We all know the following – data breaches are not going away. It’s the smart criminal’s theft of choice. Why smash and grab for Louis Vuitton bags when you can charge up millions on stolen cards? On Wednesday, the Ponemon Institute and IBM released their annual Cost of Data Breach Survey. The Survey confirms the prevalence of breaches but also details the rising costs to retailers and enterprises. The Survey found the per-capita cost of a data breach (the cost per compromised record) increased to $217 in 2015 from $201 in 2014. Plus, the average total cost of a data breach increased to $6.5 million from $5.8 million in 2014. PCI P2PE? Yes, please.
The Survey, which was conducted by Ponemon and sponsored by IBM, polled 350 companies in 11 countries. All respondents had experienced a data breach at some point, involving anything from 2,200 to more than 100,000 compromised records.
Main factors contributing to the increased cost of data breaches in recent years, according to the report, included the increased incidence of cyber attacks and the growth in the lost business that can result. In fact, according to the report, the cost associated with lost business has increased from an average of $1.33 million in 2014 to $1.57 million in 2015. Included in this number are both direct and indirect costs, such as customer turnover, increased customer-acquisition activities, reputation losses and diminished goodwill.
By now, most retailers and enterprises should “get” it, right? Look no further than the continued monetary losses and negative news around major companies that have suffered a breach. These companies serve as a cautionary tale of what happens with a large-scale breach – money-wise and customer-wise.
Yet despite the statistics, there is still an “it can’t happen to me” mentality (or worse, an “it can’t happen to me twice” mentality). Not only can it happen to any company of any size, it can happen in any industry. Thieves go where the data is, regardless of whether you sell high-end electronics, kids’ clothing or health insurance – or, in the case of the IRS, process tax payments.
At Bluefin, we advocate a holistic approach to payment security that includes:
- PCI-validated P2PE to encrypt data in motion from the time the card is swiped or dipped, to the point where it is decrypted in Bluefin’s secure PCI-compliant hardware environment.
- EMV to authenticate the physical card being used – and to authenticate the consumer.
- Tokenization to “mask” card numbers that are stored by merchants for recurring billing, subscription payments, and card on file payments.
In our opinion, you cannot have one of these security solutions without the other two. And why PCI P2PE? PCI P2PE solutions have been fully vetted and audited by the PCI SSC and PCI P2PE QSAs as following strict chain-of-custody and management controls for payment devices, users and locations. The benefit is a third-party stamp of approval – and with that comes reduced PCI scope and assessment effort, per the Council. And as a leading provider of PCI P2PE, we offer products for mobile, retail and call center, all backed by our proprietary online management system for attestation and compliance, the P2PE Manager.
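To make the tokenization item in the list above concrete, here is an added example (not Bluefin’s code and not the P2PE Manager) of the division of labour it implies: the merchant keeps only a token for card-on-file billing, and only the vault on the processor side can turn that token back into a card number. The `TokenVault` and `MerchantCardOnFile` classes, the vault’s in-memory dictionary (a real vault would keep PANs encrypted under HSM-held keys), and the card number used are all constructed for this illustration; the card number is the well-known Visa test PAN, not a real cardholder’s card.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed test card number (the widely used Visa test PAN), not a real cardholder's card.
TEST_PAN = "4111111111111111"


def luhn_valid(digits: str) -> bool:
    """Luhn check used by card networks; real PANs pass it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for the tokenization service that lives outside the merchant environment.

    This is the only component that ever holds a PAN beside its token. A production vault
    keeps the PAN column encrypted under HSM-managed keys; this example uses an in-memory
    dict so it runs offline.
    """

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("input does not look like a PAN")
        while True:
            # Keep the BIN (first 6) and last 4 for routing and display; randomise the middle.
            middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 10))
            token = pan[:6] + middle + pan[-4:]
            # A token must never be mistaken for a card number: reject candidates that equal
            # the PAN, that pass the Luhn check, or that are already in use.
            if token != pan and not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (the processor side) can map a token back to the PAN."""
        return self._pan_by_token[token]


@dataclass
class MerchantCardOnFile:
    """Merchant-side storage for recurring billing: holds tokens, never PANs."""

    vault: TokenVault
    _token_by_customer: Dict[str, str] = field(default_factory=dict)

    def store_card(self, customer_id: str, pan: str) -> str:
        token = self.vault.tokenize(pan)  # the PAN leaves the merchant immediately
        self._token_by_customer[customer_id] = token
        return token

    def masked_display(self, customer_id: str) -> str:
        """Last four digits are enough for the customer to recognise the card."""
        return "**** **** **** " + self._token_by_customer[customer_id][-4:]

    def recurring_charge_request(self, customer_id: str, amount_cents: int) -> dict:
        """What the merchant sends to the processor: a token, not a card number."""
        return {"token": self._token_by_customer[customer_id], "amount_cents": amount_cents}

    def stored_values(self) -> List[str]:
        return list(self._token_by_customer.values())


def demo() -> dict:
    """Walk one card through storage, display and a recurring charge."""
    vault = TokenVault()
    merchant = MerchantCardOnFile(vault)
    token = merchant.store_card("cust-42", TEST_PAN)
    request = merchant.recurring_charge_request("cust-42", 1999)
    # Processor side: resolve the token to the PAN in order to authorise the charge.
    pan_at_processor = vault.detokenize(request["token"])
    return {
        "token": token,
        "display": merchant.masked_display("cust-42"),
        "pan_in_merchant_storage": TEST_PAN in merchant.stored_values(),
        "processor_recovers_pan": pan_at_processor == TEST_PAN,
    }


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the token is random rather than derived from the PAN, so a stolen token table reveals nothing about the card numbers behind it, and the vault deliberately discards any candidate token that passes the Luhn check, so a format-preserving token can never be confused with a live card number by downstream systems or scanners.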
But not every breach is about payment information. The disturbing fact is that thieves favor “rich” records like those found in healthcare, where the data includes information that can facilitate identity theft – driver’s license numbers, Social Security numbers and dates of birth. Shoring up our payment systems is only one part of the equation. The other part is ensuring that *all* sensitive consumer information, when stored, is fully encrypted and only decrypted outside of the enterprise’s environment.
There is no single fix that prevents data breaches and the theft of data. But the good news is that the increased awareness has brought more security solutions to the market, enabling businesses to arm themselves effectively.