by Jason McWhirr, Information Security Consultant, Consulting Services
Sysnet’s QSA community has observed that in recent months merchants have become bolder in challenging why compliance with the Payment Card Industry Data Security Standard (PCI DSS) is necessary for their business; challenging what they see as a costly and time-consuming imposition when they believe there is minimal risk or that their payment card processes and network are secure.
The PCI DSS was created to help protect merchants accepting payment card data from the risk of a data breach by incorporating a minimum baseline of security best practices and controls into their day-to-day business processes and systems.
Yet, for some merchants, the PCI DSS is overly complex, unnecessary, and treated as a “tick-the-box” exercise that must be “got through” in order for them to get back to their primary business goal: selling their goods and services.
A merchant will only thrive if they focus on their business and the activities that help it to develop, grow and increase sales but that must not be to the detriment of cardholder data security, which if compromised could cause their business irreparable damage.
It is the smaller level 3 and 4 merchants that are likely to have the least time and money to allocate to cardholder data security, but unfortunately they are also major targets for data breaches, because they tend to have the most vulnerable systems and minimal capability to detect breaches.
We believe that a change in emphasis in PCI DSS compliance messaging to the merchant community is necessary: make it more personal to the merchant, emphasising that a card data breach and the necessary follow-up activities and costs are a distraction from their primary business goal.
This can be achieved by educating merchants with easy to understand infographics and videos. Responding to an account data compromise will require re-allocation of resources and funds to “pick up the pieces” and could have an impact over many months, not allowing the merchant to focus on (or spend money on) activities to develop and grow their business.
Proportionally smaller merchants, with their tighter margins and limited resources, will experience the most damaging impacts to their business in the event of a compromise and acquirers should help them to recognise the benefits of expending time and effort now to properly implement PCI DSS in order to minimise the risk of a card data breach in the future.
The impacts of an account data compromise can be broken down into immediate and longer-term costs and consequences for the merchant’s business:
- Fines/penalties levied
- Intrusive forensic investigations to determine the cause of the breach and extent of cards exposed and the associated costs of these forensic specialists
- Resources to remediate forensic findings and re-establish a secure payment channel
- Costs to achieve PCI DSS compliance and undergo a full on-site compliance assessment
- Legal costs
- Fraud losses
- Unable to accept payment cards: potential loss of business if the merchant is prevented from taking payment on the compromised payment channel
- Unable to access existing funds
Longer term impact
- Higher future compliance costs
- Lost customer confidence & sales
- Reputational/brand damage
- Lost opportunity costs
- Re-prioritisation of other internal business projects, reducing business growth/development
- Going out of business
Increase merchant engagement with Sysnet.air
Sysnet Global Solutions can help acquirers easily interact with and educate their merchants on this key message through use of the Sysnet.air® compliance management and merchant engagement solution. Sysnet.air helps merchants understand what is required of them to comply with the PCI DSS and enables greater engagement by being very user-friendly.
By utilising the portal, acquirers can:
- Encourage merchants to become compliant
- Guide the merchant with their progress towards PCI DSS compliance
- Educate the merchant with expert PCI documentation and guidance
- Gain visibility of the merchant’s risks
Protect your merchants with Data Breach Indemnity Protection*
In the event that a data breach occurs, despite the merchant’s best efforts, acquirers can offer a further service that can help to minimise the impact on the merchant: Sysnet Data Breach Indemnity Protection.
Due to the sometimes large and unexpected expenses associated with a data breach, recovery from an account data compromise can easily force many merchants to go out of business, or at the very least significantly set back their growth plans.
Most merchants do not have a budget set aside to call upon in the event of an account data compromise, but acquirers offering Sysnet’s Data Breach Indemnity Protection can help to offset the costs associated with data breach response and recovery, allowing your merchants to focus on recovery rather than worrying about the financial implications of a cardholder data breach.
Sysnet Data Breach Indemnity Protection is designed to help merchants counteract unexpected costs by covering the expenses for:
- Assessments and/or fines levied by the card schemes for breaches, including actual fraudulent use of the compromised cards
- Forensic assessment costs
- Card replacement cost
- Other related expenses
Remember – being PCI DSS compliant does lower the risk, but does not guarantee protection of your merchants from a payment card data breach!
*other terms and conditions apply