Most people generally understand what happens after a data breach: the crooks use or sell the information to make a quick profit, and organisations must spend money recovering from the incident and paying legal fees and penalties.
But that’s only an overview. In this blog, we continue our discussion of the ongoing threat of debit and credit card fraud by looking at the financial effects of payment card breaches – from both cyber criminals’ and organisations’ perspectives. We also look at how the PCI DSS (Payment Card Industry Data Security Standard) gives organisations all the information they need to prevent attacks.
Stolen information is worth less than you might think
When cyber criminals steal payment card data in bulk, the information usually ends up for sale on the dark web for as little as $15 (about £11) per card. This is substantially less than what the card is worth to the buyer: criminals can typically make 50 times that from each card.
So why is the information so inexpensive? The reason is that sellers are eager to unload the information quickly and the criminal underworld is flooded with stolen payment card details. For evidence of that, you only need to look at how many card-related data breaches there have been in the past year.
Things change slightly when the stolen data contains rarer information. CVV numbers (the three or four digits on the back of cards), National Insurance numbers and answers to the card owner’s secret question (such as their mother’s maiden name) all increase the information’s value – but not by much. The value of payment card details generally tops out at about $30 (£23) per card.
The cost for organisations
The financial costs for breached organisations vary based on several factors. The size of the breach is the most important, but the affected payment channel, the number of servers and how those servers are interconnected also play an important role.
There is also the cost of the breach response. Organisations will need to notify their regulator and affected parties. If they have planned for a breach, this will be less expensive than having to do it on the fly. The same is true if they intend to create a help page on their website and a phone line for customers to use to learn more about the incident.
Organisations will probably also be required to cover the cost of a forensic investigation. A PCI Level 2 investigation will cost about £25,000–£50,000, and a Level 1 investigation will cost upwards of £100,000.
Depending on the investigation’s findings, organisations might face tough disciplinary action. Fines for non-compliance are levied on the payment processors or card companies rather than the breached organisation. However, the processors can recoup the money from the offending organisation or refuse to continue doing business with them.
Payment card breaches might also be considered punishable under the EU GDPR (General Data Protection Regulation). If so, supervisory authorities can impose fines of up to €20 million (about £17 million) or 4% of annual global turnover, whichever is greater.
Stay secure with the PCI DSS
Organisations can ensure they are doing everything possible to avoid a breach by following the requirements of the PCI DSS.
Unveiled in 2004, the PCI DSS is the result of a collaboration between major credit card brands (American Express, Discover, JCB, Mastercard and Visa) and aims to facilitate the broad adoption of consistent data security measures involved in payment card processing. It provides a detailed list of best practices for staying secure. As a general guideline, any merchant or service provider that stores, processes or transmits cardholder data is required to comply.
Download our PCI DSS green paper
Security testing and the PCI DSS unpacks the complexities of the Standard, and helps organisations understand how they can achieve and maintain compliance.
Download this free green paper to receive practical guidance on how to test the security of your systems and processes, and better protect the payment card information you store.