Today The Official Merchant Services Blog has a quick follow up to its ongoing coverage of the Global Payments Data Breach. The past two entries in our blog have taken a sweeping look at the big picture of data breaches and PCI DSS and how effective those security standards are. PCI Compliance is a topic very near and dear to Host Merchant Services because the company pushes an aggressive initiative among its customers to keep them PCI Compliant.
PCI Compliance: The Foundation of Security
Past studies from Verizon and Gartner Research have suggested that business owners slack on their security needs, especially in terms of PCI DSS compliance. The most oft suggested reason for this lax outlook on security has to do with PCI itself not having a lot of traction with those business owners. The merchants tend to think any security issues are the responsibility of the third party processor or the bank or the credit card companies; they don’t see a direct link to their business because of the simple fact that their terminal that swipes cards wasn’t theirs to begin with. Other issues include Merchants getting lost in the complexities of the PCI DSS website and its many forms that need to be filled out, and the recent change to PCI version 2.0 in October 2010 changing the structure of the system. Merchants get distracted by their day to day responsibilities of the business and gloss over the minutiae of PCI compliance.
Host Merchant Services understands these problems. Part of their service mantra is that the company designs payment processing solutions that let their merchants focus on running their company. The general theme is to make payment processing seamless and easy for the merchants. This includes transaction security and was the catalyst that fueled the company’s PCI Compliance Initiative.
But as we’ve seen with the Global Payments Data Breach, security needs to go beyond just PCI Compliance.
An Extra Layer of Protection
This Article from The Data Center Journal suggests that better admin priveleges could have helped stave off The Global Payments Data Breach completely. From the article: “Avecto says that the possibility that the breach was caused by a compromised administrative account that was insufficiently protected shows that governance is a central requirement of modern IT security.”
The article maintains that multiple layers of security can go a long away to helping to prevent future data breaches of this type. Paul Kenyon, chief operating officer with Avecto, said in the article that “Our observations on this breach suggest that minimizing administrative privileges—an exercise in the principle of least privilege—would have gone a long way to preventing the breach.” It was suggested to Kenyon from another IT Security analyst that the privileged accounts that are reportedly at the heart of this breach need several layers of protection to properly insulate them from hackers.
Most articles looking at the aftermath of the data breach arrive at the consensus that security measures need to go beyond just PCI compliance. This article gives some very specific and clear advice on a step to take — a data breach solution.
Data Breach Penalties Stack Up
Yesterday’s blog also delved into the cost and fees companies face when they suffer a data breach.
And this article by Bank Info Security gives even more insight into the cost and impact of a data breach. It interviews Larry Ponemon, founder of the Ponemon Institute, which conducted this year’s Cost of a Data Breach study with sponsorship from Symantec. The study revealed that the average cost of a Data Breach has gone down this year. Which makes sense when you consider that even with the Global Payments Data Breach in the news right now, the scale is a lot smaller than the scale of the Heartland Data Breach.
In fact, this article, also from Bank Info Security, gives a side by side comparison between the much bigger Heartland Data Breach and the Global Payments Data Breach.
But back to Ponemon’s interview and his company’s study: “According to the annual report, the average per capita cost of a data breach has declined from $214 per record to $194 since 2011’s report.”
Ponemon suggests two reasons for the decline in average costs.
- Complacency: “We think people in general may be becoming numb to the data breach notification process. Most people have received at least one data breach notice; they may not even be aware of it because they don’t open their mail. The may see it as junk mail.”
- Topical Shift, or rather the rise of intellectual property breaches, which are not a part of the annual study: “We focus on one type of data breach – the type of data breach [of personal records] that requires notification in the United States and then other parts of the world – but in reality there are other, maybe more costly, data breaches that companies are experiencing every day.”
HMS Data Breach Security Program
The hackers that go after credit card information are a creative group of criminals who are constantly pushing technology forward and tying security systems in knots. Many times a discussion about data breaches ends up with the conclusion that “it’s not if a data breach is going to happen, it’s when a data breach is going to happen.”
Host Merchant Services offers a key resource in preparing a business to tackle that issue: Its Data Breach Security Program. This program protects a business and a merchant can get up to $100,000 in coverage per location for the most common forms of data breach:
- Employee Dishonesty
- Theft of Credit Card Receipts
- Theft of POS Terminals
- Stolen Card Numbers
- Theft of Computers
The Data Breach Security Program helps cover fees for any industry-mandated audit of a suspected breach, card replacement costs and related expenses, and industry fines and assessments. All of these fees come from non-compliance with PCI DSS and are fees and issues that any company even suspected of a breach can face as we described yesterday in our blog. The coverage would exceed even the penalties that Cisero’s faces as we saw in the article about their lawsuit targeting the PCI itself.
How Does It Work?
Host Merchant Services makes it easy to file claims once you’ve gotten on board with the Data Breach Security Program. A simple online form starts the process:
- Step 1: Fill out the online claim form at www.merchantdatabreach.com
- Step 2: Upload or fax the notice from the acquiring bank, which stipulates that there has been a breach or a suspected breach at your location and choose an authorized, qualified security assesor.
- Step 3: When the forensic audit is complete, upload or fax a copy of the assessor’s report.
- Step 4: HMS takes it from there. We process the claim for payment and if all documentation is in order you will receive a check for the expenses incurred from the audit and/or card replacement costs and/or fines incurred for a breach.
Data Breaches can and will occur. They are costly. The recent Global Payments Data Breach reminds us all how important transaction security is for all parties involved. Merchants need to understand how important PCI Compliance is for their business. And they also need to take more steps than just PCI Compliance. Host Merchant Services is committed to keeping its merchants safe and secure. The company takes the lead in the industry in terms of PCI Standards with its PCI Compliance Initiative. And the company offers added layers of protection to its merchants through its Data Breach Security Program.