SECURE CUSTOMER DATA: ARE YOU AND YOUR CUSTOMERS AT RISK?



CONTENTS

1.0 EXECUTIVE SUMMARY

2.0 THE REAL COST OF DATA BREACHES TO THE RETAIL SECTOR

2.1 Cost of Reputation

3.0 DATA BREACHES IN EUROPE AND THE DACH REGION

4.0 WHAT HAPPENS TO YOUR CUSTOMER’S DATA?

4.1 PCI DSS

4.2 Consumer Confidence

4.3 The DACH ECommerce Market

5.0 3 WAYS TO REDUCE THE CHANCE OF A DATA BREACH

6.0 CONCLUSION

7.0 GLOSSARY

8.0 SOURCES

9.0 ABOUT SECURE TRADING


1.0 EXECUTIVE SUMMARY

Cases of cyber attacks and data breaches are an increasingly frequent occurrence affecting all kinds of businesses, big and small. While many of us are aware of those involving large brands such as TalkTalk, Target, Sony, and even the Bundestag, many less well-known organisations and online retailers are also victims of this crime.


In fact, IT security experts believe that it is not a question of ‘if’ your business will suffer a data breach, but ‘when’. The inevitability of a data breach means that online retailers and digital businesses need not only to take preventative measures to reduce the opportunity for a cyber attack, but also to find ways to limit the damage a data breach could cause.

This means addressing the key causes of a data breach (a malicious or criminal attack, a system glitch or human error) and also implementing robust measures to identify data breaches early and put response plans into action fast.

In this whitepaper we will be exploring the impact of data breaches on eCommerce business in the DACH region, and the wider European Community. We will also be looking at ways to protect your business and your customers’ data, reducing the risk of cyber attacks and the consequences for your business.


2.0 THE REAL COST OF DATA BREACHES TO THE RETAIL SECTOR

In the 2015 Cost of Data Breach Study: Global Analysis [1], by IBM and Ponemon Institute, the average total cost of a data breach for the 350 companies contributing to this research increased from $3.52 million to $3.79 million.

This benchmark research is of particular interest to retailers in the DACH region: it found that the average per capita cost of a data breach in Germany is $211, second only to the US’s $217 and well above the global average of $154. The average total organisational cost in Germany is $4.9 million, again higher than the global average.

According to this research, the retail industry’s average per capita cost has also increased dramatically, from $105 in 2014 to $165 in 2015.

While these figures provide compelling enough reasons to instigate preventative measures to protect your customer data, let us look at how these costs break down and what specific expenses are incurred if your business suffers a data breach:

• Investigation: Whether carried out in-house or by an external provider, a forensic team needs to determine how the system was compromised and what data was affected. A third party forensic investigation can cost anywhere from $200 to $2,000 per hour;

• Remediation: Having identified how the breach happened and ensured that there is no malware still undetected in the system, measures need to be taken to prevent a similar breach from occurring again. Germany spends $224 per record to resolve a malicious or criminal attack [1];

• Notification: Depending on your business and the nature of the data breach you must notify those affected. You may also need to notify industry regulators, the media and the police. Notification to customers must be through first-class post unless they have opted in to electronic correspondence, a significant cost to the business;

• Identity-theft repair and credit monitoring: While your business does not legally have to provide credit or identity monitoring services to help customers deal with the fallout of personal data being compromised, to help restore the organisation’s reputation it should be considered. As a result of last year’s TalkTalk data breach in the UK, customers have been offered a year’s worth of credit monitoring by the telecoms giant;

• Business disruption: System downtime prevents normal business activities; for online retailers this may mean that eCommerce websites are down and transactions cannot be processed. Resources may also have to be diverted to dealing with the data breach, and key employees taken away from their core competencies;


• Lost sales: This may include an abnormal customer churn, increased customer acquisition activities, reputation losses and diminished goodwill;

• Fines and compensation: Depending on your industry, your organisation may be subject to fines from regulators. Those affected by the data breach may also be eligible for compensation, or you may be at risk of legal action and the costs associated with that;

• Recovery of assets: These may include lost data, and corrupted software or systems;

• PR campaigns: It may be necessary to initiate a public relations campaign to mitigate against loss of reputation and customer churn.

2.1 COST TO REPUTATION

Alongside the financial costs of rectifying a data breach, damage to an organisation’s reputation can be a significant and often unquantifiable cost.

High profile data breaches are likely to make consumers think twice about sharing their card details and personal data with those online retailers affected, and this can make the acquisition of new customers a substantial challenge. Businesses may initially need to instigate a damage limitation exercise with a PR campaign, and then invest more in advertising and marketing to improve their brand image and rebuild confidence in their services.

Customer loyalty will also be affected, resulting in some customers taking their business elsewhere. Online retailers and digital businesses will need to address this through their customer relationship management strategies, offering incentives to keep subscription customers on board, and discounts and offers to entice consumers back to their online stores.


3.0 DATA BREACHES IN EUROPE AND THE DACH REGION


While no country or region is exempt from cyber attacks and data breaches, in the DACH region there are specific challenges for IT security professionals. The IBM / Ponemon benchmark research [1] puts Germany in fourth place behind the Arabian region, India and the US for the highest number of lost or stolen records (24,103), with 54% of these being the result of a malicious or criminal attack.

A Frost & Sullivan market study, The Professionals’ Perspective: Cyber Security in the DACH Region [2], concluded that the biggest challenges for IT professionals in the DACH region are a shortage of personnel and a lack of resources. This has a significant impact on the ability of organisations to improve data breach prevention, and highlights a need to invest in training and in advanced analytics solutions and threat intelligence services.

The graphic below shows the most common security threats in the DACH region, identified in this report, with ‘CE’ denoting Core Europe:

[Bar chart: MOST COMMON SECURITY THREATS IN DACH. Share of respondents (0% to 80%) naming each threat, broken down by CE (Core Europe), CH, DA and DACH overall. Threats charted: Payment Card Skimmers, POS Intrusions, Physical Tampering, Use of Stolen Cards, RAM Scrape Software. Source: 2]


In brief, here is how those specific security threats can impact on retailers:

• Payment card skimmers: This device is fixed to an ATM or a payment card terminal, to obtain credit or debit card data, including the PIN.

• Point Of Sale Intrusions: Retailers are most at risk from this kind of security threat, where cyber attackers compromise the computers or servers that run POS applications.

• Physical Tampering: These are web-based attacks where certain parameters in an organisation’s URL are changed so that when a customer visits the site they are unaware of any differences, but their personal data can then be compromised.

• Use Of Stolen Cards: The consequence of this security threat is that retailers have to meet the costs of chargebacks when the consumer realises their payment card details have been stolen.

• RAM Scraper Software: Another POS threat used to steal card payment data.

In more general terms, IT security professionals identified the following as their top security threat concerns:

[Bar chart: TOP SECURITY THREAT CONCERNS IN DACH. Share of respondents (0% to 80%) naming each concern, broken down by CE (Core Europe), CH, DA and DACH overall. Concerns charted: Application Vulnerabilities, Mobile Devices, Malware, Configuration Mistakes. Source: 2]


4.0 WHAT HAPPENS TO YOUR CUSTOMERS’ DATA?


Most data breaches target payment card and bank data that can then be used to convert into cash quickly. Consumers’ personal data may also be targeted as a gateway to gain access to other data, for example in the case of telephone scams or email phishing attacks.

Consumers are generally well protected from card payment fraud. When they spot an anomaly on their account they can request a chargeback from their card company, which in turn will pass this cost and fees on to the retailer. Chargebacks can have an adverse impact on a retailer’s business, potentially withdrawing their ability to take a particular type of credit card, or even closing their merchant bank account. This so-called ‘friendly fraud’ can have serious implications for online businesses.

In some cases consumers may be eligible for compensation for financial loss and the associated distress caused by the improper processing of their personal data. This may result in a court action, where the consumer will need to prove that the data protection act in their region has been breached and that damages should be awarded. The onus will be on the business or retailer to show that it has either not breached the act, or has taken reasonable care to comply with it.

Data protection is regulated by different authorities in different countries. In Germany it is primarily regulated by the Federal Data Protection Act (Bundesdatenschutzgesetz); in Austria, the Austrian Data Protection Authority (Datenschutzbehörde); and in Switzerland, the Swiss Federal Data Protection Act (DPA).

4.1 PCI DSS

PCI DSS is a set of comprehensive and universal security standards for all organisations handling cardholder data. Consumers are increasingly aware not only of the existence of PCI DSS but also of the protection it gives them when shopping online. For online retailers the costs needed to ensure IT security, risk management and regulatory compliance can be excessive, which is why using a payment service provider and a hosted payment page can be an effective solution, taking the business entirely out of PCI DSS scope.


4.2 CONSUMER CONFIDENCE

With high profile stories of data breaches making the news on an increasingly frequent basis, consumers have become more aware of the risks associated with sharing their payment card and personal details online, and of data protection issues.

In a survey by Deloitte [3], 83% of consumers said they were aware of recent security breaches of data held by retailers, and 59% stated that a single data breach would negatively impact their likelihood of buying from an affected retailer again.

In the EU’s Eurobarometer survey [4], EU citizens put ‘becoming a victim of fraud’ as the most serious risk associated with sharing their personal information online. This was followed by their ‘online identity being used for fraudulent purposes’ and their ‘information being used without their knowledge’ as major concerns that impact on their willingness to share this information online.

4.3 THE DACH ECOMMERCE MARKET

The DACH region has a relatively mature eCommerce market, with Germany, Switzerland and Austria ranking in the top three in Central Europe for eCommerce sales [5]:

Ranking in Central Europe by eCommerce turnover (EUR million):

• Germany - €71,200

• Switzerland - €12,717

• Austria - €11,685


5.0 3 WAYS TO REDUCE THE CHANCE OF A DATA BREACH


There are two key aspects to dealing with a cyber attack or data breach. The first is to put in place preventative measures to protect your business and your customers’ data. The second is to have a far-reaching data breach response plan.

While a comprehensive response plan is only put into action if your business suffers a data breach, it can have a positive impact on the consequences of a data breach, both for your customers and for your online business.

But first, what measures can you take to protect your business and customers’ data?

1. Security Risk Assessment: Before implementing any preventative measures you should first assess where you may be at risk. Having identified any weaknesses you can then find the best solution for protecting those areas.

2. Data Protection Policies: One essential aspect of preventing a cyber attack is to ensure that employees, contractors and suppliers are aware of your organisation’s risk management boundaries, and the acceptable and secure use of your organisation’s ICT systems. Data Protection Policies need to be clearly communicated, regularly reviewed and all parties trained accordingly.

3. Only Keep Essential Data: It may be possible to mitigate against a data breach by removing or minimising the amount of data you store. For example, level 1 PCI compliant payment services providers can take payment card data out of your business and into their secure environment.
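As an added example (not code from the whitepaper or from Secure Trading), the tokenisation approach behind step 3 and the glossary’s TOKENISATION entry, in Python: the provider-side vault (PspVault, a hypothetical stand-in for the PSP) holds the PAN, the retailer’s order store keeps only a random token and a masked PAN, and a scope self-check confirms that no full PAN is stored; the card number used is a constructed test value.

```python
# Added example, not from the whitepaper: tokenisation as data minimisation.
# PspVault, MerchantOrderStore and the sample card number are constructed.
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check used by card schemes; catches typos, not fraud."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS permits displaying at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class PspVault:
    """Stands in for the PSP's PCI DSS level 1 environment (hypothetical)."""

    def __init__(self) -> None:
        self._pans = {}  # token -> PAN; this mapping never leaves the PSP

    def tokenise(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        # Random token: carries no information about the PAN, so a leaked
        # merchant database exposes nothing a thief could reuse elsewhere.
        token = secrets.token_hex(16)
        self._pans[token] = pan
        return token

    def detokenise(self, token: str) -> str:
        """Only the PSP calls this, at authorisation time."""
        return self._pans[token]


class MerchantOrderStore:
    """What the online retailer actually persists after tokenisation."""

    PAN_PATTERN = re.compile(r"\b\d{13,19}\b")

    def __init__(self) -> None:
        self.orders = []

    def record_order(self, order_id: str, token: str, masked_pan: str) -> None:
        self.orders.append({"order": order_id, "token": token, "card": masked_pan})

    def holds_cardholder_data(self) -> bool:
        """Self-check of the kind a PCI scope review performs: is any stored
        field a full, Luhn-valid PAN? True means the store is in scope."""
        return any(
            luhn_valid(c)
            for order in self.orders
            for value in order.values()
            for c in self.PAN_PATTERN.findall(value)
        )


def checkout(vault: PspVault, store: MerchantOrderStore, order_id: str, pan: str) -> str:
    # Merchant-side flow: hand the PAN to the PSP once, keep only the token.
    token = vault.tokenise(pan)
    store.record_order(order_id, token, mask_pan(pan))
    return token
```

The self-check is only a cheap sanity test for the merchant's own store; actual PCI DSS scope is determined by the assessment, not by this script.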

Businesses will also need to familiarise themselves not only with their country’s data protection laws, but also with new EU legislation set to come into force in 2018. The EU General Data Protection Regulation and the Directive on Payment Services [6] form part of the EU’s Digital Single Market strategy, and seek to reduce cyber security attacks and mandate strict data breach notification processes in Europe.


6.0 CONCLUSION

While regulators and governments are tightening up data protection legislation and meting out hefty fines to those businesses that do not take reasonable care of their customers’ data, the impact on business is much more profound than the financial costs of fines and compensation. Loss of business as a result of a data breach, and even more so the loss of reputation and trust, provide compelling reasons to put preventative measures in place.

At Secure Trading we employ a host of cyber security measures to prevent payment card fraud and data breaches, including our ACI/ReD service Protect Plus product, PCI DSS compliance, penetration testing, social engineering, 3D Secure and tokenisation.

If you would like to discuss best practices for keeping your customers’ data safe, contact a member of the Secure Trading team and benefit from our extensive experience in this area of cyber security.

London: +44 (0) 808 274 3229

Email: [email protected]


7.0 GLOSSARY OF TERMS

3D SECURE

3D Secure is an XML-based protocol designed to be an additional security layer for online credit and debit card transactions.

ALTERNATIVE PAYMENT METHODS

These refer to payment methods used as an alternative to credit or debit cards. They include charge cards, prepaid cards, direct debit, bank transfers, phone and mobile payments, money orders and cash payments.

CHARGEBACK

This is the demand from a credit card company or bank for a merchant to make good the loss on a fraudulent or disputed transaction. Also known as ‘friendly fraud’.

DIGITAL PAYMENTS

Payments made online from a merchant’s eCommerce website. For the purposes of this whitepaper ‘digital payments’ refers to transactions involving the purchase of digital, non-material, goods.

DIGITAL SINGLE MARKET

This is a European Commission initiative to use the Internet and digital technologies to create jobs and contribute an estimated €415 billion per annum to the European economy.

ECOMMERCE

eCommerce (electronic commerce) refers to the buying and selling of goods and services, or the transmitting of funds or data, over an electronic network, primarily the Internet.

EMV

EMV is the global standard for credit and debit payment cards based on chip and PIN card technology. It takes its name from the card schemes Europay, MasterCard and Visa, the original card schemes that developed it.

FALSE PROFILING

False profiling occurs when fraud prevention tools prevent genuine customers from making transactions. This may be because the rules that determine when to block a transaction do not include positive profiling.

PAYMENT SERVICES PROVIDER

A payment services provider facilitates transactions securely between a customer and a merchant.

PCI DSS COMPLIANCE

The Payment Card Industry Data Security Standard regulates the storage of card data by all organisations in the payment network.

PROTECT AND PROTECT PLUS

Secure Trading’s counter-fraud solutions. ‘Protect’ is included in payment processing APIs. ‘Protect Plus’ is available for customers requiring an enhanced level of fraud protection.

TOKENISATION

Tokenisation replaces sensitive data (the PAN, or primary account number) with a token that can then be securely stored and transmitted to a payment service provider.


8.0 SOURCES

1. http://nhlearningsolutions.com/Portals/0/Documents/2015-Cost-of-Data-Breach-Study.PDF

2. https://www.isc2cares.org/uploadedFiles/wwwisc2caresorg/Content/Professional%20Prespective%20DACH%20Region-English.pdf

3. http://www2.deloitte.com/us/en/pages/about-deloitte/articles/press-releases/building-consumer-trust.html

4. http://ec.europa.eu/justice/data-protection/files/factsheets/factsheet_data_protection_eurobarometer_240615_en.pdf

5. http://www.ecommerce-europe.eu/press/2015/european-e-commerce-turnover-grew-by-14.3-to-reach-423.8bn-in-2014

6. http://ec.europa.eu/justice/data-protection/reform/index_en.html


TO FIND OUT MORE ABOUT OUR FRAUD SERVICES OR SECURE TRADING’S OTHER PAYMENT MANAGEMENT SOLUTIONS, CONTACT OUR SALES TEAM: [email protected]

9.0 ABOUT SECURE TRADING

Secure Trading is an integrated payments services company – a single point of contact for card acquiring, payment processing and PCI compliance and cyber security services.

Established in 1997, Secure Trading’s specialist service helps businesses of all sizes across a whole spectrum of industries achieve success online. Our worldwide footprint and network ensure that we can deliver tailored solutions to even the biggest international companies, while our uncompromising focus on customer service means that thousands of businesses across the retail, gaming, digital entertainment and financial sectors trust us to give their customers the best possible online experience, 24/7. Our high-performance payments platform has an unrivalled 100% uptime record, while our multi-acquiring network ensures businesses can operate internationally with ease. With both payment processing and card acquiring services we can provide businesses with an end-to-end solution, reducing the complexity of setting up online. We also offer complementary bespoke cyber security services and PCI compliance certification.

Headquartered in the UK, US and Malta, Secure Trading is your payment partner. www.securetrading.com


Web: http://www.securetrading.com/digital-entertainment
