By Jeremy Lacy, Senior Cyber Security Consultant
Working as an information security professional, I often assist businesses with their cyber security. Though much of my work focuses on making sure that a business does not become a victim of cybercrime, I never really considered how credit card fraud could affect me personally, and in turn everyone who uses payment cards. That all changed a few years ago when I received a call from my credit card company. The representative asked whether I had visited San Diego and Los Angeles in the last 10 days. I told them that I had not left my home state of Texas for a few months. The representative went on to explain that some small online purchases had recently been made on my card.
I learned soon after that my credit card number had been stolen and my card information compromised. It turns out that the criminal made a number of small purchases in the Southern California area to test whether the card worked and whether they would get away with using it. After that success, they were planning to buy much higher-value items. Obviously I had to close my credit card account and go through the hassle of opening a new one, along with everything associated with that process. At that point I started thinking: it may be awkward and difficult for me, but what are the consequences for any company that gets compromised?
The reality is if your company processes credit or debit card transactions, then you need to comply with the PCI DSS standard, otherwise known as the Payment Card Industry Data Security Standard. But what if you fail to comply – even if it’s a completely unwitting error on your part? Well, here are 7 serious consequences you can expect, based on other well-known PCI compliance failures in retail and other industries. (By the way, these consequences are a lot more serious than the petty irritations I experienced from having my card number stolen.)
Consequence #1: Lost Sales
Unfortunately, bad news travels fast, and if your business has experienced a hack in which data has been compromised, then you can be sure that people will avoid your business at all costs. A well-known US retailer’s profits dropped drastically following a major hack, and you can be sure the same would apply to any other business that gets hacked.
Consequence #2: Damaged Reputation
Once the damage is done, it can be very difficult to reverse. Consumer trust is something that is not easily won over and even harder to win back. At best, it can be ameliorated with countless hours of reputation management, marketing, and public relations.
Consequence #3: Compensation Costs
You may have to reassure people with compensation in the form of free credit monitoring and/or identity theft insurance. It’s free for your customers … it’s not free for you.
Consequence #4: Legal Action
Unfortunately, lawsuits are commonplace nowadays. Regardless of whether your business wins or loses, the costs of legal action can be huge. If the breach occurred because your business made mistakes, then it’s safe to assume that the law is not going to be on your side.
Consequence #5: Fines
The good news: if customers’ credit cards are actually used to purchase stuff fraudulently, you don’t have to foot that bill; the banks do the reimbursing. The bad news: the banks pass on those costs to you in the form of fines.
Consequence #6: Government Audits
Regardless of the country your business is in, if your business is large enough then there is a good chance that a government organisation such as the Federal Trade Commission (US) will be knocking on your door to carry out an audit. They may then decide to fine your business if they find that guidelines such as PCI DSS were not followed.
Consequence #7: Remediation Costs
You’re also going to have internal remediation costs: costs to investigate what happened, improve your security posture, fire and hire employees … whatever it takes to fix your internal information security environment.
With consequences like these, it can be easy to see how costs could mount up. Most businesses would find it difficult to recover from not being PCI compliant.
So what do you do? The wisest course of action for most organisations – whether small or large – is to work with a quality security advisory partner. Someone who knows the entire PCI playbook, who can deliver cloud and physical environments that have PCI compliant infrastructures, and who can monitor your transactions 24/7.
Remember: nothing is worth the risk of getting hacked. I just had to close my credit card account and open a new one. Your ENTIRE business is on the line.