Many merchants assume that data compromise only happens to large companies. While you may have heard about several large-scale merchant compromises in the media, hundreds of small-merchant compromises happen every year that are not made public.
The majority of data compromises happen to merchants who process fewer than 1 million transactions annually.
Internet-connected businesses of all sizes face the same threat. Cyber-criminals use the same techniques to hack small businesses that they use to attack large companies. To prevent compromises, small Internet-connected merchants must apply the same data security principles used in large-scale corporations.
Stolen data results in fraud and reduced card use
Stolen card data is the primary source of credit card fraud and credit card fraud hurts everyone. Merchants suffer when their goods and services are purchased with stolen credit card data, as the card brands may cancel payment on these fraudulent transactions. Consumers lose confidence when their card data is stolen and are less likely to make future purchases.
Because merchants are typically not aware at the time card data is stolen, it often takes weeks, months, and sometimes years for a merchant to learn of a data breach. As a result, by the time a merchant learns of a compromise, fraudulent card use has likely already begun.
Payment Card Industry Data Security Standard
The Payment Card Industry Data Security Standard (PCI DSS) was created to protect consumers, merchants, processors and banks from data compromise.
The PCI DSS is a set of requirements for the security of payment card information. These requirements were developed by the PCI Security Standards Council (PCI SSC), which was founded in 2006 by the major card brands (Visa International, MasterCard Worldwide, JCB International, Discover Financial Services, and American Express).
A merchant’s card handling practices and processing environment determine which portion of the PCI DSS applies to their business. Some merchants must validate their compliance with all of the PCI DSS; others may only have to meet a portion of the requirements.
All merchants that process, store, or transmit cardholder data are required to comply with the PCI DSS.
The PCI SSC has authorized a select set of security vendors to help merchants ensure their proper compliance with the PCI DSS.
Merchant consequences of a data compromise
Forensic investigation fees
When a business is compromised, one or more of the card brands may require a forensic investigation by an approved vendor. A forensic investigation involves the following actions:
- Determining which systems require investigation
- An onsite investigation performed by an approved PCI Forensic Investigator (PFI)
- Creation of forensic reports for the merchant bank and the card brands
The average forensic investigation is four weeks long and requires: 1) employee labor, 2) access to company data, and 3) the engagement of a forensic team. Forensic investigation costs vary with the investigator, the size and complexity of the systems being reviewed, the extent of the compromise, and any other fees the investigator requires. These costs typically range from $12,000 to over $100,000 per investigation.
The card brands require that vulnerabilities found in the forensic investigation be remediated. Updating security requires employee labor as well as IT professionals to make the necessary hardware, software, and network modifications. On average, this costs over $2,000.
Card brand compromise fees
The card brands may fine the acquiring bank for the merchant data compromise, but this fine is almost always passed on to the party responsible for the point of the breach—the merchant. The compromise fees will vary depending on the following conditions:
- Number of cards compromised
- State of your security systems at the time of the breach
- Your responsiveness to report and remediate the breach
These fines are relative to the scope of the breach, but typically start around $5,000 with the potential to exceed $500,000 from each card brand.
Card reissuing and monitoring fees
In the event card data is compromised, banks must determine the extent to which they will issue new cards to replace the ones that have been stolen, and monitor accounts where there is the suspicion of fraudulent charges. The cost associated with these actions may be passed on to the merchant responsible for the breach.
For example, MasterCard may require up to $25 to reissue cards to customers and $5 to monitor accounts where no card was reissued.
When a merchant is compromised, card brands may require the acquirer to help pay for fraudulent charges against the stolen cards, normally calculated as chargeback costs. The acquirer may pass these costs on to the merchant. Depending on the credit limits and the number of cards stolen, these penalties have the potential to be enormous, as stolen cards may remain in circulation long after the breach. One small merchant recently reported nearly $450,000 in fraudulent use of stolen cards. These penalties are relative to the size and scope of the breach and are at the discretion of the card brands.
Card brand non-compliance fees
In addition to compromise penalties and fines from the card brands, each card brand requires compliance with their security program to protect card data. These programs are listed below:
- Visa, Cardholder Information Security Policy (CISP)
- MasterCard, Site Data Protection Plan (SDP)
- JCB, JCB Data Security Program
- Discover, Discover Information Security & Compliance (DISC)
- American Express, Data Security Operating Policy
Enforcement of these programs, and the fines associated with them, depends on the card brand and its policies. MasterCard, for example, may assess noncompliance fines of up to $100,000 per violation for breaching its “Wrongful Disclosure and Failure to Safeguard Account Data” regulation. According to Visa, members not PCI compliant at the time of a compromise may be subject to fines of up to $500,000 per incident.
Lost business & damage to customer confidence
A recent survey found the following consumer reactions in the event of a data compromise:
- 55% of breach victims lost serious trust in the company responsible for their data being stolen
- 30% of victims state that they would never purchase products from the company again
- 29% would never maintain any relationship with the organization in the future
A separate study concluded that up to 70% of the cost of a compromise is revenue loss. While revenue losses of this magnitude may hurt a large corporation, they would be devastating to a small company.
How do I prevent a card compromise?
The best way to prevent a data compromise is to comply with the PCI DSS. Non-compliant merchants are responsible for over 99% of all data compromises. PCI DSS compliance dramatically reduces your risk and limits your potential liability in the event of a compromise.