The rules and regulations around online security change from time to time, and naturally it’s important for merchants to stay up to date. But there are currently some big changes on the way that are making that more important than ever.
There’s no point beating about the bush. If you fall foul of the new rules, the impact could be devastating.
The first major change concerns the fines the card schemes (Visa, MasterCard, etc.) issue when merchants lose card data in a security breach. These have increased this year.
The fine structures vary between card schemes and the amount of data that is lost, but let’s take one example. Say a business loses card and CVV numbers for 46,706 Visa and 28,336 MasterCard customers. Under the old policies, the business would have paid just over £35,000 in penalties. The new ones will see them pay over £134,000.
How fines for data breaches could really hit home

| Type of cost | Amount | What that means |
| --- | --- | --- |
| Visa penalty | £108,776.90 | Based upon Visa cards impacted and business turnover, capped at 5% |
| Visa management fee | £2,197.07 | This is a new fixed penalty |
| MasterCard penalty | £0.00 | There's no fee as fewer than 30,000 MasterCard accounts were affected |
| Forensic investigation costs | £12,000 | That's based on the average cost of a full investigation |
| Post-breach compliance report signed by a Qualified Security Assessor (QSA) | £12,000 | Also based on average costs |
| Additional costs depending on business | | |
To put that into perspective, what would have been an £80,000 fine under the old regime could turn into a £1.2m fine. That’s potentially life-threatening for a small business.
If you are breached but are PCI-DSS compliant and you notify the card scheme yourself, you may get some of the fine discounted. But it’s another reason why it’s a good idea to use a hosted payment page rather than process card data yourself.
There’s more than card data to think about

There’s a lot more than card data at risk from a cyber attack, and the forthcoming EU data protection regulation[1,2] is likely to make losing that a significantly greater headache than it currently is.
That’s because companies that suffer a breach where personally identifiable information is lost will have to make it public by notifying the relevant authorities. That alone will mean companies have to be much more aware of this stuff.
But on top of that, the EU will also introduce stiffer penalties that could be up to 4% of a breached merchant’s global revenue. And I have no doubt that very significant fines will be applied.
The aim of these heavy fines and threats of unwanted publicity, of course, is to make businesses up their game in the fight against the criminals. And hopefully that will mean we’ll see fewer data privacy breaches.
But one thing we do know is that the criminals will keep going. Merchants not only have to be engaged, they have to stay engaged. It’s not something to be thought about once and then forgotten.
Ensuring software is up to date, making sure security settings remain turned on and monitoring transactions closely are all important, as is keeping an eye out for anything unusual happening on the website. Simply staying abreast of developments can help merchants to be more aware of the dangers too.
And, of course, they should keep talking to their payments provider for guidance.