Keeping on the right side of the regs

Mon Oct 30 2017

The rules and regulations around online security change from time to time, and naturally it’s important for merchants to stay up to date. But there are currently some big changes on the way that are making that more important than ever.

There’s no point beating about the bush. If you fall foul of the new rules, the impact could be devastating.

What's happening

The first major change concerns the fines the card schemes (Visa, MasterCard, etc.) issue when merchants lose card data in a security breach. These have increased this year.

The fine structures vary between card schemes and the amount of data that is lost, but let’s take one example. Say a business loses card and CVV numbers for 46,706 Visa and 28,336 MasterCard customers. Under the old policies, the business would have paid just over £35,000 in penalties. The new ones will see them pay over £134,000.

How fines for data breaches could really hit home

Type of cost                                                                  | What that means
------------------------------------------------------------------------------|----------------------------------------------------------------------------
Visa penalty                                                                  | Based upon Visa cards impacted and business turnover, capped at 5%
Visa management fee                                                           | This is a new fixed penalty
MasterCard penalty                                                            | There's no fee, as fewer than 30,000 MasterCard accounts were affected
Forensic investigation costs                                                  | Based on the average cost of a full investigation
Post-breach compliance report signed by a Qualified Security Assessor (QSA)   | Also based on average costs
Additional costs depending on business                                        |
As a breakdown, an initial baseline fine of several thousand pounds will be accompanied by a fine of €18 per card where the number and CVV number was lost. If just the card number is lost, then it’s €3 per card.

To put that into perspective, what would have been an £80,000 fine under the old regime could turn into a £1.2m fine. That’s potentially life-threatening for a small business.

If you are breached but are PCI-DSS compliant and you notify the card scheme yourself, you may get some of the fine discounted. But it’s another reason why it’s a good idea to use a hosted payment page rather than process card data yourself.

There’s more than card data to think about

There’s a lot more than card data at risk from a cyber attack, and the forthcoming EU data protection regulation is likely to make losing that a significantly greater headache than it currently is.

That’s because companies that suffer a breach where personally identifiable information is lost will have to make it public by notifying the relevant authorities. That alone will mean companies have to be much more aware of this stuff.

But on top of that, the EU will also introduce stiffer penalties that could be up to 4% of a breached merchant’s global revenue. And I have no doubt that very significant fines will be applied.

The aim of these heavy fines and threats of unwanted publicity, of course, is to make businesses up their game in the fight against the criminals. And hopefully that will mean we’ll see fewer data privacy breaches.

But one thing we do know is that the criminals will keep going. Merchants not only have to be engaged, they have to stay engaged. It’s not something to be thought about once and then forgotten.

Ensuring software is up to date, making sure security settings remain turned on and monitoring transactions closely are all important, as is keeping an eye out for anything unusual happening on the website. Simply staying abreast of developments can help merchants to be more aware of the dangers too.

And, of course, they should keep talking to their payments provider for guidance.

Speak to us today to find out how we can help your business – 0800 046 6814*
