New Survey Released By RSA, The Security Division Of EMC, Reveals An Inconsistent State Of Credit Card Data Security Across Latin America
With Payment Card Industry Data Security Standard (PCI DSS) deadlines to meet, Latin American businesses reveal practices that range from ‘concerning’ to ‘promising’ in how they are protecting consumers’ credit card information
RSA, The Security Division of EMC (NYSE: EMC), today announced the results of a survey of Latin American businesses regarding the state of credit card data security within their organizations – and the plans those businesses have for new data protection measures.
Conducted by RSA in early 2008, the survey was designed to gain a view into how organizations are currently storing and protecting credit card data. The PCI DSS is a best practices framework that applies to all organizations that collect, process or store credit card information. Created by the major payment card brands, the standard is global in scope, and designed to ensure the security of consumer credit card data throughout the information lifecycle.
The survey results from 164 businesses across the region highlight a diverse state of affairs:
- In contrast to the findings of a similar poll conducted by RSA in the United States in 2007, the length of time that Latin American businesses store sensitive credit card authentication data broadly meets PCI DSS requirements
- Credit card data resides in multiple layers throughout the information infrastructure – such as databases and point-of-sale systems – indicating that major challenges lie ahead in preventing data loss
- A significant number of organizations have yet to deploy basic information security enforcement mechanisms
- While only approximately half of those surveyed were aware of the PCI DSS, the majority of those have already taken steps to meet the requirements – and many are prepared to fully comply by late 2008
Possessing and Storing Valuable Credit Card Data
Storing all the information found on a credit card creates the highest level of risk, as this information, in its entirety, can be used to create counterfeit credit cards. Once a transaction has been authorized, the PCI DSS forbids the storage of key authentication data, including the full magnetic stripe data, PIN information and the CVV (Card Verification Value) code. Encouragingly, most of the RSA survey respondents (81%) follow the PCI standard by not storing full magnetic stripe data, and slightly more (83%) never store CVV codes. This contrasts sharply with a similar poll conducted in the U.S. in 2007.
The respondents in Latin America identified which systems within their companies’ networks store, process or transmit credit card data. The results showed a significant spread of credit card data across many layers of the information infrastructure, creating the potential for short- and long-term challenges in preventing data loss. Survey respondents noted that the most common locations for credit card data include: databases (37%); internal applications (34%); point-of-sale (POS) systems (24%); storage systems (21%); files and folders on servers (12%); unstructured documents such as spreadsheets (12%); and email (9%).
Mechanisms to Protect Credit Card Data: Technology and the Human Factor
Alarmingly, only about half of the respondents have deployed basic information-centric security technologies to help protect sensitive credit card information. Just 46% of the respondents’ companies encrypt stored credit card data; 49% do not encrypt the data at all. When asked whether or not their organizations track or monitor all access to systems within their cardholder environment, responses were split (48% in each case), indicating that almost half of the organizations represented in the poll have limited knowledge of who has access to this critical information.
Providing secure remote access for employees, partners and contractors to company networks containing credit card data helps to reduce the risk of exposure. While many survey respondents (43%) have deployed two-factor authentication – such as token-based security or certificates – more than half (52%) have taken a risk in providing no such authentication technology.
The survey showed that a majority of respondents (60%) follow best practices by allowing access to credit card information to between one and ten people in total. Another 20% reported that their organizations allow such access to between 10 and 100 employees, and 15% indicated that this access is provided to more than 100 individuals. Although best practices show that credit card data is much more secure when fewer people have access to it, some organizations grant access to more personnel because of the size of their operations.
Also, establishing corporate policies to address the security of credit card data within an organization is critical to avoiding its loss. While the survey indicated that about half (47%) of the respondents’ companies have such a credit card data policy in place, an equal share have no formal policies at all.
Awareness and Plans for Meeting PCI DSS Guidelines
While the deadlines for PCI compliance – and fines for non-compliance – have not yet been broadly enforced in Latin America, the deadlines have passed in other parts of the world where Latin American companies conduct business (the U.S. deadlines expired in November 2007). Almost half of the Latin American survey respondents (47%) were aware of the standard, but slightly more (48%) were not yet aware at all. Of those who were aware of PCI DSS:
- The vast majority (74%) responded that they have taken steps to comply with its requirements, but some (18%) have yet to take any action
- More than one third (35%) were ahead of the curve and either already compliant or expecting to be compliant within six months
- One quarter of respondents (25%) anticipated compliance within 6-12 months, and a slightly smaller share (17%) expected to be compliant within 1-2 years. A small group of respondents (16%) had no timeframe in place.
“We are encouraged that many businesses in Latin America are moving in the right direction and have already taken preventative measures to protect their customers’ credit card information. However, for most organizations, the technology challenges, which include establishing processes, policies and enforcement mechanisms, are still quite apparent,” said Roberto Regente, Director, Latin America, at RSA, The Security Division of EMC. “We are confident that these companies will succeed in meeting credit card security standards by taking a holistic approach to information risk management. This will help not only in meeting regulatory requirements, but also in accelerating their businesses and enabling them to achieve greater results.”
Facts about the Latin American Credit Card Data Security Survey Conducted by RSA:
- A total of 164 individuals from Latin American businesses responded to the RSA survey
- The majority of the responses were generated through an online survey of Latin American businesses in early 2008 (123 responses)
- A smaller sample (41 responses) was collected at an event in Mexico City
- The countries with the highest response rates included Mexico (39%), Brazil (24%), Argentina (9%), Colombia (7%), Chile (6%), Venezuela (3%), Peru (3%) and Ecuador (3%)
- This survey provides data relating to credit cards and debit cards
For full survey results please visit: http://www.rsa.com/company/news/releases/pdfs/LACCS_WP_0508_English.pdf
RSA, The Security Division of EMC, is the premier provider of security solutions for business acceleration, helping the world's leading organizations succeed by solving their most complex and sensitive security challenges. RSA's information-centric approach to security guards the integrity and confidentiality of information throughout its lifecycle - no matter where it moves, who accesses it or how it is used.
RSA offers industry-leading solutions in identity assurance & access control, data loss prevention & encryption, compliance & security information management and fraud protection. These solutions bring trust to millions of user identities, the transactions that they perform, and the data that is generated. For more information, please visit www.RSA.com and www.EMC.com.
RSA is either a registered trademark or trademark of RSA Security Inc. in the United States and/or other countries. All other products and/or services mentioned are products of their respective companies.