Merchant breach protection – minimising the impact in the event of an account data compromise

by Jason McWhirr, Information Security Consultant, Consulting Services

Sysnet’s QSA community has observed that in recent months merchants have become bolder in challenging why compliance with the Payment Card Industry Data Security Standard (PCI DSS) is necessary for their business; challenging what they see as a costly and time-consuming imposition when they believe there is minimal risk or that their payment card processes and network are secure.


The PCI DSS was created to help protect merchants accepting payment card data from the risk of a data breach by incorporating a minimum baseline of security best practices and controls into their day-to-day business processes and systems.


Yet, for some merchants, the PCI DSS is overly complex, unnecessary, and treated as a “tick-the-box” exercise that must be “got through” in order for them to get back to their primary business goal: selling their goods and services.


A merchant will only thrive if they focus on their business and the activities that help it to develop, grow and increase sales, but that must not be to the detriment of cardholder data security, which if compromised could cause their business irreparable damage.


It is smaller level 3 and 4 merchants that are likely to have the least amount of time and money to allocate to cardholder data security, but unfortunately they are also major targets for data breaches because they tend to have the most vulnerable systems and minimal capability to detect breaches.



We believe that a change in emphasis in PCI DSS compliance messaging to the merchant community is necessary: make it more personal to the merchant, emphasising that a card data breach and the necessary follow-up activities and costs are a distraction from their primary business goal.


This can be achieved by educating merchants with easy-to-understand infographics and videos. Responding to an account data compromise will require re-allocation of resources and funds to “pick up the pieces” and could have an impact over many months, not allowing the merchant to focus on (or spend money on) activities to develop and grow their business.


Proportionally, smaller merchants, with their tighter margins and limited resources, will experience the most damaging impacts to their business in the event of a compromise. Acquirers should help them to recognise the benefits of expending time and effort now to properly implement PCI DSS in order to minimise the risk of a card data breach in the future.


The impacts of an account data compromise can be broken down into immediate and longer-term costs and consequences for the merchant’s business:


Immediate impacts


  • Fines/penalties levied
  • Intrusive forensic investigations to determine the cause of the breach and extent of cards exposed and the associated costs of these forensic specialists
  • Resources to remediate forensic findings and re-establish a secure payment channel
  • Costs to achieve PCI DSS compliance and undergo a full on-site compliance assessment
  • Legal costs
  • Fraud losses
  • Unable to accept payment cards: potential loss of business if the merchant is prevented from taking payment on the compromised payment channel
  • Unable to access existing funds

Longer-term impacts

  • Higher future compliance costs
  • Lost customer confidence & sales
  • Reputational/brand damage
  • Lost opportunity costs
  • Re-prioritisation of other internal business projects, and hence reduced business growth/development

And possibly…

  • Going out of business


Increase merchant engagement with Sysnet.air

Sysnet Global Solutions can help acquirers easily interact with and educate their merchants on this key message through use of the Sysnet.air® compliance management and merchant engagement solution. Sysnet.air helps merchants understand what is required of them to comply with the PCI DSS and enables greater engagement by being very user-friendly.


By utilising the portal, acquirers can:


  • Encourage merchants to become compliant
  • Guide the merchant with their progress towards PCI DSS compliance
  • Educate the merchant with expert PCI documentation and guidance
  • Gain visibility of the merchant’s risks


Protect your merchants with Data Breach Indemnity Protection*

In the event that a data breach occurs, despite the merchant’s best efforts, acquirers can offer a further service that can help to minimise the impact on the merchant: Sysnet Data Breach Indemnity Protection.


Due to the sometimes large and unexpected expenses associated with a data breach, recovery from an account data compromise can easily force many merchants out of business, or at the very least significantly set back their growth plans.


Most merchants do not have a budget set aside to call upon in the event of an account data compromise, but acquirers offering Sysnet’s Data Breach Indemnity Protection can help to offset the costs associated with data breach response and recovery, allowing your merchants to focus on recovery rather than worrying about the financial implications of a cardholder data breach.


Sysnet Data Breach Indemnity Protection is designed to help merchants counteract unexpected costs by covering the expenses for:


  • Assessments and/or fines levied by the card schemes for breaches, including actual fraudulent use of the compromised cards
  • Forensic assessment costs
  • Card replacement cost
  • Other related expenses


Remember: being PCI DSS compliant does lower the risk, but it does not guarantee protection of your merchants from a payment card data breach!

*other terms and conditions apply

