“Data breach protection” are three words that should be foremost in the minds of all businesspeople who operate on the Internet. Recent statistics on the tremendous costs faced by merchants who experience a data breach underscore the fact that the stakes are just too high for breach protection to be relegated to your “to do” pile.
What is a data breach?
Simply put, a data breach occurs when a person’s private identifying information — name, address, email address, Social Security number, driver’s license number and/or financial, credit or debit card data — is put at risk either electronically or on paper.
Electronic data breaches take many forms including hacking, malware, spyware, skimming, an insider breach or the physical loss of the card or a device like a computer, laptop or CD. While the type of data breach may vary, they all have one thing in common: Unencrypted personal identifying information falls into jeopardy in the hands of thieves or fraudsters.
In its 2011 U.S. Cost of a Data Breach Study, the Ponemon Institute presents the findings of its seventh annual benchmark study concerning the cost of data breach incidents for U.S. – based companies. It examined 49 data breach cases with a range of nearly 4,500 to 98,000 affected records, from 14 different industries ranging from finance to retail and transportation.
For the first time in seven years, the Ponemon study reports a decline in both the organizational cost of data breach and the cost per lost or stolen record. The organizational cost has declined from $7.2 million to $5.5 million and the cost per record has declined from $214 to $194.
It’s important to note that the cost figures laid out in the Ponemon study reflect a long list of data breach factors that many vulnerable businesses may not consider. Among them: expensive breach-related outlays for detection, escalation, notification and response; legal, investigative and administrative expenses; penalties and fees; customer defections; reputation management; lost opportunities; and customer support costs like information hotlines and credit monitoring subscriptions.
The genesis and biggest cost of many breaches is due to negligence. More than a third of the breaches Ponemon studied were as a result of lost or stolen devices, including laptops or USB thumb drives that contained confidential or sensitive information. In addition to malicious attacks, negligent insiders are the main cause of data breach.
On a positive note — the recent decline suggests that organizations represented in this study have improved their performance in both preparing for and responding to a data breach. It reveals more organizations are using data loss prevention technologies and fewer records are being lost in these breaches.
The Ponemon Institute concludes that its research “supports statements by leading industry and government experts who advocate proactive, automated data protection in addition to written policies, procedures and training.”
Data Breach Protection
All businesses that deal in credit or debit cards and/or electronic fund transfers — regardless of size, experience and transaction volume — can become the victim of a security breach. It follows, then, that they all need data breach protection.
Unlike Canada and countries in the European Union where strong data protection acts have been in effect for years, the United States government has not highly legislated or regulated data privacy; however, 46 states and the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information.
Partial federal regulations exist that govern the acquisition, storage and use of personal data in this country, but it’s up to individual merchants and businesses to proactively implement data breach protection programs. It is their responsibility to provide policies and technologies to shield both the business and its customers from the potentially devastating fallout generated by a security breach.
Data Breach Protection Best Practices
One of the first and best steps to take to protect yourself, your business and your customers from a data breach is to adhere to the Payment Card Industry Data Security Standard (PCI DSS); this is known as being in PCI compliance, or PCI compliant. The requirements of PCI DSS are focused on boosting security for the storage, transmission and processing of cardholder data.
Beyond PCI compliance, businesses should strive for the tightest security possible against fraud and other data breaches by using standard and advanced detection and prevention tools like those offered by Merchant Express® through Transaction Express®. Transaction Express’s secure processing platform is fully PCI compliant, and member merchants have access to fraud prevention tools including Address Verification Service (AVS) and Card Security Code (CVV2/CVC).
Transaction Express also offers multiple interface options that allow merchants to choose their preferred method for submitting and processing payments securely. The optional Tokenization service hosted payment page reduces your PCI burden by eliminating the need to store sensitive card data by only sending back minimal information such as a transaction ID, reference ID and authorization code.
Other best practices to protect your system against a data breach include:
- Using AIM to connect to the payment gateway, enabling you to host your own secure payment form and submit transactions using an end-to-end secure sockets layer (SSL) connection.
- Maintaining your API Login ID and Transaction Key to validate your access and authenticate transactions to the payment gateway.
- Changing your user account password, along with your secret question and answer, every 45 to 60 days as a safeguard.
- Using a third-party solution, such as certified Transaction Express integrated shopping cart technology, to maintain the strictest security standards for submitting transactions to the payment gateway.
- Requiring and validating complete order information — including a full address and phone number — for every order before shipping.
- Monitoring your transactions, particularly those from abroad, with an eye towards potential fraudulent practices, including a higher-than-usual number of transactions or transaction amounts or orders where the billing and delivery addresses do not match.
Computers can be a weak link that contributes to a data protection breach. Standard computer security best practices include:
- Installing a firewall (hardware or software) to monitor external connections.
- Using anti-virus software that’s regularly updated, and downloading and installing all service and security updates in a timely fashion.
- Storing sensitive and/or confidential information (such as credit card numbers) separate from Web servers in an encrypted database that is not connected to the Internet. Transaction Express member merchants who do not want to collect or store sensitive payment data on their own systems can link to a Secure Hosted Payment Page and replace Permanent Account Numbers (PANs) with tokens for reduced data breach risk.
- Sharing access to network drives and individual computers only when and with users who are absolutely necessary.
- Avoiding sending or requesting confidential information via insecure methods such as email or online chat sessions. If you receive such a request, always confirm the request by phone before responding.
Make no mistake — data breach protection is your first and best line of defense against online fraud. Make it your top priority to protect your bottom line. Start by consulting with a Merchant Express representative about breach data protection through Transaction Express.