A Typical Payment Data Breach or One Fine Day Your Business Dies
You own a business. It’s your passion. You love what you do and you are doing well. You have heard about a recent payment data breach and while that does nag at you, you assume you can’t afford the services, technology, and equipment required to ensure your safety. IT in general is hard to prove ROI and security is just not something you think you should be concerned with. Besides, what could a hacker want with your data anyway? There are much bigger companies that should worry about that. You were mad when that large retail chain lost your credit card information and it did change the way you thought about them and made you shop there less, but come on… What’s the big deal for your business? You’re just too small to be a target. You won’t suffer a payment data breach.
The problem is, you’re not too small. Ever got a virus at home? Do you think you were singled out, targeted? In much the same way, your business can be attacked and the results can be devastating. It continues to amaze me when I meet you and our conversation goes toward what we do you always say the same thing. You tell me, “wow, that is a really cool job and I can certainly see how people need your service! But not me, I’m too small to worry about it.” We just met, you don’t know me, I tell you I do cyber security which inevitably I must explain what that is, penetration testing and all the other services which all boils down to the cringe worthy comment that I am a hacker. A hacker, you will in short order tell that you don’t worry about security. You told a hacker you don’t worry about security. You told a hacker you don’t worry about security.
Through the natural course of networking with businesses I have found that all a malicious hacker has to do to find out if you’re going to be an easy target is ask you. That is absolutely absurd, and yet you just told me all I need to know about your stance on security.
So you go about your business, probably ignoring the fact that you actually do have a regulator that cares very much about your compliance with their security regulations. Chance are, you at least have to worry about the Payment Card Industry Data Security Standard (PCI DSS) if you accept credit cards. However, you proceed to roll the dice that you won’t experience a payment data breach. Did you know 90% of data breaches impact small businesses? Not only are you a target, you are highly targeted because every malicious hacker knows you don’t care about security. There won’t be any security checkpoints to stop the attacker along the way or identify the payment data breach ever happened so while maybe there is not as big of a single day pay off as attacking a large retailer, chances are good over time a considerable amount of data can be stolen at incredibly low risk of detection and capture. It’s not just credit card data they are after either. Your computers can be used to do other things like host files (think illegal stuff like child porn), they can be used in a hive of computers to launch large scale attacks at others, they can be used to distribute malware (think ransomware) to others, and much more.
For whatever the reason, the results will probably be the same because you have no security and have no way of knowing you’ve been breached. The breach will happen and your data will be leaking out, your computers used for illegal activities, and more. It will take them some time (typically around a year), but eventually the source of these stolen credit cards will be tracked to a common purchase location, you. Maybe the ransomware server will be flagged and they will come for you, or the child porn ring will get discovered and they will find you. Who are they? Law enforcement. Do you know what they do when they knock on your door? They seize your equipment. How are you feeling about not having security in place now? How are you going to continue to operate? Do you even have a Business Continuity Plan? Probably not since you don’t care about security and haven’t prepared for emergencies. Can you even make payroll now? Do you have enough paper checks on hand to cover yourself, or are your employees going to suffer along with your customers and everyone else affected by the breach because you are too small to be a target? Their employee files have probably been lifted as well, so they should expect to be victims of identity theft in the future because you are too small to be a target.
These are just some of the side effects of a data breach. Your reputation is plummeting, you don’t know where to begin rebuilding your business, customers are scared to do business with you and are flat out angry and want your head on a platter and your phone never stops ringing. Lawsuits loom on the horizon. The cost of this is going to be huge. So huge in fact, most business don’t recover and shut down within a year, but even that won’t stop the bleeding.
What’s that you say? You have cyber insurance coverage? I’ve got some bad news for you sunshine, those companies are now suing their customers over their lack of due diligence in trying to keep the data protected. They will not bail you out if you didn’t bother to try to keep things safe, and you didn’t, you told me so. Even if they stopped some of the monetary damage, the long lasting effects may cripple your ability to continue to operate and your customer base may never return.
When the Credit Card Companies Bite Back After a Payment Data Breach
Have you thought about what will happen if you are a victim of a payment data breach? Even if a payment data breach is merely suspected you are in for a wildly damaging ride. The financial damages are going to be high and the other consequences are going to be damaging as well.
