Cyber criminals are in hot pursuit of consumers’ payment card information because the payoff is a potential gold mine.  Any retailer – large or small – that takes credit and debit cards needs to prepare for the threat of a hacking attack.  Even if the card data is stored offsite and not kept in the retailer’s computer network, the bad guys can still wreak havoc.

That’s precisely what happened to convenience store chain MAPCO, which revealed earlier this month that its payment card system had been hit.  According to StorefrontBacktalk, card data might have been stolen from all 377 MAPCO stores, located in several states around the South.

MAPCO transmits payment card data to its card processing vendor and does not retain it afterwards. That did not protect it: malware planted by the attackers captured the data somewhere between the card swipe and the processor, and the result has been a massive and expensive headache for MAPCO.

Encrypting the link between the retailer and the processor is not enough on its own, because malware sitting on the store's own systems reads the card number before that link encrypts it. Closing the gap means encrypting the card data at the reader, so that neither the point-of-sale system nor the network path ever holds it in the clear. That is unlikely to be widespread in the short term, so hackers will keep going after this systemic weakness.
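The point above, as an added example that is not part of the original article and models no real MAPCO system: a memory-scraper style scan (the Luhn-filtered digit hunt that card-stealing malware and DLP tools both use) run over a constructed snapshot of a point-of-sale process. The "naive" terminal holds the card number in cleartext while it builds the authorization request, so the scan finds it no matter how well the later TLS hop is encrypted; the "P2PE" terminal models a reader that encrypts before the POS software sees the data, so the same scan finds nothing. The field names, the one-time-pad stand-in for the reader's hardware cipher, and the sample card and reference numbers are all assumptions for illustration.

```python
"""Why an encrypted link to the processor is not enough: a PAN hunt over
point-of-sale memory. Constructed example; no real terminal or malware code."""
import base64
import os
import re

# Candidate primary account number: 13-19 digits, optional space/dash separators.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; scrapers use it to discard random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrape_pans(memory: bytes) -> list[str]:
    """Return the distinct Luhn-valid card numbers found in a memory snapshot."""
    text = memory.decode("latin-1")   # one byte -> one char, never raises
    found: list[str] = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits) and digits not in found:
            found.append(digits)
    return found


def naive_pos_memory(pan: str, amount_cents: int) -> bytes:
    """Authorization request as it sits in RAM before TLS wraps it for the
    processor. Field layout is hypothetical; the PAN is in the clear."""
    body = (f"pan={pan}&exp=1215&amount={amount_cents}"
            f"&terminal=0377&ref=20130507123456")   # ref: 14-digit decoy, not Luhn-valid
    return body.encode()


def reader_encrypt(pan: str) -> bytes:
    """Stand-in for the card reader's hardware encryption: a one-time pad with
    a fresh random key. A real P2PE reader uses AES under DUKPT keys, but the
    property that matters is the same: the key never reaches the POS software,
    so this function deliberately discards it."""
    key = os.urandom(len(pan))
    return bytes(a ^ b for a, b in zip(pan.encode(), key))


def p2pe_pos_memory(pan: str, amount_cents: int) -> bytes:
    """Same request on a terminal whose reader encrypted the PAN first.
    The POS only ever holds ciphertext (base64 for transport)."""
    ct = base64.b64encode(reader_encrypt(pan)).decode()
    body = (f"pan_enc={ct}&exp=1215&amount={amount_cents}"
            f"&terminal=0377&ref=20130507123456")
    return body.encode()


def compare(pan: str = "4111111111111111", amount_cents: int = 4299) -> dict:
    """Run the scraper over both terminal models and return what it finds.
    4111111111111111 is a standard Luhn-valid test number, not a real card."""
    return {
        "naive": scrape_pans(naive_pos_memory(pan, amount_cents)),
        "p2pe": scrape_pans(p2pe_pos_memory(pan, amount_cents)),
    }


if __name__ == "__main__":
    for terminal, pans in compare().items():
        print(f"{terminal:6s} terminal: scraper found {pans}")
```

The scan deliberately mirrors how the scraping malware works: a regular expression over a process memory dump, then a Luhn check to throw away timestamps and invoice numbers. Running it over the naive terminal turns up the card number even though nothing on the wire is unencrypted; running it over the P2PE model finds nothing, because the only secret the POS ever saw was already ciphertext.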

In a press release, MAPCO states that it has already consulted with computer forensic experts and that the FBI is investigating. State data-breach notification laws will also require it to tell customers whose credit or debit cards may have been compromised, if it has not begun doing so already.

INSUREtrust producer Zane Goldthorp explains how some of the costs can pile up:  “The average cost of customer notification can be between $10-14 per record breached, so a breach affecting 100,000 records can cost a company well over $1,000,000 in first party losses.”

Goldthorp advises firms to put proper notification procedures in place before a loss occurs, so as to limit some of the damage.  “But even then, third party lawsuits still happen,” he notes.

Small and medium-sized merchants have an especially dangerous exposure in a payment card breach, because the retailer’s balance sheet is less able to weather the financial storm than that of a big-box chain.  Make no mistake about it:  Cyber breaches can be very expensive.

If the card brands or the retailer's acquiring bank find it was not compliant with the Payment Card Industry Data Security Standard (PCI DSS) at the time of the breach, PCI fines and assessments add another layer of cost to the business.

So it makes a lot of sense for retailers to transfer some of the risk of a breach to an insurance policy.  Focusing on prevention alone misses the point: there is no way to be completely safe from a hacking event, and experts say it is not a matter of “if” your business will be attacked, but merely “when.”