Businesses that process payment cards have risk points that non-merchants do not.

Exposures involving payment card data bring with them additional financial penalties, an entirely new set of compliance mandates and obligations to respond that are different from those used in conventional data breaches.

Businesses and the producers that serve them must recognize the differences between these disparate exposures, both in terms of risks as well as the strategies that should be followed before a breach occurs and after one is suspected.

What is a payment card breach?

Small businesses may not have a clear understanding of the differences between a data breach and a payment card breach. It's not uncommon for entrepreneurs to assume these are just two terms for the same event. But while both types of scenarios may be referred to as data breaches in news stories, many of the recent mega-exposures have actually fallen under the payment card breach umbrella. Unlike a data breach, which involves personally identifiable information and/or healthcare data, a payment card breach is any event where credit or debit card data — account numbers, accountholder names, credit card verification (CCV) codes and expiration dates — is exposed. The terms are not mutually exclusive, as some exposures include multiple types of information.

Entrepreneurs, even those with a good working knowledge of insurance practices and a commitment to carrying robust policies, may discover their payment card breach coverage isn't as inclusive as they thought it would be. Payment card exposures, once the assessments and increased legal and investigative costs are finally tallied up, are tremendously expensive.

Many carriers shield themselves from these exorbitant financial impacts by specifically excluding payment card breaches from their policies. Small businesses interested in obtaining coverage will want to work with a producer experienced in the arena who can connect them with a specialty policy solution. The coverage is generally quite costly, but merchants with a significant payment card transaction load may still choose to pay the premiums as a way to mitigate their risk.

Financial impacts in payment card exposures

Many of the potential costs that result from a data breach are well known among small business owners, including expenses associated with providing credit monitoring services to victims. Fines levied by regulatory agencies and victims' lawsuits are also sometimes thrown into the mix, depending on the nature and scope of the exposure. Payment card breaches, however, bring with them additional financial impacts. A number of these more unique expenses often come as a surprise to small businesses, even those that have endeavored to read and understand their payment card system's operating agreement and familiarize themselves with payment card industry (PCI) security mandates.

When the payment card activity that a company processes appears suspicious, a major card issuer such as MasterCard or Visa will flag the merchant account for review. The issuer then provides the business with a statement outlining the number of potentially fraudulent payment card transactions that have been attributed to that specific payment card system. This statement, rather than providing a detailed accounting of the concerns, is often just a single page and offers only a top-level review of the situation.

The assessment, investigative and response phases of a breach often leave small retailers facing large legal costs. (Photo: Shutterstock)

At this point, the business is now responsible for following the required steps outlined in its merchant agreement, all of which must happen in quick succession. An analysis of the suspected breach must be conducted by one of the country's few certified PCI forensic investigators. These firms, in high demand due to their very niche nature, are typically more expensive than companies hired to review standard data breaches. It's common for a payment card breach investigation to cost at least $10,000 for even the most basic research. Complex investigations run far higher.

If the results of the forensic investigation point to a security weakness on the part of the small business — in other words, if they aren't in compliance with PCI Data Security Standards and their noncompliance contributed to the breach — then the merchant is issued an assessment. The language in the payment card system contract provides the foundation for charging these assessments, but the calculations used to arrive at the final sum are convoluted. Some of the factors involved are kept secret and known only to the card issuers. It's nearly impossible for a business to know what their assessment charges may be until the final bill arrives, and the individual components of the assessment aren't always clear.

The assessment is just the beginning of a merchant's financial woes. Because the card issuers are in the driver's seat, the assessment, investigative and response phases of a payment card breach often leave small retailers facing larger legal costs than they might incur after a standard data exposure. Assistance typically offered by vendors and other business partners may not be available if those firms opt to extricate themselves from the relationship before their systems become targets in the investigation as potential weak points.

Next-level support mechanisms, such as those included in franchise agreements, have been known to evaporate as franchisors seek to separate themselves from a non-compliant franchisee. The small business must then fend for itself against a massive and well-financed card issuing entity.

Further complicating matters for small businesses is the cumbersome appeals process that follows an assessment. Because appeals are presented to the card issuers themselves — the very same group that levied the assessment originally — it's rare that appeals are upheld or assessments reduced. While appeal procedures may exist, the reality is that, unlike conventional data breaches, there is no workable method for successfully appealing any portion of an assessment.

Proactive steps

The best strategy a firm can adopt is to prevent a payment card breach from happening in the first place. A risk assessment of the business, carried out by an experienced expert, can often pinpoint potential vulnerabilities. This gives the merchant an opportunity to resolve problem areas, ensuring their compliance with PCI regulations and improving the security of their systems overall.

Something as simple as software that's out of date can give cyber hackers the opening they need to siphon off valuable payment card data, setting the small business up for big financial problems later. Remediation efforts don't need to be difficult or expensive, and they will almost certainly be less devastating to the bottom line than an assessment levied by a card issuer and all the resulting costs that come along with it.

Eduard Goodman is chief privacy officer at IDT911.
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.