A recent survey of over 500 US and other MNCs has revealed that they are
still struggling with consumer data security, possibly because that is not a top
priority for them. It is both surprising and saddening that in the land where
security is a national paranoia and said to be above everything else,
organizations have not been able to come to grips with it. We must not forget
that US is also the country where there have been data security standards in
place for a few years now.
Conducted by a Ponemon Institute in the US, this survey threw some very
interesting yet alarming results. More than 70% companies surveyed agreed that
consumer data security is not a top strategic initiative. Over 55% companies
accepted that they secure only crucial credit card data of the consumer and not
other information like social security, drivers license, and bank account, and
other details about consumers and their families. The difference between large
and small companies was stark according to the survey. Only 28% of smaller
companies actually comply with PCI as opposed to 70% of larger companies.
The PCI-DSS (Payment Card Industry's Data Security Standard) is a guideline
for all businesses that handle credit card information for protecting consumer
data, and has been in place since June 2005. The research report also states
that despite PCI-DSS being there for sometime now, data breach and credit card
fraud cases have only been going up, except for those places where businesses
have taken it up at a strategic level.
The survey recommends some practical initiatives that can go a long way in
enhancing security for the consumer as well as the company that it deals with.
For instance, there can be a company's security compliance logo for consumers so
that consumers' general awareness about security goes up, and they also know
about security compliance status of the retailers they do business with. And the
need for a company champion who owns and drives security in the company, and is
strongly empowered to direct numerous teams for support. Surely companies should
ultimately be able to leverage their investment in security compliance. It is
very easy to pass the blame on businesses, but another interesting finding of
the survey is that only 23% of the respondents believed that PCI-DSS compliance
is positively contributing to their organizations' security. Surely a lot of
work in terms of creating awareness and working out the right solutions is
required to be done by vendors, before they can accuse businesses of been
complacent.
This survey might be a reflection of the state of affairs in the US, but I
believe that it will have a great relevance for a country like India, where the
role of IT in retail is going up significantly. The use of all sorts of smart
cards including credit and debit cards is on the rise here, and unless Indian
business gear up for security challenges, we will see big disasters happening.
Ibrahim ahmad
ibrahima@cybermedia.co.in