Have you ever wondered what happens if your e-commerce site is breached?
Usually, when you think about data breaches, you think about big enterprise websites. Does that mean that big brands are the ones who suffer the most from data breaches? Actually not.
Recently, Trustwave put out a report that states approximately 90% of breaches impact small merchants.
Here are the top 3 compromised industries:
1. Retail – 45%
2. Food and Beverage – 24%
3. Hospitality – 9%
This graph shows the top 3 industries compromised through vulnerabilities that allow attackers to steal data; however, bear in mind that any website could become a victim.
For larger websites, PCI standards show that the average cost for a breach is 4 million dollars, whereas the average cost of a data breach for small businesses can be over $36K. There are also non-monetary costs involved, including time and resource allocation.
Why is a Data Breach that Expensive?
Before we start discussing the cost factors for a data breach, we would like to make sure that you know what PCI standards are and what you can do to become PCI Compliant. We have a series of posts about PCI Compliance that you can use as a reference.
Here are some data breach cost factors:
Mandatory Forensic Examination
PCI DSS requires merchants that are suspected of having suffered a data breach to undergo a mandatory forensic examination.
According to Verizon Business, a small business examination may cost between $20K and $50K.
Notification of Customers
If financial information is suspected of being compromised, most states require that customers be notified.
The University of North Carolina at Chapel Hill stated that a 2013 data breach of 6K records cost the school nearly $80,000 in working with affected parties. In this case, the people affected by the breach received notification letters explaining that their sensitive data had been compromised.
Notification laws were enacted after a surge of breaches of consumer databases containing personally identifiable information (PII).
In 2002, the first law requiring customers to be notified after a data breach, the California data security breach notification law, was passed. Since then, as of April 12, 2017, NCSL.org reports that 48 American states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private, governmental or educational entities to notify individuals of security breaches involving personally identifiable information. What all of these laws have in common is that:
Companies must immediately disclose a data breach to customers, usually in writing.
Affected Customer Credit Card Monitoring
If you experience a breach, you may need to provide up to a year’s worth of credit monitoring and/or counseling services to the customers affected by it.
For example, Target had a data breach in 2013 and after that, offered a year of free credit monitoring to affected customers.
PCI Compliance Fines
In 2011, 96% of the merchants experiencing a data breach had not complied with the Payment Card Industry Data Security Standard (PCI DSS), which means that these merchants did not follow the requirements of the information security standard for organizations that handle credit cards.
Here is an overview of the PCI DSS Goals and Requirements:
If the forensic investigation shows that your business was not in compliance, heavy fines could be levied against you.
According to pcicomplianceguide.org:
The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine along until it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees.
Liability for Fraud Charges
Many merchants assume they have no liability for a data breach. This is not necessarily the case. Lawsuits may seek to hold merchants liable for security breaches; in other words, merchants can be held responsible for a security breach.
It is important to emphasize that protecting your customer’s sensitive information is your responsibility as a business owner. That is why having a secure website is vital to having a good online posture.
Credit Card Replacement Costs
Merchants may be required by card issuers to pay the cost of reissuing cards to customers.
According to the Consumer Bankers Association, the actual cost to replace a credit or debit card includes:
- the card itself,
- informing consumers of a card reissuance,
- shipping and activating the card,
- supplemental communication via call centers and the internet.
These fees can range from $3 to $10 per card.
POS System Improvements
Depending on the source of the breach, you may have to invest in upgrading or replacing your point of sale system (POS).
A POS system usually includes:
- debit/credit card swipe devices.
Reassessment for PCI Compliance
In order to qualify to accept cards again, a complete PCI assessment by an external Qualified Security Assessor (QSA) must be performed.
Qualified Security Assessor (QSA) companies are qualified to validate a vendor’s adherence to the PCI Data Security Standard (PCI DSS). They perform a complete assessment of a company that handles credit card data against the control objectives of the PCI DSS.
The cost of the reassessment can vary according to the chosen QSA.
There are also non-monetary damages that can be very hard on you as a vendor. A recent study conducted by Ponemon Institute shows that:
- 57% of people lost trust and confidence in the organization after a data breach.
- 31% of people terminated their relationship with the organization after a data breach.
- 75% of executives said that a data breach had an impact on the business’ reputation.
We can also consider other side effects. Imagine that one of your clients has a big social media presence; they could negatively impact your brand by spreading the message that their credit card was used fraudulently after purchasing from you.
The damage to your brand reputation can take years to rebuild, if it can be rebuilt at all. Unfortunately, many companies that suffered serious data breaches have had their reputation stained for good.
Loss of payment card privileges
If you are found to be in violation of PCI DSS, your business can be prohibited from accepting credit cards such as Visa or MasterCard, which would have a huge negative impact on any e-commerce website. Not being able to accept credit cards can put a vendor out of business very quickly.
Loss of time
Sometimes the amount of time you lose allocating your resources to deal with a data breach can feel worse than the financial loss itself. Think about the amount of time you would not be able to spend doing your work and building up your brand if you need to focus on remediating a security breach.
Even though it is very hard to quantify your time, you would need to account for the time spent on:
- reacting to the data breach,
- understanding what happened,
- dealing with legal issues,
- taking other remediation measures.
It is not an easy task to quantify all of the impacts of a data breach on an e-commerce website. The main objective of this post is to get you thinking about the importance of having a secure website. There will be more posts about e-commerce security, so feel free to subscribe to our blog feed so you don’t miss any of them.