69% of businesses invest in antifraud efforts in order to guard their reputations.
Brand protection inspires antifraud efforts, as 69% of businesses say the main reason they invest in payment security is to protect their reputations, according to a report released today by CyberSource and TrustWave. That dwarfs the 26% of businesses who said they invest in payment security to avoid fines that can result from unauthorized release of consumer payment card information.
The report is based on a survey of 117 businesses conducted from Dec. 6 to Jan. 31; the businesses sell products or services in areas ranging from government and education to consumer products. CyberSource is an e-commerce fraud control provider owned by Visa Inc. TrustWave sells payment security services to online retailers and other businesses.
Businesses invest to protect their brands because their reputations among consumers can sour after data breaches involving payment information, says Rosa Louis, CyberSource’s solution manager for payment security. For instance, a 2008 report from Javelin Strategy and Research found 55% of customers affected by a security breach said they likely would lose confidence in businesses that failed to protect data and change their buying behavior. And 30% said they would discontinue buying from that company in the future. “Companies like TJX and Sony do recover from their breaches, but they do so with a slight tarnish to their brand,” she says.
Louis says that while consumers often assume that most payment fraud stems from hackers operating outside businesses, the survey results suggest a more complicated reality. About a third of the business respondents believe the biggest risk of data loss comes from external hackers. Another third place the risk with employees, while another third worry equally about employees and hackers.
The risk of an internal breach is perceived as slightly higher (38%) among retailers who are Payment Card Industry (PCI) Level 1 certified than among smaller Level 2-4 merchants (35%). The Payment Card Industry Data Security Standard is a set of data security rules backed by the major card brands; merchants that fail to comply can be fined.
Louis says that heightened sense of internal risk might come from the need of larger businesses to employ relatively large staffs. “As companies put more barriers to get into their systems it makes getting this data profitable to anyone who can sell it,” says Louis. “That’s where the perception emerges that employees are just as likely to try to sell data comes from. Businesses are concerned that the danger comes from the inside.”
That perception is part of the reason businesses are changing how they store cardholder data. The report found that 57% of surveyed organizations store data on-site. Over the next two years, however, that percentage will drop to 49%. More Level 2-4 merchants (43%) store card data remotely than do Level 1 (38%) businesses. That’s because larger merchants don’t want to abandon the large investments they’ve made in developing their own proprietary systems, says Louis. “But as breaches become more rampant and cost companies money,” she predicts, “we’ll see a shift in that perception.”