Preventing a damaged reputation, more so than cost, is what drives online merchants to improve their data security and comply with industry standards. And more merchants are starting to use third parties to store their payments data to improve security and protect their reputations, new research suggests.
In a online survey of 117 merchants of all sizes CyberSource Corp. and Trustwave conducted in December and January, 69% of respondents said protecting their brand or revenue was the primary purpose behind their payment-security investment, while 26% said they invested to avoid bank fines (see chart).
CyberSource’s 2011 Payment Security Practices and Trends Report, released July 19, identifies several negative effects of security breaches, including a tarnished brand caused by the subsequent media attention. Some 50% of the stories written about an organization affected by a breach are devoted to coverage of the breach, according to CyberSource, which is owned by Visa Inc.
Merchants also can lose customers after notifying them of a breach because they lose confidence in the retailer and change their buying behavior, according to the report, which found that 55% of consumers affected by a breach will have less trust in the breached organization, and about 30% will stop buying from that company.
Breaches also negatively affect stock prices, as organizations can lose from 0.63% to 2.1% in their stock value when they report a security breach, according to the report.
“The key driver is brand protection,” Rosa Luis, CyberSource solutions marketing manager in payments security, tells PaymentsSource. “It’s a really good indication of where we’re going today, as there has been a big push for compliance in the past few years.”
Merchants are moving from housing their data in-house, where it could be breached, to PCI-certified third parties, where the information also can cost less to maintain, Luis notes. “What we’re seeing is that those companies that use onsite [means] to prevent breaches are spending more on personnel and infrastructure than if they were outsourcing,” she says.
Over the next 24 months, more organizations will move payment data from their own environment to reduce security risks, according to the report. Of the very large merchants in the Payment Card Industry Data Security Standard Level 1 category surveyed that already had moved payment data, 75% are spending less than $500,000 on their payment-security infrastructure, while only 60% of those that keep data in-house spend less than that amount, according to CyberSource.
Overall, merchants are focusing more on doing business and letting PCI-compliant third parties take care of security, James Paul, Trustwave senior vice president of global compliance, tells PaymentsSource.
“One of the things we see in the field is that merchants are becoming more and more critical of what their core skills are, and often it doesn’t include payment security,” he says. “They need to focus on their business and leave security and compliance to the outsourced service providers.”
