PCI Compliance - Explained

PCI Compliance Update

Small and medium-sized merchants who accept credit and debit cards became acutely aware of an added business expense last year. In October 2008, stringent requirements from the Payment Card Industry (PCI) Security Standards Council became mandatory for all entities that process, store or transmit cardholder data.

Complying with PCI regulations is a significant responsibility. According to the analyst firm Gartner, Inc., even small (Level 4) merchants can spend thousands of dollars on the security assessments and technology improvements needed to meet PCI requirements*. What's more, maintaining PCI compliance requires constant vigilance. Merchants who fail to verify and maintain compliance may face severe penalties, including audits or fines. Some businesses lose the ability to accept payment cards altogether.

Still, the drive to protect sensitive cardholder data is vital. Security breaches, and the resulting financial losses, are on the rise. From 2002 through 2008, the Verizon Business RISK Team conducted more than 600 investigations of security breaches or suspected breaches across multiple industries. The group published its latest findings in the 2009 Data Breach Investigations Report**. Below are some key points.

  • Payment card data breaches comprised 98% of all records compromised in 2008. Fraudulent use of stolen card data was confirmed in 83% of the cases studied, and 91% of all compromised records were linked to organized crime.
  • Three-quarters of the breaches in 2008 occurred in just three industries: Retail, Financial Services, and Food and Beverage.
  • Four out of five firms (81%) that suffered payment card breaches were not compliant with the PCI Data Security Standard (DSS) or had never been audited.
  • In 66% of the cases, the breach involved data that the organization didn't even know was on the system.
  • Data breaches often result from a combination of events rather than a single action. In most cases, the attacks were not complex and would likely have been prevented if basic security controls had been in place at the time of the attack.
  • Three-quarters of the attacks weren't discovered by the victimized company; often it was law enforcement agencies or individual victims who pointed out the problem. Breaches go undiscovered for weeks or months in 75% of cases.

When data breaches and fraud occur, merchants are often left holding the bag. Add to that financial loss the risk of fines, legal expenses, lost opportunities for future revenue and long-term damage to a company's reputation, and the costs of a security breach can be devastating to a small business.

Even a suspected breach can have a financial impact on a company. In an April 2009 article titled "The Real Cost of Data Breach," Robert Halsey, president of Royal Services Group Ltd., notes that "once a merchant is even suspected of a breach, a team of PCI DSS-certified forensics security examiners swoops in to review and inspect its business practices. This examination can take anywhere from a few days to several weeks, depending on the complexity of the systems involved.

"That means that for a minimum of several days, your business is brought to an absolute standstill while the examiners comb through your policies, records, computer and phone systems, and employees, and eat away at your productivity, sales and profits. And, as if that's not enough, at the end you'll have to pay the costs of the forensic examination, whether there was an actual breach or not: somewhere between $8,000 and $20,000 if you're a Level 4 merchant."

Fortunately, there are steps small and medium-sized companies can take to reduce their risk. One of the top reasons businesses fail PCI audits, and a leading factor in data theft, is the inability to adequately protect stored cardholder data.

* "PCI Compliance Remains Challenging and Expensive," Gartner, Inc., May 2008
** "2009 Data Breach Investigations Report," Verizon Business RISK Team, March 2009
