E-commerce merchants are tightening credit card data security and planning to move the data from their networks to third-party vendors in order to reduce security risks, data storage and compliance costs.
According to a survey by Visa’s CyberSource unit and Trustwave, nearly 70 percent of e-commerce merchants were not motivated by the threat of fines for non-compliance with the Payment Card Industry Data Security Standard to tighten security, but instead acted on their own in order to protect their brand, InfoSecurity-US.com reports.
Only 26 percent of respondents said the penalties for PCI DSS non-compliance were the reason for increased credit card security.
Many respondents admitted that they felt that the threat of payment data theft from the inside is just as strong as the threat from external hackers.
“People are seeing the threats from internal and external forces as the same,” Rosa Luis, a solutions manager for payment security at CyberSource, said, InfoSecurity-US.com reports. “That makes a lot of sense, because the data is readily available and easy to access for internal employees. So if you have credit card information on your network, employees have much more visibility into that than the external hacker.”
Outsourcing credit card data processing and storage saves merchants on infrastructure costs. Merchants that do not capture, transmit or store data within their own network have a lower overall cost of payment for security management.
“Companies that are using a remote strategy, and not doing things internally, are actually having much more success in reaching PCI DSS compliance in a shorter period of time,” Luis said, InfoSecurity-US.com reports. “So 87 percent of the companies that are using a remote strategy are complying in 20 weeks or less, whereas only 79 percent of companies that are using an on-site strategy are complying with PCI DSS in the same amount of time.”
Tokenization has become a popular strategy for merchants to avoid storing credit card information in-house, InfoSecurity-US.com reports. With tokenization, a credit card number is replaced by a surrogate value that represents the card number but cannot be used to determine the number.