What To Do In The Event Your Small Business’s Data Has Been Compromised
The article content is provided with our sponsor, Bank of America Merchant Services.
As anyone who follows the news already knows, attackers breaking into business networks to steal consumer payment card data has become alarmingly common. Beyond the damage to its systems, a business that suffers a data breach can also face significant fines and a loss of consumer confidence, especially if it handles the public disclosure of the breach poorly. Here is a checklist small business owners should use in the event of a data breach.
Contain The Situation
Just like any other emergency, your business should have a plan of action in place before a data breach occurs. Many experts recommend assigning a specific individual at your company, or your IT expert (internal or external), to handle a data breach. When one occurs, that person can identify the nature of the intrusion, take the appropriate measures to contain it, create a verified forensic disk image of the affected servers as they were at the time of the breach, and only then take the servers offline for rebuilding. Isolating a compromised server from the network is usually preferable to powering it off immediately: shutting it down discards evidence held only in memory (active connections, running processes), and rebuilding or wiping a server before it has been imaged destroys the evidence investigators will need. Once the immediate situation is under control, the same person should find out how the intrusion happened and close that gap so the same kind of breach is far less likely to recur. Having a data breach response plan at the ready can limit damage to your company's digital infrastructure. Then, when law enforcement and regulatory officials review your data breach, you will be better able to demonstrate that you acted swiftly to contain the situation.
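The imaging step in that plan, as an added example that is not part of this article or of Bank of America Merchant Services' material: a small bash script that copies a disk sector by sector into an evidence directory, records a SHA-256 digest and an acquisition log beside the image, and can later confirm the image has not been altered. It assumes a Linux host with GNU or BusyBox `dd` and `sha256sum`, root access to read the device, and that the source device path, evidence directory and case identifier are passed as arguments; those names (`image_disk`, `verify_image`, `CASE-001`) are invented for the example.

```bash
#!/usr/bin/env bash
# Added example, not from the article: acquire a forensic disk image before the
# server is shut down or rebuilt, and keep hashes so the copy can be shown to be
# unaltered later. Assumes Linux, dd, sha256sum, and root access to the device.

# image_disk SOURCE_DEVICE EVIDENCE_DIR CASE_ID
# Writes EVIDENCE_DIR/CASE_ID.img, CASE_ID.img.sha256, CASE_ID.dd.log and CASE_ID.log.
image_disk() {
    local src="$1" dir="$2" case_id="$3"
    local img="$dir/$case_id.img" img_hash

    mkdir -p "$dir"

    # ibs=512 reads one sector at a time so that conv=noerror,sync only pads a
    # genuinely unreadable sector with zeros instead of aborting the whole copy;
    # a large bs with conv=sync would also pad a short final block and change the
    # image size. obs=4M keeps writes efficient. dd's own record counts and any
    # read errors go to a separate log that is kept with the evidence.
    dd if="$src" of="$img" ibs=512 obs=4M conv=noerror,sync 2>"$dir/$case_id.dd.log"

    # Hash the finished image (on a live server the source disk keeps changing,
    # so the image's digest is the authoritative one) and store it in the
    # sha256sum checklist format so it can be re-verified with sha256sum -c.
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    printf '%s  %s\n' "$img_hash" "$(basename "$img")" >"$img.sha256"

    # Minimal chain-of-custody record: what was imaged, where, when and by whom.
    printf 'case=%s\nsource=%s\nimage=%s\nacquired_utc=%s\nacquiring_host=%s\nimage_sha256=%s\n' \
        "$case_id" "$src" "$img" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)" "$img_hash" \
        >"$dir/$case_id.log"

    # Evidence files are read-only from here on.
    chmod 0400 "$img" "$img.sha256" "$dir/$case_id.log" "$dir/$case_id.dd.log"
}

# verify_image IMAGE: exit status 0 if the image still matches its recorded digest.
verify_image() {
    local img="$1"
    ( cd "$(dirname "$img")" && sha256sum -c "$(basename "$img").sha256" >/dev/null 2>&1 )
}

# Typical use, run as root on the compromised host before it is taken offline:
#   image_disk /dev/sda /mnt/evidence CASE-001 && verify_image /mnt/evidence/CASE-001.img
```

Write the image to a separate drive or a mounted share, never to the disk being imaged, and hand the `.sha256` and `.log` files over with the image; whoever receives it can re-run `verify_image` to confirm nothing changed in transit.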
In the event of a data breach, you will need to notify law enforcement, the bank your business uses, and the company that processes your credit card transactions. As with any other crime, notify law enforcement as soon as you are aware the breach has occurred so that they can begin their investigation immediately. Notify your bank and credit card processor just as quickly so they can start their own data breach procedures, which typically include monitoring the affected card numbers for fraud.
Verifying Your PCI DSS Compliance
After making the appropriate notifications, you should find out whether your company was compliant with the Payment Card Industry Data Security Standard (PCI DSS) when the breach occurred. Developed by the major card brands as a way to curb payment card fraud, the PCI DSS spells out the specific measures merchants must take to secure customer card data. If the post-breach forensic investigation finds that your company was not PCI DSS compliant, it will be subject to significant fines passed on by your bank and your credit card processor. Fines for non-compliance range from $5,000 to $500,000. In addition, small business merchants may be charged between $50 and $90 for each individual cardholder whose data was exposed in the breach. For a small business this can obviously be a significant cost.
PCI DSS Fee Reduction
Since the fees associated with a breach of PCI DSS obligations can be so large, business owners would be wise to take every step they can to limit their liability. One such step is to become EMV®¹ compliant. A recent Bank of America Merchant Services white paper explains how merchants can reduce their PCI data breach fees by being EMV compliant.² Since up to 70 percent of U.S. credit cards are expected to be EMV compliant by the end of 2015, merchants should adopt EMV technology as soon as possible. One merchant benefit the white paper points out is that "the assessment and audit burdens should be reduced if substantial numbers of transactions are processed using EMV-enabled POS devices." The white paper also states that "some card networks also offer a reduction in overall fees associated with a merchant data breach if one occurs."
Making Public Disclosures
After securing your network and notifying the appropriate authorities, it is time to draft an announcement notifying the public of your data breach. Because 47 states and the District of Columbia have laws requiring that data breaches be disclosed to affected consumers, handling this disclosure properly is extremely important. As the Bank of America Merchant Services white paper notes, several recent high-profile retailer data breaches have made consumers wary of doing business with brands they perceive as insecure. You may therefore wish to include in your disclosure statement the steps you have taken to help protect your customers' card data, such as becoming EMV compliant. The paper goes on to explain that "consumer perceptions of what constitutes secure commerce are important, and if consumers grow to accept that reading a chip is more secure than swiping the magnetic stripe, retailers should be prepared to respond to this consumer preference."
¹ EMV is a registered trademark in the U.S. and other countries, and an unregistered trademark elsewhere. EMV® is a registered trademark owned by EMVCo LLC.
² Why You Should Adopt EMV® Chip Card Technology; Bank of America Merchant Services, Oct 2015
To learn more about data breaches, EMV and how they affect your business, visit http://merch.bankofamerica.com or contact a Bank of America Merchant Services business consultant.