Payment Card Industry Data Security Standard (PCI DSS) non-compliance can have serious consequences. Businesses can face fines of up to $500,000 per security incident, plus litigation costs. The sobering reality of PCI data breaches has made national and international headlines. Here are just a few noteworthy cases from 2011.
April, 2011: 86 Michaels stores in 20 states are made aware “of PIN pad tampering.”
April, 2011: Approximately 80 million people’s names, addresses and credit card numbers are affected when a Sony site was hacked.
September, 2011: 40,000 people were affected by a Vacationland Vendors breach. The intrusion occurred through point-of-sale systems where hackers stole credit and debit card numbers between Dec. 12, 2008, and May 25, 2011.
These stories and more are unfortunately reported in the news all too frequently. Predictions indicate that as larger businesses tighten up their security, hackers are focusing on smaller businesses.
Data breaches can happen to any business or organization regardless of the size or type. Fines imposed for being non-compliant at the time of a breach can be staggering:
- $500,000 per data security incident
- $50,000 per day for non-compliance
- Liability for all fraud losses incurred from compromised account numbers
- Cost of re-issuing cards associated with the compromise
- Risk of loss or suspension of ability to process credit cards
In addition to the above potential consequences, you risk the loss of customers. Research shows that 43% of customers who have been victims of fraud stop doing business with the merchant where the fraud occurred.
PCI DSS was created by Visa®, MasterCard®, American Express® and the Discover® Network to protect cardholder information and reduce data theft. PCI Compliance applies to any business that accepts credit or debit cards as a means of payment for good or services. PCI DSS establishes and enforces the security requirements.
Data Genesis™ has partnered with SecurityMetrics Inc. to assist you in becoming PCI Compliant. For assistance, please contact our SecurityMetrics Relationship Team directly at 802.623.5690.
For complete information about PCI Security Standards, please visit www.pcisecuritystandards.org
While we sincerely hope your business is never compromised, we’ve listed a few important steps to follow in the event you do experience an incident:
» Immediately contain and limit the exposure:
- Do not access or alter compromised system(s).
- Do not turn the compromised system(s) off. Instead, isolate the system from the network; unplug the network cable.
- Preserve evidence and logs.
- Document all actions taken.
- If using a wireless network, change the Service Set Identifier (SSID).
- Be on high alert and monitor traffic on all systems with cardholder data.
» Alert all necessary parties immediately:
- Contact affected customers.
- Contact your merchant service provider.
- If unable to locate name/contact, notify Card Brands directly.
» Within 3 business days of the reported compromise, provide an Incident Report document to your merchant provider.
» Provide all compromised card accounts to your merchant service provider within 10 business days.
For further information, Visa publishes a complete document “What to Do If Compromised”. You can view the document by visiting the Visa website at: http://usa.visa.com/download/merchants/cisp_what_to_do_if_compromised.pdf?