Major breaches like TJX have been widely publicized, but breaches at smaller businesses have received very little attention. This is because information about these smaller incidents has been very hard to come by, for two reasons.
First, not all states have disclosure laws requiring merchants to disclose breaches, and second, the Card Associations are not required to disclose individual cases. For this reason, I thought Robin Sidel's recent WSJ article, "In Data Leaks, Culprits Often Are Mom, Pop", where an actual breach is analyzed, was very helpful in putting the costs and risks of smaller breaches into perspective. Robin, if you're willing to share some of your journalistic research tricks about finding this sort of information, I'm all ears! Here are some of the highlights:
- Since 2005, more than 80% of the credit card breaches have occurred at small businesses.
- Since October of 2006, Visa has levied $3.3 million in fines for non-compliance.
- MasterCard did not disclose their fines but I bet Robin could find them!
- Lodi Beer, a microbrewery and restaurant in California, had unknowingly stored 11,728 credit card records in its point of sale system. Track data from the credit card's magnetic stripe must not be stored. When that data was breached, Visa and MasterCard fined Abanco, the restaurant's merchant account provider, $27,000. Abanco in turn passed that fine on to the restaurant. In addition to the fines, this merchant has spent over $50,000 in remediation costs, legal fees, upgrades, etc. That is a huge amount of money for a small business.
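The Lodi Beer case turned on track data sitting in a POS database that nobody knew was there. As an added example (not from the original post or the WSJ article), here is a small audit check a merchant or acquirer could run over exported POS records to find magnetic-stripe track 1 / track 2 images before an assessor or an attacker does; the records below are constructed, and the card numbers are the well-known test PANs.

```python
import re

# Track 2 layout: ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d*\?")
# Track 1 layout: '%B' PAN '^' NAME '^' YYMM service-code discretionary-data '?'
TRACK1 = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^(\d{4})(\d{3})[^?]*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; filters out order ids that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits so the report itself is safe to keep."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(record: str):
    """Return (track, masked_pan, expiry) for every stripe image found in one record."""
    hits = []
    for track, rx in (("track1", TRACK1), ("track2", TRACK2)):
        for m in rx.finditer(record):
            pan, expiry = m.group(1), m.group(2)
            if luhn_ok(pan):
                hits.append((track, mask_pan(pan), expiry))
    return hits


def scan_records(records):
    """Scan a batch of stored records; returns (record_index, hit) pairs."""
    return [(i, hit) for i, rec in enumerate(records) for hit in find_track_data(rec)]


# Constructed sample of stored POS transaction records (test card numbers only).
SAMPLE_RECORDS = [
    "2011-05-03 12:31 sale ;4111111111111111=2512101123456789? amt=42.10",
    "2011-05-03 12:35 sale %B5555555555554444^DOE/JANE^2512101123456789? amt=18.00",
    "2011-05-03 12:40 sale ;1234567890123456=2512101? amt=9.50",
    "2011-05-03 12:44 sale last4=4444 auth=OK amt=7.25",
]

if __name__ == "__main__":
    for idx, (track, pan, exp) in scan_records(SAMPLE_RECORDS):
        print(f"record {idx}: {track} data present, PAN {pan}, expiry {exp}")
```

The third record matches the track 2 pattern but fails the Luhn check, so it is not reported; the fourth stores only the last four digits, which is the kind of record a POS system should be keeping.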
There are a few interesting things to note about PCI Compliance and small businesses. First, in trying to get merchants compliant, Visa, MasterCard and the other card brands have put the responsibility squarely on the merchant acquirer (aka the processor or merchant account provider). They've successfully done this with a policy of making them responsible for paying fines when breaches occur.
The second interesting thing to note is that while these merchant acquirers are responsible for fines, they will almost always pass whatever they're fined onto the merchant. Finally, if merchants are ultimately responsible for the fines, it would be helpful if they could get a heads up as soon as possible so they could act accordingly.
To this end, I know acquirers have been trying to reach out to their merchants. One strategy has been including warning messages on monthly processing statements, which are never read anyway because merchants gave up long ago trying to read those indecipherable things. I've seen others announce, again via monthly statements, the availability of educational conference calls to explain the risks and the process of becoming compliant.
I'm not critiquing the outreach, rather just highlighting the difficulties small businesses face in gaining a proper understanding of what they have at risk. The owner of Lodi Beer said it best: "All someone had to do is tell us you can't do that. We would have changed it." Any way you look at it, helping 7 million businesses become compliant, 85% of which are small businesses, is a tall order.
Other related posts:
- PCI Compliance and the cost of a credit card breach
- PCI Compliance basics for credit card security
- Braintree solutions: Simplified PCI Compliance through remote storage of credit card data