Buried in back offices and data centers across the country, far from consumers’ eyes, is a network of transmission lines and storage facilities responsible for getting your card information from point A to point B every time you make a purchase. A few years ago, companies in the industry got together and implemented security rules for businesses to follow so your data doesn’t fall into the wrong hands. But a new study uncovers the scary truth about these rules: Almost nobody follows them.
A study conducted by Verizon Business’s Risk Team found that only 21 percent of companies met the security standards on an initial evaluation, says Jen Mack, director of global PCI (payment card industry) services for Verizon. “That’s the scary part. The standard is a bare minimum and organizations are still struggling to meet it,” she says. On average, businesses met only about three-fourths of the standards.
“We see the most amount of fraud happening in the retail and financial services industries,” Mack says. The growth of online shopping has been a boon for criminals, leading to a rise in what experts call “card not present” fraud. Also, retailer practices, like not asking for signatures on small-ticket transactions and failing to lock down Wi-Fi connections, present tempting opportunities for tech-savvy crooks offline as well as online.
Organizations do a particularly lousy job when it comes to protecting stored customer data. Only 43 percent of those studied by Verizon got a passing grade. Mack says another area where companies fall short is in keeping their security practices and policies up to date. Hackers are continually evolving and improving their methods, so companies that handle customer card information and adopt what Mack calls a “set it and forget it mentality” are putting consumer data at risk.
“It’s frankly impossible for the consumer to know” whether or not any given company will put their data at risk, says Philip J. Blank, managing director at Javelin Strategy & Research. Even if a company is vigilant about data security, the company to which they outsource their payment processing might not be. “In almost every case these standards deal with infrastructure-type issues that consumers aren’t aware of,” Blank adds.
So what can you do to protect your card information in this veritable Wild West of data security? Blank says there is one step you can take to cut down on the risk that a hacker will go on a shopping spree with ill-gotten account information. “I would set an alert on my card to catch card-not-present fraud,” he advises. “Every time there’s a card-not-present transaction, have the issuer send you a text message.”
If someone besides you tries to use your card, you can immediately call the issuer and let them know that your account has been compromised.