Mexico City, Mexico - May 28, 2008 -
RSA, The Security Division of EMC (NYSE: EMC), today announced the results of a survey of Latin American businesses regarding the state of credit card data security within their organizations – and the plans those businesses have for new data protection measures.
Conducted by RSA in early 2008, the survey was designed to gain a view into how organizations currently store and protect credit card data, and how far along they are in meeting the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a set of security requirements that applies to every organization that collects, processes, transmits or stores payment card data. Created and maintained by the major payment card brands, the standard is global in scope and is designed to protect cardholder data throughout its lifecycle, from capture at the point of sale through processing, storage and disposal.
The survey results from 164 businesses across the region highlight a diverse state of affairs:
Possessing and Storing Valuable Credit Card Data
Storing all of the information found on a credit card creates the highest level of risk, because that information, in its entirety, is sufficient to produce a counterfeit card that will authorize. For that reason, once a transaction has been authorized, PCI DSS forbids storing sensitive authentication data: the full contents of the magnetic stripe (Track 1 and Track 2), PIN data and PIN blocks, and the CVV (Card Verification Value) code. Encouragingly, most of the RSA survey respondents (81%) follow the standard by not storing full magnetic stripe data, and slightly more (83%) never store CVV codes. This contrasts with a similar poll conducted by RSA in the U.S. in 2007, which produced markedly different results.
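The rule described above, that a merchant may keep what is needed for settlement and chargebacks but not the data that would let someone clone the card, is easy to state and easy to violate by accident (a debug log that dumps the whole authorization request is enough). The following is an added example, not code from the RSA release or from any PCI document: a small Python routine that takes a constructed authorization request, keeps only the fields PCI DSS permits after authorization, truncates the PAN to first six and last four digits (one of the methods the standard accepts for rendering stored PANs unreadable; encryption, keyed hashing or tokenization are the alternatives when the full PAN must be recoverable), and then scans the resulting record for any sensitive authentication data that leaked through. The Track 2 sample, approval code and PIN block are all constructed; the field layout of Track 2 (PAN, `=`, YYMM expiry, three-digit service code, discretionary data, `?`) is the standard ISO/IEC 7813 layout.

```python
"""Added example: sanitize a card authorization before persistence, PCI DSS style.

Not code from the RSA survey or from the PCI SSC. Sample data below is constructed.
"""
import re
from dataclasses import asdict, dataclass, is_dataclass
from typing import Dict, List, Optional

# ISO/IEC 7813 Track 2: ";PAN=YYMM SSS discretionary?"  (no spaces in the real string).
# The discretionary field is where the stripe's own card verification code lives, so it is
# sensitive authentication data and must never be persisted after authorization.
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)


@dataclass
class AuthorizationRequest:
    """Everything the terminal holds in memory while requesting authorization."""
    track2: str                        # raw Track 2 from the card reader
    cvv: Optional[str] = None          # code keyed in by the cashier
    pin_block: Optional[str] = None    # encrypted PIN block from the PIN pad (hex)
    amount_cents: int = 0


@dataclass
class StoredTransaction:
    """The card-related fields PCI DSS lets a merchant keep after authorization."""
    pan_masked: str      # first six + last four digits, rest replaced
    expiry: str          # YYMM
    amount_cents: int
    approval_code: str


def parse_track2(track2: str):
    """Split Track 2 into (pan, expiry, service_code, discretionary)."""
    m = TRACK2_RE.match(track2)
    if not m:
        raise ValueError("malformed Track 2 data")
    return m.group("pan"), m.group("exp"), m.group("svc"), m.group("disc")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation; catches misreads before a bad PAN is stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate to first six and last four digits, the most PCI DSS allows in the clear."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def naive_record(req: AuthorizationRequest, approval_code: str) -> Dict[str, object]:
    """The 'before' picture: persisting the whole request. Do not do this."""
    return {**asdict(req), "approval_code": approval_code}


def to_stored_record(req: AuthorizationRequest, approval_code: str) -> StoredTransaction:
    """Build the only record that should ever reach a database, file or log."""
    pan, exp, _svc, _disc = parse_track2(req.track2)
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check; refusing to store a misread card")
    return StoredTransaction(
        pan_masked=mask_pan(pan),
        expiry=exp,
        amount_cents=req.amount_cents,
        approval_code=approval_code,
    )


def leaked_sad(record, req: AuthorizationRequest) -> List[str]:
    """Report which sensitive authentication data values appear in a record about to be stored.

    Works on the dataclass or on a plain dict, so the same check can run over the
    sanitized record and over any legacy row or log line as a lightweight DLP rule.
    """
    fields = asdict(record) if is_dataclass(record) else record
    blob = " ".join(str(v) for v in fields.values())
    pan, _exp, _svc, disc = parse_track2(req.track2)
    leaks = []
    if pan in blob:
        leaks.append("full PAN")
    if disc and disc in blob:
        leaks.append("track discretionary data")
    if req.cvv and req.cvv in blob:
        leaks.append("CVV")
    if req.pin_block and req.pin_block in blob:
        leaks.append("PIN block")
    return leaks


if __name__ == "__main__":
    # Constructed sample: a well-known test PAN, made-up expiry, PIN block and approval code.
    req = AuthorizationRequest(
        track2=";4111111111111111=25121011234567890?",
        cvv="456",
        pin_block="A1B2C3D4E5F60718",
        amount_cents=1999,
    )
    print("naive record leaks:", leaked_sad(naive_record(req, "OK7788"), req))
    safe = to_stored_record(req, "OK7788")
    print("sanitized record:", safe, "leaks:", leaked_sad(safe, req))
```

The `leaked_sad` check is the part worth carrying into a real environment: run it (or an equivalent pattern match for 12 to 19 digit runs, `;...=...?` track strings and short numeric codes) against database columns, spreadsheets and mail stores, which is exactly the set of locations the survey found card data scattered across.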
The respondents in Latin America identified which systems within their companies’ networks store, process or transmit credit card data. The results showed a significant spread of credit card data across many layers of the information infrastructure, creating the potential for short- and long-term challenges in preventing data loss. Survey respondents noted that the most common locations for credit card data include: databases (37%); internal applications (34%); point-of-sale (POS) systems (24%); storage systems (21%); files and folders on servers (12%); unstructured documents such as spreadsheets (12%); and email (9%).
Mechanisms to Protect Credit Card Data: Technology and the Human Factor
Alarmingly, only about half of the respondents have deployed basic information-centric security technologies to help protect sensitive credit card information. Just 46% of the respondents’ companies encrypt stored credit card data; 49% do not encrypt the data at all. When asked whether or not their organizations track or monitor all access to systems within their cardholder environment, responses were split (48% in each case), indicating that almost half of the organizations represented in the poll have limited knowledge of who has access to this critical information.
Providing secure remote access for employees, partners and contractors to company networks containing credit card data helps to reduce the risk of exposure. While many survey respondents (43%) have deployed two-factor authentication – such as token-based security or certificates – more than half (52%) have taken a risk in providing no such authentication technology.
The survey showed that a majority of respondents (60%) follow best practice by granting access to credit card information to between one and ten people in total. Another 20% reported that their organizations grant such access to between 10 and 100 employees, and 15% indicated that more than 100 individuals have access. Although card data is far easier to protect when fewer people can reach it, some organizations do need to grant access to more personnel because of the size of their operations; the point is that the number should be driven by business need and reviewed, not left to accumulate.
Establishing corporate policies that address the security of credit card data is also critical to avoiding its loss, since encryption and access controls only hold up when someone is responsible for deciding where the data may live and who may touch it. While the survey indicated that about half (47%) of the respondents' companies have such a credit card data policy in place, an equal share have no formal policy at all.
Awareness and Plans for Meeting PCI DSS Guidelines
While the deadlines for PCI compliance, and the fines for non-compliance, have not yet been broadly enforced in Latin America, the deadlines have already passed in other parts of the world where Latin American companies conduct business (the U.S. deadlines expired in November 2007). Almost half of the Latin American survey respondents (47%) were aware of the standard, but slightly more (48%) were not yet aware of it at all. Of those who were aware of PCI DSS:
“We are encouraged that many businesses in Latin America are moving in the right direction and have already taken preventative measures to protect their customers’ credit card information. However, for most organizations, the technology challenges that include establishing processes, policies and enforcement mechanisms are still quite apparent,” said Roberto Regente, Director, Latin America, at RSA, The Security Division of EMC. “We are confident that these companies will succeed in meeting credit card security standards by taking a holistic approach to information risk management. This will help not only in meeting regulatory requirements, but also in accelerating their businesses and enabling them to achieve greater results.”
Facts about the Latin American Credit Card Data Security Survey Conducted by RSA:
For full survey results please visit: http://www.rsa.com/company/news/releases/pdfs/LACCS_WP_0508_English.pdf