Businesses that accept payment cards carry risks that non-merchants do not.
Exposures involving payment card data bring additional financial penalties, a separate set of contractual compliance mandates, and response obligations that differ from those that apply to a conventional data breach.
Merchants, and the insurance producers (agents and brokers) that serve them, must recognize the differences between these two kinds of exposure, both in the risks involved and in the strategies to follow before a breach occurs and after one is suspected.
What is a payment card breach?
Small businesses may not have a clear understanding of the difference between a data breach and a payment card breach. It is not uncommon for entrepreneurs to assume these are two terms for the same event. While both are called data breaches in news stories, many of the recent mega-exposures actually fall under the payment card breach umbrella. In the sense used here, a data breach involves personally identifiable information and/or healthcare data, whereas a payment card breach is any event in which credit or debit card data is exposed: primary account numbers, cardholder names, expiration dates and card verification values (the CVV/CVC codes printed on the card). The last item deserves a note of its own: PCI DSS prohibits storing the verification code, the full magnetic-stripe track data or the PIN after a transaction has been authorized, so a breach that exposes this data usually also reveals that the merchant was retaining something it was never permitted to keep. The two terms are not mutually exclusive, since a single incident can expose several types of information.
Entrepreneurs, even those with a good working knowledge of insurance practices and a commitment to carrying robust policies, may discover their payment card breach coverage is not as inclusive as they expected. Once the card brand assessments and the increased legal and investigative costs are finally tallied, payment card exposures are tremendously expensive.
Many carriers shield themselves from these financial impacts by specifically excluding payment card breaches from their cyber policies. Small businesses interested in coverage will want to work with a producer experienced in this area who can connect them with a specialty policy. The coverage is generally costly, but merchants with a significant payment card transaction volume may still choose to pay the premiums as a way to mitigate their risk.
Financial impacts in payment card exposures
Many of the potential costs of a data breach are well known among small business owners, including the expense of providing credit monitoring services to victims. Fines levied by regulatory agencies and lawsuits by victims are sometimes added to the mix, depending on the nature and scope of the exposure. Payment card breaches, however, bring additional financial impacts. A number of these expenses come as a surprise to small businesses, even those that have made an effort to read their merchant agreement and to understand the Payment Card Industry Data Security Standard (PCI DSS) it obligates them to follow.
When fraud reports on cards that were all used at the same merchant point to that merchant as the common point of purchase, a card brand such as Mastercard or Visa flags the merchant account for review, usually by way of the merchant's acquiring bank or payment processor. The brand then provides the business with a statement giving the number of potentially fraudulent transactions that have been attributed to its payment system. Rather than a detailed accounting, this statement is often a single page that offers only a top-level view of the situation.
At this point the business is responsible for following the steps required by its merchant agreement, all of which must happen in quick succession. The suspected breach must be analyzed by one of the relatively few PCI Forensic Investigators (PFIs), the firms approved by the PCI Security Standards Council to perform this work. Because of their niche nature and high demand, PFIs are typically more expensive than firms hired to review standard data breaches. It is common for even the most basic payment card breach investigation to cost at least $10,000, and complex investigations run far higher.
If the forensic investigation points to a security weakness on the part of the small business, that is, if the merchant was not compliant with PCI DSS and its noncompliance contributed to the breach, the merchant is issued an assessment. These assessments are generally intended to reimburse the issuing banks for their fraud losses and for the cost of reissuing compromised cards. The merchant agreement provides the contractual basis for charging them, but the calculations used to arrive at the final sum are convoluted, and some of the factors are known only to the card brands. It is nearly impossible for a business to predict its assessment until the bill arrives, and the individual components are not always itemized.
The assessment is only the beginning of a merchant's financial woes. Because the card brands control the process, the assessment, investigative and response phases of a payment card breach often leave small retailers facing larger legal costs than they would incur after a standard data exposure. Assistance that vendors and other business partners would normally offer may not be available if those firms choose to distance themselves before their own systems are named in the investigation as potential weak points.
Higher-level support mechanisms, such as those included in franchise agreements, have been known to evaporate as franchisors seek to separate themselves from a noncompliant franchisee. The small business is then left to fend for itself against a large and well-financed card brand.
Further complicating matters is the cumbersome appeals process that follows an assessment. Appeals are presented to the card brands themselves, the same parties that levied the assessment, so it is rare for an appeal to succeed or an assessment to be reduced. Appeal procedures exist on paper, but in practice, and unlike a conventional data breach, there is no reliable way to overturn any portion of an assessment.
Proactive steps
The best strategy a firm can adopt is to prevent a payment card breach from happening in the first place. A risk assessment of the business, carried out by an experienced expert, can pinpoint weaknesses before an attacker does. This gives the merchant an opportunity to fix problem areas, bring itself into line with PCI DSS requirements and improve the security of its systems overall. The most valuable finding of such an assessment is often that card data can be kept off the merchant's own systems entirely, for example by using a point-to-point encryption or tokenization service from the payment processor; this shrinks both the attack surface and the scope of what must be kept PCI DSS compliant.
Something as simple as out-of-date software, whether on a point-of-sale terminal, a payment application or a web storefront, can give attackers the opening they need to siphon off payment card data and set the business up for large financial problems later. Remediation does not need to be difficult or expensive, and it will almost certainly cost less than an assessment levied by a card brand together with all the costs that follow it.
Eduard Goodman is chief privacy officer at IDT911.
© Arc, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to TMSalesOperations@arc-network.com. For more information visit Asset & Logo Licensing.