More than any type of sensitive data, transactional and payment card information is actionable. Both legitimate and malicious parties have devoted enormous resources to collecting data such as credit card numbers, as well as information about buying habits and histories.
On the legitimate end, many businesses have translated this broader knowledge of customer behavior into more effective marketing campaigns. However, protecting the sensitive information that fuels these efforts is a complex obligation, one that can sometimes strain the resources of businesses of all sizes, exposing them to the risk of data breaches.
While breaches involving names and addresses are certainly damaging to both an individual privacy and corporate reputation, incidents of stolen payment card data and Social Security Numbers often have more immediate consequences, easily escalating into identity thefts. A recent report from Javelin Strategy & Research demonstrated the strong link between the two phenomena, and while the revelation may come as no surprise to the cybersecurity community, it highlights the challenges that remain in securing payments.
With mobile payments and online retail also becoming pillars of retail, consumers, businesses and cybersecurity professionals must do more to cover all bases. Following sensible compliance frameworks and best practices will be essential to stemming the tide of identity theft.
Report finds strong link between stolen payment card data and identity theft
Last year, 16 million Americans were notified that their payment card data had been breached. Of that group, more than 25 percent also suffered identity theft, demonstrating the increasingly high stakes of protecting transactional and personally identifiable information from cybercriminals.
At the same time, not all data breaches are created equal. Lifted payment card data and Social Security Numbers enabled identity theft at a higher clip than stolen checking account numbers and online banking username/password combinations. Twenty-eight percent of the more than 4 million SSN data breach victims in 2012 suffered identity theft facilitated by that data.
Moreover, some industries were more likely to be the target of cybercriminal campaigns on this front than others. The healthcare, finance and retail sectors all face particular challenges that make them prime targets for data breaches that lead to identity theft. For example, healthcare providers are increasingly investing in electronic health records, while retailers have constructed intricate IT systems to support payment cards. Given the size and scope of these organizations’ clienteles, damage from breaches is often wide-reaching and varied, ranging from lawsuits to decreased customer retention..
“By breaching the data stores of businesses in the financial, healthcare and retail industries, criminals can obtain the fuel they need to execute various fraud schemes, and these crimes have crippling consequences,” stated Javelin senior analyst Al Pascual. “Identifying and protecting the sensitive information typically stored by these industries is essential for mitigating the risk of a data breach and, therefore, the risk of financial loss to data custodians, consumers and third-party businesses.”
However, in many cases these breaches are not solely the result of concerted cybercriminal effort. Rather, loose organization and classification of data frequently contributes to incidents since it creates confusion about the relative vulnerability of data assets, as well as the responsibility for protecting them.
A closer look at using classification to address data protection issues in retail
More specifically, retailers demonstrate how cybersecurity efforts can sometimes be derailed by a combination of complex compliance obligations and organizational oversight. The holiday shopping season, which compresses huge numbers of transactions into days like Black Friday and Cyber Monday, only exacerbates these issues, making the case for improved approaches to securing payment data.
A Florida TV station chronicled the identity theft risks that arise in November and December, when shoppers make numerous purchases both online and offline. Lax website security or unattended personal information may give thieves access to information such as SSNs, which can be used to impersonate others. Some consumers have witnessed massive tax returns wrongly issued in their names by the Internal Revenue Service, while others have noticed anomalous events in their credit card histories.
In retail, identity theft is a particularly nuanced issue since it is caused by both consumer habits and business practices. While some shoppers may not be the most diligent about checking for website SSL or keeping personally identifiable information under wraps, organizations also sometimes fall short in properly handling data on the backend, despite their obligations under the Payment Card Industry Data Security Standard. The rise of mobile and Internet payments has already pushed organizations in Europe to draft new security frameworks, potentially adding an extra layer of regulation on top of an already challenging compliance issue.
“Storing unprotected primary account numbers violates payment card industry guidelines, but retailers can lose track of where and how [the numbers] are being stored,” stated the Javelin report. “The unprotected storage of PANs for chargeback management, fraud analytics, or marketing purposes plays directly into the hands of criminals. PCI-related fines that are imposed on breached retailers can have high impact, especially for smaller merchants, but these are dwarfed by the dollar losses that can result from the fraud committed with breached payment card data.”
Retailers’ situation illustrates the fine line between proactively using consumer data to boost business and leaving it overly exposed to risk. Businesses need not abandon analytics altogether, but extra caution may be advisable. Assets should be classified according to their risk levels and given protections appropriate to their profiles.
What consumers and businesses can do to guard against identity theft
Encryption, usage policies and stronger access management are some of the fundamental steps that organizations in all sectors can use as building blocks for safer payment environments. In many cases, seeking the help of PCI DSS and perimeter security experts will go a long way to getting better insight into IT systems, which ultimately leads to improved cybersecurity and compliance.
For consumers, personally identifiable information requires careful handling. Using a password manager to automatically generate and store complex credentials can protect against attackers who exploit weak login security. Similarly, using a shredder to destroy documents, keeping antivirus software up-to-date and being mindful of where sensitive data is stored all contribute to a stronger front against identity thieves.
While identity theft appears to be on the rise, its prevalence is the product of changeable habits and behaviors. With a clear mind toward protecting transactional and payment card data, businesses and consumers can ensure that payments systems are both efficient and secure.