Maybe it’s law enforcement that tracked it to you, or maybe it’s a different agency such as a bank or credit card company who noticed an increase in fraud which kicked off a number of their security protocols that traced it back to a single merchant, you. When a payment data breach or a suspected payment data breach is reported it starts a series of costly activities that may include forensic analysis of your payment system and an in depth audit of your network infrastructure.
Mandatory Forensics Examination of Payment Data Breach
PCI DSS, the regulations of the Payment Card Industry you agreed to uphold when you started accepting credit card payments, requires you to undergo a forensic examination to determine if a payment data breach has occurred and to what extent the damages are even if you are only suspected of being breached. That will require you to hire a third party examiner such as Shades of Gray Security to conduct the investigation. This exam is going to take days to weeks depending on the complexity and size of the network we have to focus on. If you’re equipment hasn’t been seized, it will be required to be shutdown immediately in order to preserve evidence (and you really don’t want to lose that and make this even worse) until the examiner approves its return to production which may be days or weeks before the examiner can get to your case. Depending on size and complexity, you are looking at a ballpark figure of around $30,000 to $50,000 for the examination because you may have been breached. If only you didn’t think you were too small to be targeted and had checks and balances in place that could be used to stop them in their tracks or at least greatly reduce the time required to perform the examination.
Those Pesky Customers
Most states require you to notify all your customers that have been affected by the breach. Trouble is, you don’t know who those are until after that forensics examination determines the scope of the breach. That get’s compounded in some state laws like Louisiana that says you have to notify all parties that may have been affected within a reasonable time. Well, everyone MAY have been affected, and a reasonable time is now since this has been going on for a year. Trouble is, what if you were just suspected of being breached? Time to invest in lawyers to keep that at bay while your forensics examiner is trying to determine the extent of the damages. You’ll also be expected to provide credit monitoring and/or ID theft prevention services for at least a year for those affected. This will be forced by law in some cases and highly recommended otherwise to help repair your damaged reputation. Some states require multiple notifications be sent via traditional mail as well. The time it takes working with attorneys to craft the letters, mailing those notifications, providing those credit services, operating a call center (your phone will blow up) can get real high real fast. These costs can easily approach six figures per every 5,000 people you have to notify.
Who is Liable for the Chargebacks on Fraudulent Charges?
If you aren’t PCI DSS compliant, you are Magoo! That’s right. Visa isn’t eating that cost because you didn’t live up to the agreement you signed. Reading EULAs, it matters. PCI compliance fines are going to be levied against you if you did not secure your system properly and have it verified. PCI has found that over 90% of merchants experiencing a payment data breach had not complied with the PCI DSS. You are one of those by virtue of you being too small to be targeted. If the forensic examination shows your business was not in compliance with the regulation at the time of the breach, the payment card associations and associated banks may levy hefty fines against you. They will do so if those stolen cards are used in fraud cases. Those fines can reach and exceed $50,000 and that’s just the fines for not being compliant. They can go up to cover the losses. Oh, you assumed you have no liability for fraudulent charges didn’t you? Not only are you probably facing the above fines, but if not everyone is satisfied liability lawsuits are heading your way.
Other Costs of a Payment Data Breach
You may be required to replace your POS, servers, network, etc., if the source of the breach calls for it, or if you can’t gain PCI compliance without doing so. By the way, you will be required to bring your network into compliance, pay for an assessment for PCI compliance to verify you are compliant with PCI DSS, and receive a positive Return on Compliance from that assessment in order to qualify to accept credit cards again. Yes, I said qualify. Doesn’t mean you ever will be allowed to accept those forms of payment again. That is going to require you to hire a third party Qualified Security Assessor (QSA) to conduct the assessment. By the way, you should have already had that QSA assessment before this whole mess started and you really want to let another person make sure you are going to pass that before you hire him so that’s really two audits you are going to have to fund. You’re a high risk client now, so there won’t be a net 30, you’ll pay up front.
Have you ever been issued a new card because yours was involved in a payment data breach? Those cards are not free. Card issuers may require that you pay the cost of reissuing all those debit and credit cards to every customer that was affected by the payment data breach. Those fees can be about $10 per card. So those 5,000 customers that already cost you about $100,000 to notify and manage concerns and credit monitoring, well you may need to add another $50,000 to give them new cards.
