Three Steps for Organizations to Protect Credit Card Data
10/9/2017 9:00:00 AM
As individual consumers, we have become so accustomed to dealing with breaches of our credit card information that it almost feels routine: your bank calls you to question suspicious charges on your account, you confirm the charges were not authorized, and you wait three to five business days for a new card. While the process can certainly be an inconvenience (think of all of those accounts you've set up on auto-pay that now have to be updated), individuals typically do not face any appreciable harm since they aren't liable for the fraudulent charges.
For businesses accepting credit cards, however, the costs can be considerable and potentially catastrophic. As with a breach of any type of personally identifiable information (PII), entities suspecting a breach of cardholder data are required to investigate and remediate the breach, notify the affected customers, and in some cases provide credit or identity theft monitoring in accordance with state breach notification laws. Many retailers have also found themselves defending lawsuits from customers and other third parties holding them liable for damages suffered as a result of the breach.
On top of these first-party breach response and third-party defense costs, businesses uniquely face the threat of fines and penalties, which may be assessed for their failure to comply with the Payment Card Industry Data Security Standard (PCI-DSS). To be clear, any business or organization that accepts cards as payment for goods, services, or donations - including retail stores, e-commerce sites, hotels, restaurants, and non-profits - is subject to the PCI-DSS, which was developed by the major card brands (e.g. Visa, MasterCard, Discover, and American Express) and dictates certain procedural and technological controls that businesses must implement to secure and protect cardholder data. As a mechanism to reimburse banks and other card issuers for their costs in covering fraudulent charges and re-issuing cards to consumers, card brands may enforce PCI-DSS compliance by assessing fines in the event of a data breach. These fines - which can range from tens of thousands of dollars to $500,000 or more - are typically levied against a business's merchant bank or payment processor, with the business contractually liable to indemnify the merchant bank for the assessments. Because these funds are often withheld directly from the business's accounts, cash flow can be severely disrupted, and in some cases a business may lose its ability to accept cards entirely.
In order to protect the credit card information of their customers and/or donors - and avoid expensive breach response costs and fines - businesses and organizations should follow these guidelines:
1. Understand and review the PCI-DSS and ensure compliance by working with their payment processors and third party vendors.
2. Implement technology such as end-to-end encryption and/or tokenization, which allows businesses to avoid holding cardholder data in their own systems and, when properly implemented, greatly reduces the likelihood of a breach.
3. Purchase a comprehensive cyber insurance policy as an additional layer of protection. Coverage is available for first-party breach response, third-party liability, and even PCI fines and assessments. By transferring the risk of accepting payment cards, and taking advantage of a carrier's network of legal and technical experts, businesses can ensure continued operation and minimize the financial impact of a credit card breach.
All PHLY Cyber policyholders receive complimentary access to the eRiskHub, our online cyber risk management portal. Access information can be found in your policy, or by contacting your agent or broker.
Written by Evan Fenaroli
Cyber Liability Product Manager, Management & Professional Liability
IMPORTANT NOTICE - The information and suggestions presented by Philadelphia Indemnity Insurance Company in this E-Brochure are for your consideration in your loss prevention efforts. They are not intended to be complete or definitive in identifying all hazards associated with your business, preventing workplace accidents, or complying with any safety-related or other laws or regulations. You are encouraged to alter them to fit the specific hazards of your business and to have your legal counsel review all of your plans and company policies.