Businesses that accept debit and credit cards as a method of payment are exposed to cyber attacks throughout the financial transaction process. The Target breach last year has been highly publicized because of its magnitude, obscuring the fact that cyber criminals are attacking merchants of all sizes to access valuable data. Cyber assaults on payment card systems are frequent, sophisticated, and organized.

The Payment Card Industry (PCI), a broad term for financial service organizations such as card issuers, merchant banks, and card processors, incurs serious losses when cardholder data and/or sensitive authentication data are compromised in a security breach. Losses include card replacement costs, fraudulent charges, and forensic costs to investigate the origin and scope of the breach.

In order to mitigate these losses, the major payment brands (Visa, MasterCard, American Express, etc.) created the Security Standards Council to develop global security standards for merchants, credit card processors, and other entities that store, process, or transmit cardholder or sensitive authentication data. Designed to protect consumer information and prevent fraud, the 12 basic Data Security Standards and their associated sub-requirements are known collectively as PCI DSS. Merchant Agreements include clauses that give the PCI the enforcement power to assess fees, fines, and penalties for failure to comply with PCI DSS.

Studies consistently show a PCI DSS audit fail rate of approximately 75% when conducted by an outside security assessment firm.

In the aftermath of an attack, the merchant is usually not the first to know. In fact, the merchant or payment processor may remain unaware of a security breach for as long as 18 months before receiving PCI notification.

When fraudulent charges occur, the PCI determines the common point-of-sale by tracing the misappropriated card data back to the merchant. Subsequently, the merchant may be charged an assessment for the services of a PCI Forensic Investigator (PFI) to determine the extent of the breach and the number of individual records exposed. Engaging a PFI starts at approximately $10,000.

The merchant is responsible for notifying affected individuals, legal fees, forensic investigation and remediation charges, costs to revalidate PCI DSS compliance, and reimbursements to card issuers. The merchant may also be subject to additional fees, fines, and penalties as per the terms of the Merchant Agreement. The PCI may impose Payment Network Recovery Assessments, where money is removed from the merchant’s account to establish a reserve fund for reimbursement of fraudulent charges.

Actual merchant costs incurred vary based on the number of affected records and the extent to which the merchant's security systems failed to meet PCI DSS. The average total cost of a PCI-related breach is between $3.5 million and $3.7 million.

It is important to note that when a breach happens, the PCI assumes the merchant to be out of compliance – even if the merchant has done everything the contract required and has done nothing wrong. The burden of proof is on the merchant, and it can be a long and difficult process to prove “innocence” in the PCI’s eyes.

PCI requirements and governance can be daunting to understand. Organizations subject to the terms of PCI DSS face significant cash outlays during and after a breach investigation. Fortunately, Cyber Liability insurance can cover PCI fines and lawsuits brought by cardholders against a merchant (third-party liability coverage). However, understanding what policy is best can be confusing.