The number of hacked websites losing payment card data is rising rapidly - the attacks are becoming more sophisticated and stealthy, and they remain very lucrative for criminals. You've probably heard this before and are tired of the rhetoric. What you may not have heard before is what it means for your online business if your website gets hacked and loses payment card data. What are the potential liabilities, and what is the industry doing to try to curb the loss of payment card data?
In May 2016, Visa released a new mandate to the European acquiring banks regarding data compromises and penalties. The new mandate is aimed at encouraging the payment card industry to focus on proactive security management and better risk management.
This mandate is not published publicly; however, we have had feedback from acquiring banks and a detailed presentation delivered by an industry insider, Neira Jones. Neira was previously Director of Payment Security & Fraud at Barclaycard and now holds board positions with several prominent payment companies and security businesses. Neira understands the payment card industry and is very well connected within it, so we're happy to trust the information she provided and, consequently, to share it with you.
Let me explain how Visa is encouraging/incentivising proactive security and risk management:
As of the 1st May, the following rules apply to data breaches involving Visa payment card data:
While the penalty structure shows how the costs could stack up in the event of a data breach, Visa has also set out a number of ways for a merchant to reduce those penalties. This information is not publicly available, but we have managed to get a feel for the numbers, and if you watch Neira's presentation you will glean a bit more detail. From what we do know, the penalty reductions support Visa's approach to risk management and its encouragement of proactive security management.
While there are a few different conditions for penalty reductions, the following two are the ones that we feel merchants need to be aware of:
Of course, many businesses will read this and assume that they will not be breached - that these penalties are not relevant to them as they will not be one of those companies that get hacked.
How many people look at health stats and believe that they will be better than average, live longer than average? The honest answer is that most of us think like this, especially if we're taking active steps to keep fit, eat well etc. We are an optimistic species (mostly) and tend to think that we can beat the odds.
Well, just like the health stats, if you take care of your website's "health", i.e. keep it secure, you will stand a much better chance of beating the odds, and the penalty scenarios outlined above are unlikely to happen to you.
The fact is that on average, data breaches involve active theft of payment card data for 6 months before detection. It usually goes like this:
This process usually takes, on average, 6 months. That means there is, on average, 6 months of data stolen. Do the maths for your business: how many transactions do you process in 6 months? Multiply that number by EUR 18 and you start to get the scale of the potential liabilities your business could face in the typical scenario.
Self-Notification, on the other hand, can reduce that liability by up to 50%.
Well, firstly, you need to have a very good idea of what is happening on your website. We're not talking about Google Analytics. We're talking about good security monitoring:
If you have these kinds of security checks and balances taking place multiple times per day on your website, you will pick up attacker activity very quickly. If you are checking daily and notice an attack or a compromise of payment data, you bring the average time to identify a breach down from 6 months to less than 24 hours.
This enables you to Self-Notify and limit your liability. Added to this, if you do have daily checks, then the most you are likely to lose is 1 day of transaction data - compared with the average of 6 months. That is a significant improvement.
Self-Notification involves calling your bank and letting them know you have had an incident. Follow this up with an email outlining what you found and what you are doing to fix the issue. Your bank will then manage the notifications with the card brands on your behalf.
Firstly, understanding the security posture of your website is useful. Go to webscan.foregenix.com to run a free scan against your website to identify any known issues, externally visible malware and indicators of compromise.
It's free - you can run the scan anonymously for a summarised on-screen report, or you can enter your email and we will send you a more detailed PDF report with recommendations.
Secondly, if you would like to do some further reading on the appropriate security controls for securing a website, we have a free ebook available for download: