in this survey, Level 1 organizations using an on-site strategy will spend, on average, nearly 75% more per year on payment security than those organizations using a remote strategy. The same trend holds for Level 2-4 organizations, albeit on a smaller scale. Level 2-4 organizations adopting an on-site approach spend $0.3M more annually on payment security versus those adopting a remote approach.
Payment Security Management Trends

Trends in Data Capture Practices

Survey results indicate that more organizations will be capturing payment data remotely over the next 24 months across all sales channels (online, call center, and POS), for both Level 1 and Level 2-4. The results are shown in Chart 21 and Chart 22. The largest increases are in Level 2-4, where online adoption jumps from 38% to 48% and POS from 21% to 32%.

The trend to reduce the exposure to raw payment data can be attributed to two primary factors. First, moving payment data out of the environment reduces PCI DSS scope. Second, rendering raw payment data inaccessible to internal sources reduces the risk of payment data being stolen by employees.

Both Level 1 and Level 2-4 organizations expect to reduce staff access to raw data in call center and face-to-face environments over the next 24 months, with Level 1 doing so at a higher rate than Level 2-4 (see Chart 23 and Chart 24).
Trends in Data Storage Practices

More organizations are considering a move to storing payment data remotely with a PCI DSS-certified service provider (versus on-site). Half of the organizations surveyed indicated shifting to a remote strategy over the next two years (see Chart 25). The shift to remote storage may be due to the desire to reduce the risk and impact of a security breach on the organization's brand. When analyzing results by organization level, both Level 1 and Level 2-4 organizations see similar gains in remote strategy adoption.
Trends in Back-office Practices

Organizations expect visibility of payment data in the back-office to decline over the next two years. However, Level 1 organizations still expect to operate with higher levels of payment data visibility than their Level 2-4 counterparts (see Chart 26).
Complexity, Cost, Time & Resources

Organizations were queried about their expectations regarding the cost and complexity of managing payment security in the future. Overall, over half of the organizations said cost, complexity and resource requirements would increase (see Chart 27).
Conclusion

Despite the expectation that cost, resource requirements, and technical complexity will increase over the next 24 months, managers continue to seek ways to boost efficiency in each area. And the reason is clear: inadequate protection of customer payment data can have a detrimental effect on the organization's business. The payment data management strategy deployed must help reduce complexity, resource dependency, and costs while increasing efficacy and reducing PCI DSS scope.

Survey results indicate a general trend for many organizations to move towards a remote payment security strategy. While an on-site strategy is currently preferred by larger organizations, organizations using this strategy also report higher investments in systems and devices, a higher level of staffing, and longer time frames to validate compliance. Organizations using remote strategies report lower expenses in these areas and the ability to achieve PCI DSS validation in a shorter time frame.
Report and Survey Methodology

The CyberSource and Trustwave Payment Security Practices and Trends Report, developed in association with the Merchant Risk Council (MRC), is based on a survey of organizations residing and trading in North America. Organizations that participated in this survey offered products or services to customers spanning the government, education, non-profit, business and consumer sectors. Most respondents were either ultimately responsible for, or had significant influence on, policy and security management decisions.

The survey was conducted via online questionnaire by handl Consulting and completed by 117 participants between December 6, 2010 and January 31, 2011.
Resources and Solutions

CyberSource
CyberSource payment security solutions include Payment Tokenization, Hosted Payment Acceptance, and Automated Account Updater.

Eliminate Capture and Transmission Risk: Using CyberSource's Hosted Payment Acceptance service, you can accept and process payment data without the data ever touching your network.

Eliminate Payment Data Storage Risk: Payment tokenization gives you the ability to secure your payment data in CyberSource's PCI DSS-certified datacenters, removing the use of raw payment data from your network by exchanging that data for a payment token, useless to hackers and devious employees.

Reduce Back-office Risk: Format-preserving tokens make it easy for customer service and back-office staff to perform tasks without exposure to payment data. Automated account updater services automatically update billing and account-on-file records, reducing the need for staff to interact with customer payment data during updates or billing failures.

CyberSource Payment Management Solutions

Global Payment Services: Sell anywhere in the world by accepting the payment types preferred in local markets. Transact in over 190 countries and fund in 21 currencies. Worldwide and country bank cards, PIN-less debit, debit cards, bank transfers, direct debits, Bill Me Later, PayPal, subscription/recurring billing, real-time global tax calculation, and dynamic currency conversion.

Fraud Management: Close your threat window while keeping good customers happy. When faced with multiple ongoing and changing fraud threats, the ability to quickly detect and deter these attacks without impacting your customers has a direct bearing on your bottom line. CyberSource Decision Manager provides automated fraud screening, rule console, case management system and analytics.

Trustwave
Trustwave is a global provider of payment security and PCI DSS compliance solutions.

Payment Security: Trustwave's End-to-End Encryption and Tokenization solutions protect payment card data in motion and while stored to simplify security infrastructure and reduce the scope of PCI compliance.

PCI DSS Compliance: Trustwave offers unmatched resources and experience in guiding customers through the process of PCI DSS compliance, from initial scheduling of your review to final preparation of documentation. As the global leader in PCI DSS compliance solutions and services, Trustwave offers comprehensive compliance programs for acquiring banks and ISOs, payment service providers, POS providers, and merchants of all sizes.

Comprehensive Data Security: Trustwave offers a robust portfolio of best-in-class data security products, including:
Award-winning, patented technology, including encryption, data loss prevention, network access control, application security, and security information and event management
Managed security services to reduce the management burden of a comprehensive data security program
Industry-leading security research and expertise from Trustwave's SpiderLabs
Glossary of Terms

On-site strategy: Payment data is managed and secured during capture, transmission, and storage using your own staff, systems and infrastructure that could be owned, leased, or licensed by your company.

Remote strategy: One or more service providers manage payment data security on your behalf. This could include technologies such as hosted payment tokenization or end-point encryption with remote data storage, and hosted payment acceptance where the cardholder data is captured directly by the payment network via a hosted order page or interactive voice response system.

Payment data: Data that facilitates the payment transaction process. Includes credit or debit card numbers, name, address, and telephone number.

Organization Level, as defined by the PCI Security Standards Council:
Level 1: Merchants processing over 6 million transactions annually across all channels.
Level 2 - 4: Merchants processing less than 6 million transactions annually across all channels.

Tokenization: Replacement of sensitive data with a unique identifier that cannot be mathematically reversed.

Encryption: Conversion of data into a form that cannot be easily understood by unauthorized personnel. Requires a key to decode the data.

Hosted Payment Acceptance: A PCI DSS-certified third party hosts the payment data fields displayed on your website, then captures, transmits, and stores that data outside your network.

Payment Service Provider: Entity that offers organizations online services for accepting electronic payments through a variety of payment methods including credit card, bank-based payments, and online banking.

PCI DSS Requirement 6.6: For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
Installing a web-application firewall in front of public-facing web applications

PCI DSS Requirements: See Chart 31
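The glossary's distinction between tokenization (a random identifier that only a vault lookup can resolve) and encryption (data a key can mathematically reverse) is the property that takes the token-holding systems out of scope. The following added example, which is not code from the report or from CyberSource or Trustwave, sketches a format-preserving token vault; the PAN validation, the preserved last four digits and the Luhn-failing tokens are assumptions of the example.

```python
import secrets
import string

# Constructed illustration; not CyberSource's or Trustwave's implementation.


def luhn_valid(digits: str) -> bool:
    """Luhn check used to validate a PAN before it is tokenized."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps PANs to random, format-preserving tokens.

    A token has the PAN's length and character class, so it fits existing
    fields, but it is drawn at random: nothing about the PAN can be computed
    from it, and the only way back is a lookup in this vault. That is what
    separates it from encryption, where a key mathematically reverses the data.
    """

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 12 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]  # one card, one stable token
        while True:
            # Assumptions of this example: keep the last four digits for
            # back-office lookups, randomize the rest, and reject candidates
            # that pass Luhn so a leaked token can never pass as a live PAN.
            body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault resolves a token; an unknown token raises KeyError."""
        return self._token_to_pan[token]
```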
CyberSource North America
CyberSource Corporation HQ
Phone: 650.965.6000
Fax: 650.625.9145
Email: [email protected]
CyberSource Europe
CyberSource Ltd
Phone: +44 (0) 118 929 4840
Fax: +44 (0) 870 460 1931
Email: [email protected]
CyberSource Japan
CyberSource KK (Japan)
Phone: +81-3-5774-7733
Fax: +81-3-5774-7732
Email: [email protected]
CyberSource Asia Pacific
CYBS Singapore Pte Ltd
T: +65 6499 2000
F: +65 6437 5879
Email: [email protected]
Trustwave North America
Trustwave Corporate HQ
70 West Madison Street, Suite 1050
Chicago, IL 60602
Phone: 312.873.7500
Fax: 312.443.8028
Email: [email protected]
Trustwave European Headquarters
Westminster Tower
8th floor
3 Albert Embankment
London SE1 7SP
Phone: +44 (0) 845 456 9611
Fax: +44 (0) 845 456 9612
Trustwave Asia-Pacifc Headquarters
Level 26
44 Market Street
Sydney NSW 2000
Australia
Phone: +61 2 9089 8870
Fax: +61 2 9089 8989
Trustwave Latin America Headquarters
Rua Cincinato Braga, 340 n 71
Edifício Delta Plaza
Bairro Bela Vista
São Paulo SP
CEP: 01333-010
BRASIL
Phone: +55 (11) 4064-6101
About CyberSource
CyberSource, a wholly-owned subsidiary of Visa Inc., is a payment management company. Over 330,000 businesses worldwide use CyberSource and Authorize.Net brand solutions to process online payments, streamline fraud management, and simplify payment security. The company is headquartered in Mountain View, California with international offices in Reading, U.K.; Singapore; Tokyo; and the Middle East. CyberSource operates in Europe under agreement with Visa Europe. For more information, please visit www.cybersource.com or email [email protected].

For More Information
Call 1.888.330.2300
Visit www.cybersource.com

About Trustwave
Trustwave is a global provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper compliance management software and other proprietary security solutions including WAF, NAC, SIEM and EV SSL certificates. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, Asia and Australia. For more information, visit https://www.trustwave.com.

For More Information
Call 1.888.878.7817
Visit www.trustwave.com