New Survey Released By RSA The Security Division Of EMC Reveals An Inconsistent State Of Credit Card Data Security Across Latin America

RSA, The Security Division of EMC (NYSE: EMC), today announced the results of a survey of Latin American businesses regarding the state of credit card data security within their organizations – and the plans those businesses have for new data protection measures.

Conducted by RSA in early 2008, the survey was designed to gain a view into how organizations are currently storing and protecting credit card data. The PCI DSS is a best practices framework that applies to all organizations that collect, process or store credit card information. Created by the major payment card brands, the standard is global in scope, and designed to ensure the security of consumer credit card data throughout the information lifecycle.

The survey results from 164 businesses across the region highlight a diverse state of affairs:

• In contrast to the findings of a similar poll conducted by RSA in the United States in 2007, the length of time that Latin American businesses store sensitive credit card authentication data broadly meets PCI DSS requirements
• Credit card data resides in multiple layers throughout the information infrastructure – such as databases and point-of-sale systems – indicating that major challenges lie ahead in preventing data loss
• A significant number of organizations have yet to deploy basic information security enforcement mechanisms
• While only approximately half of those surveyed were aware of the PCI DSS, the majority of those have already taken steps to meet the requirements – and many are prepared to fully comply by late 2008

Possessing and Storing Valuable Credit Card Data

Storing all the information found on a credit card creates the highest level of risk, as this information, in its entirety, can be used to create counterfeit credit cards. Once a transaction has been authorized, the PCI DSS forbids the storage of key authentication data include the full magnetic stripe data, PIN information and the CVV (Card Verification Value) code. Encouragingly, most of the RSA survey respondents (81%) follow the PCI standard by not storing full magnetic stripe data and slightly more (83%) never store CVV codes. This contrasts with the results of a similar poll conducted in the U.S. in 2007, which revealed completely different results.

The respondents in Latin America identified which systems within their companies’ networks store, process or transmit credit card data. The results showed a significant spread of credit card data across many layers of the information infrastructure, creating the potential for short- and long-term challenges in preventing data loss. Survey respondents noted that the most common locations for credit card data include: databases (37%); internal applications (34%); point-of-sale (POS) systems (24%); storage systems (21%); files and folders on servers (12%); unstructured documents such as spreadsheets (12%); and email (9%).

Mechanisms to Protect Credit Card Data: Technology and the Human Factor

Alarmingly, only about half of the respondents have deployed basic information-centric security technologies to help protect sensitive credit card information. Just 46% of the respondents’ companies encrypt stored credit card data; 49% do not encrypt the data at all. When asked whether or not their organizations track or monitor all access to systems within their cardholder environment, responses were split (48% in each case), indicating that almost half of the organizations represented in the poll have limited knowledge of who has access to this critical information.

Providing secure remote access for employees, partners and contractors to company networks containing credit card data helps to reduce the risk of exposure. While many survey respondents (43%) have deployed two-factor authentication – such as token-based security or certificates – more than half (52%) have taken a risk in providing no such authentication technology.

The survey showed that a majority of respondents (60%) follow best practices by only allowing access to credit card information to between one and ten people in total. Another 20% reported that their organizations allow such access to between 10-100 employees – and 15% indicated that this access is provided to more than 100 individuals. Although best practices show that credit card data is much more secure when fewer people have access to it, some organizations require that more personnel are provided access based on the size of their operations.

Also, establishing corporate policies to address the security of credit card data within an organization is critical to avoiding its loss. While the survey indicated that about half (47%) of the respondents’ companies have such a credit card data policy in place, an equal amount do not have any formal policies at all.

Awareness and Plans for Meeting PCI DSS Guidelines