We had an interesting conversation today about the past few weeks’ data breaches – and how, as the first P2PE provider in the U.S. to be validated by PCI in March, we’ve already had conversations with some of the companies that are showing up in the news.
And for various reasons, several have decided to hold off on implementing P2PE – product roadmap is too cramped, IT is preoccupied with the October 2015 EMV deadline, or in some cases, companies don’t want to spend additional money on security.
To that, we just shake our heads when a breach does happen, because Ponemon and Symantec have reported that a breach costs an enterprise or merchant $188 per consumer record – not per transaction (can you even imagine?). So if there are 120,000 unique consumers that use the same card every time they shop at a store, a breach of those 120,000 records could cost about $22.5 million.
From a security standpoint, in our opinion, if implementing P2PE cost even 5% of what a breach costs a company (which it doesn’t), we would think that most retailers would be willing to move a roadmap so that they are “insured” in the case of a breach.
But we’ve come to the conclusion that additional security is a bit like life insurance. We may know that we all need it – because let’s face it, no one is going to live forever – but there are competing financial priorities. Even though the average cost of life insurance is just $5 per month, and 85% of consumers agree that most people need life insurance, just 62% say they have it.
Our thought is that P2PE is “insurance” against the loss of card data if a breach occurs…which unfortunately may be inevitable for any U.S. company: big, small, convenience store, department store, grocery, auto, it doesn’t matter. While a breach is not as inevitable as death, if the biggest companies in the U.S., like Home Depot and Target, can be compromised, any company can. And thieves don’t care if they get credit card data from Johnny’s Corner Automotive, Tina’s Dry Cleaners, or a major chain. Credit card data will sell on the black market regardless of where it came from.
Bluefin’s Chief Innovation Officer, Ruston Miles, will be speaking at this week’s The Money Event on P2PE, EMV and NFC and at this month’s Merchant Advisory Group annual summit on P2PE, EMV and Tokenization. Why so many technologies? Because while we are huge advocates for P2PE for WHAT it protects and WHERE (cardholder data encrypted at the point of entry), there is no silver bullet for security.
Watching NBC and CBS national news last night reporting on the Home Depot breach and hailing EMV as if it will all of a sudden magically put an end to these breaches is laughable to those who understand the industry – and plain insulting to the everyday consumer who, a year and a half from now, is looking at their credit card statement and wondering why, if they used their Chip and PIN, $15,000 worth of electronics was just charged to their credit card.