In the realm of payment card data security, 2011 qualifies as the year in which “more” became a key term on many levels.
More vendors created more security devices and defense mechanisms, and more merchants became more aware that more defense mechanisms were needed. Unfortunately, more organized crime rings got more involved in unleashing more hacking attacks on payment networks. And, even worse, their attacks got more sophisticated.
Though final security breach reports for 2011 will not be compiled until next year, industry experts take solace in knowing that one key area of data security is not defined by “more.” Though more attacks were launched, the number of breached payments records worldwide has fallen steadily the past few years, from a reported 361 million in 2008 to less than 4 million in 2010, according to Verizon Communications and U.S. Secret Service reports.
That decline illustrates the growing attention the industry is paying to security and constitutes a silver lining because of new products and new Payment Card Industry Security Standards Council guidelines and requirements. And that awareness translates into making things tougher for criminals seeking access to payment networks, Julie Conroy McNelley, senior analyst and fraud expert with Boston-based Aite Group, tells PaymentsSource.
“We’ve seen the defenses steadily progressing,” McNelley says.
Online merchants this year bolstered their website and payment-system security, making it a major development that helped boost consumer confidence in making online payments, she adds.
But bad guys also quickly can create and launch new attacks, increasing the number of malicious software and generic Trojan strains designed to attack systems, McNelley warns.
The year resulted in much security debate, spurred along by the Wakefield, Mass.-based PCI council’s initiatives and Visa Inc.’s push last summer to bolster security by offering U.S. merchants incentives to reduce PCI compliance fees if they met deadlines to convert to the EMV contact and contactless cards common in Europe.
In addition, the Smart Card Alliance released a report in February indicating the U.S. was closer to handling the payments network changes needed for EMV conversion than most experts in the industry may have thought.
In an indication of growing security awareness, Visa earlier in the year had revealed its own study showing a high percentage of payment-service providers were improving their PCI compliance.
The PCI council in August also released guideline information to clear up confusion over compliance for the tokenization security process.
It seemed every expert wanted to weigh in on encryption–an indication the defense mechanisms were becoming more sophisticated in response to the growing security threats. But the debate centered on encouraging business owners to deploy layers of defense instead of relying on advanced encryption as a final security answer.
Mobile-payment security moved to the forefront seemingly overnight. As mobile-payment devices became prolific, so, too, did the need for defense mechanisms to keep them safe. The PCI council announced in October it would offer testing for encryption use in new mobile devices manufacturers were developing or merchants were using.
While card data security at call centers (
To that end, the PCI council in November announced that special interest groups would study online and cloud-computing security in 2012 to establish security compliance requirements and standards.
The year resulted in merchants starting to catch up to banks in terms of security awareness, McNelley says. “The good news is that we are slowly seeing businesses become more aware of the threatening security landscape,” she says.