Businesses that process payment cards have risk points that non-merchants do not.

Exposures involving payment card data bring with them additional financial penalties, an entirely new set of compliance mandates and obligations to respond that are different from those used in conventional data breaches.

Businesses and the producers that serve them must recognize the differences between these disparate exposures, both in terms of risks as well as the strategies that should be followed before a breach occurs and after one is suspected.

What is a payment card breach?

Small businesses may not have a clear understanding of the differences between a data breach and a payment card breach. It's not uncommon for entrepreneurs to assume these are just two terms for the same event. But while both types of scenarios may be referred to as data breaches in news stories, many of the recent mega-exposures have actually fallen under the payment card breach umbrella. Unlike a data breach, which involves personally identifiable information and/or healthcare data, a payment card breach is any event where credit or debit card data — account numbers, accountholder names, credit card verification (CCV) codes and expiration dates — is exposed. The terms are not mutually exclusive, as some exposures include multiple types of information.