You can see how quickly the payment data breach adds up. We are already over $250,000 per 5,000 customers in potential costs, and we haven’t discussed the more difficult aspects to quantify.
Payment Data Breach Damages You Can’t Easily Assign a Value
Remember when I said you will have to prove you are compliant with PCI DSS regulation in order to qualify to accept card payments again? That doesn’t mean you will be allowed to accept cards again. Ever. Don’t think you can hide behind a new LLC either. They know your organization. Are you prepared to be cash only? Can you remove pay at the pump at the gas station and survive? Speaking of cash only, retailers who have suffered a payment data breach discover that there is a reduction in the amount of credit and debit card usage at their stores. People paying with cash have a hard limit on what they can spend and as a successful business you know the natural instinct is to spend less when you are paying with cash. Even if you are allowed to once again accept payment cards you can still expect the reduced amount of customers who shop with you are still going to be spending less on average per ticket than before because some will never use a card again. Ouch huh?
The main thing I’m talking about is reputation damage. Your customers, employees, partners, vendors, just everyone you come in contact with in general, place a high level of trust in your business. They don’t think much about it while interacting with you (otherwise they question why you still use swipe when it’s required to use the chip), but they certainly think about that trust immediately when it is broken. That is exactly what a payment data breach does, it breaks all trust those people have with you.
We’re focusing on payment data breaches, so let’s stick with just the customers though. Studies show that about 60% of people receiving a payment data breach notification say they lost trust with the company. About half of those terminate their relationship and never return. Regardless of how the payment data breach happened, maybe it was a third party breach that got into your network, maybe it’s a POS that was installed pre-compromised, maybe you just left the server room unlocked, or maybe just maybe you said to yourself and anyone who asks, “I’m just too small to be a target,” maybe you outsource that entire system from the swipe to the server located half around the world that authorizes the transaction that and you have absolutely no control over any part of it. Whatever the reason, consumers blame you. Don’t think you can play a victim and blame your provider and walk away from this. It. Is. On. You. In fact, the consumer will never know that you outsourced everything and it was beyond your control. It happened at your business, it is your fault.
When consumers point the finger, they can get real vocal. Ever see a gas station that was victim to a credit card skimmer? I have. Aside from every major local news station blasting the location on the evening news, the papers plastering it on the front page, social media is where you get burned. That spreads like wildfire. Just take a look at any post about a business suffering a payment data breach and you will see victim after victim proclaiming they will never shop there again. They will share it, like it, and whatever else they can do to make a big deal about it in their rage. Everyone they know will know and those people will start to panic wondering if they visited your store during the time, are they affected? Well, they won’t be returning anytime soon either. When a big enough stink is made, it will get syndicated. It may not be national news worthy, but you can expect local news affiliates all over to pick it. Suddenly, your little store in Plaquemine, Louisiana is on the news in Scottsbluff, Nebraska and not for any reason that is going to help you out. Radio stations will run with it, public broadcasting, security service providers will post it on their site. It will be used as an example of failure over and over again. Kind of hard to quantify that isn’t it, but don’t worry, you are too small to be targeted.
Your time is going to be consumed by this event for some time as well. Stress is going way up, blood pressure? Yeah that’s spiking. Good luck sleeping. Your health is going to decline while you spend so many days and nights working with security firms to stop the breach, forensic examiners to determine the scope of the breach, lawyers, phone calls, press, etc. You just want to get back to the way things were when you were too small to be targeted but you can’t.
We Can Help
Shades of Gray Security offers a full line of security services for all types and sizes of businesses. We can help ensure you are doing your level best to protect your network and your customers. No one can be 100% secure, but we can put you on the path to being the best you can. We work with you and your budget to help determine the best strategy to protect your organization. If you have security, we offer testing to ensure it is optimal, if not, we offer managed security services through our vCISO program to guide your security program from the ground up. We have arrangements with our clients who engage in some of our package plans to greatly reduce the costs of Incident Response and Digital Forensics in the event you do have a breach. Those include free initial evaluation and a discounted rate for those services. Our offerings are a fraction of the cost of dealing with a payment data breach and we can save you untold hours and expenses along the way if we are already working with you. You can always continue to believe you’re too small to be targeted and we will gladly welcome your business when you are breached.
Contact Us Today
Contact us today to prepare and help prevent the catastrophe of a payment data breach.