Data Breach Response Guide for Merchants
Responding to a Data Breach Communications Guidelines for Merchants
It all comes down to one word: TRUST. 
How merchants respond to data breaches can build or damage hard-earned trust and corporate reputation.
• A 2008 survey of U.S. consumers found that an average of 79 percent cite loss of trust and confidence in any business they deal with as a consequence of a security or privacy breach.
• An October 2008 consumer confidence survey found that 74 percent of U.S. consumers would not shop where they feel their financial or personal information may be at risk.
Because data compromises are often complex, it is challenging to make the rapid communication decisions needed to mitigate the potential harm of a breach. These situations are often further complicated by the reality that every data breach is different and there may be no precedent within your organization for responding. But the stakes for handling a breach effectively couldn’t be higher, and the impact to your business — depending on a variety of factors — can be huge. 
The impact of a poorly handled breach can reach throughout your business in both the short and long term: bad press, lost sales, mitigation and litigation, as well as the uphill battle to rebuild your reputation.
Although it is true that every data compromise has its own challenges and extenuating circumstances, there are some good basic communications principles that can be applied to most data breach situations. This booklet is intended to provide some best-practice guidance for merchants on how to think about, prepare for and respond to data breaches.
The best line of defense is a thorough and ongoing data security program. This document presumes that your company has extensive prevention measures in place but also recognizes the critical need for every company to be prepared to communicate in the event of a data breach. These are not requirements from Visa but are merely best practices for your consideration.


2013 Global Security Report by Trustwave


Top 5 Compromised Industries

1 Retail and

2 Food & Beverage

The retail space saw a 15% increase in 2012 compared to 2011, nearly equal to the 17% drop in Food & Beverage breaches. Over the past three years, these two have been almost interchangeable, with similar network layouts due to the payment systems and software vendors used. In these industries, security often becomes an afterthought until a breach is identified.

3 Hospitality

Three years ago, Hospitality was hardest hit by far. This industry has made significant strides to resolve data security issues. The majority of Hospitality breaches this year were actually at Food & Beverage locations within the building and not necessarily in the Hospitality Management System (HMS). The reason for this is twofold: The Food & Beverage systems are usually easier to compromise and more payment cards are used in these establishments (as the HMS is limited to the guests staying at that hotel).This is not to say that an HMS is more secure than Food & Beverage systems.  A successful HMS breach may include data from an “interface” server that combines the HMS with the hotel’s Food & Beverage and Retail locations (e.g., gift shop), harvesting significantly more data.

4 Financial Services

A small increase for Financial Services highlights the fact that attackers are continuing to look at central aggregation points like payment processors and merchant banks as viable targets. The Payment Card Industry Data Security Standard (PCI DSS) has made comprehensive security controls more commonplace in larger organizations. Therefore, the organizations become more difficult to compromise. This by no means indicates that attackers have given up on these high-dollar targets, simply that they are better defended, presenting a bigger challenge to would-be intruders. The logical progression for attackers will be to hit the next stop in the payment card industry (PCI) flow: the banks. If attackers are able to breach financial intuitions such as payment gateways or merchant processors, the payoff would be huge.

5 Nonprofit

The increase in attacks on Nonprofit has several potential causes. Attacks could be based on beliefs (personal, religious or political), or they could simply be financial targets, considering that many of these organizations typically do not have the funds to spend on security. 

Download The Report