SecurityMetrics Blog

PCI – You Don’t Have to be Perfect


Breach protection helps fill in security gaps after compliance.

By Giles Witherspoon-Boyd, Strategic Accounts Manager
Please raise your hand if you've ever felt intimidated by PCI compliance. You're not alone. It's a tall order to be 100% compliant with up to 270 items on a PCI Self-Assessment Questionnaire. What if you misunderstand a requirement? What if you accidentally miss something? Well, there's good news: you don't have to be perfect.

The purpose of the PCI DSS is to address a business's most glaring security errors. For the errors that slip through anyway, whether accidental or simply missed, breach protection helps mitigate a business's financial risk. The purpose of breach protection is not to change your attitude toward PCI or to let you abandon PCI requirements, but to act as a failsafe.

When every other PCI security control has been followed to the best of your ability, breach protection exists to absorb the financial hardship your business might endure in the aftermath of a compromise.


The real cost of a breach

Speaking of breaches, the $5,000 to $50,000 compromise fine assessed by most merchant processors is only the beginning of the penalties that follow a data breach. Other costs may include:
  • A required forensic investigation, from $12,000 to $100,000
  • Onsite assessments by a certified Qualified Security Assessor (QSA) for years following the breach, from $20,000 to $100,000
  • An increase in monthly card processing fees
  • Annual credit monitoring services for compromised customers
  • Card re-issuance penalties, from $3 to $10 per card
  • Customer fraudulent charge reimbursement
  • Federal/municipal fines
  • Brand damage, especially if negligence was involved
  • Legal fees and damages if customers initiate a class-action lawsuit

Most breach protection programs cover costs relating to a card data compromise up to a financial limit (e.g., $100,000). The best programs cover all compromise expenses tied to the PCI DSS and HIPAA data security standards, and some offer discounts to businesses that are already PCI compliant.

Beware of breach protection programs that define covered industries narrowly, or that allow the money to be spent only on specific fines and penalties rather than on the full range of costs listed above.

Breach protection makes the most financial sense when combined with tools that reduce actual risk, such as internal scanning tools that find stored card data so it can be removed, and strong policies that help prevent data loss. Some breach protection programs include such tools.
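To show what a card data discovery scan actually does, here is an added example (not code from SecurityMetrics or from the original post): it sweeps text for digit runs that look like a primary account number, confirms each candidate with the Luhn check that every real PAN passes, and reports masked hits with line numbers so the data can be located and purged. The sample log lines are constructed and use publicly known payment-sandbox test numbers, not real cards; the function and variable names are this example's own.

```python
import re

# Constructed sample input: an order log that should never hold full PANs.
# The card numbers are well-known sandbox test values, not real accounts.
SAMPLE_TEXT = """
order_id=1001 pan=4111111111111111 exp=12/27
order_id=1002 pan=4111 1111 1111 1112 exp=01/26
order_id=1003 note=call 555-0123-4567 for details
order_id=1004 pan=5555-5555-5555-4444
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not glued to other digits on either side.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep the first six and last four digits, the usual PCI-safe truncation."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return masked, Luhn-valid PAN candidates with the line they appear on."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            line_no = text.count("\n", 0, m.start()) + 1
            hits.append({"line": line_no, "masked": mask(digits), "length": len(digits)})
    return hits


if __name__ == "__main__":
    for hit in find_pans(SAMPLE_TEXT):
        print(f"line {hit['line']}: {hit['masked']} ({hit['length']} digits)")
```

Running this on the sample finds the two valid PANs (lines 2 and 5) and ignores the phone number and the number on line 3 that fails the Luhn check; the report never contains the full PAN, which matters because the scanner's own output would otherwise become new stored card data in scope.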


How much does it cost?

The cost and coverage of breach protection vary by provider. As one example, SecurityMetrics Assurance includes a card data discovery tool, a data protection policy, and security consulting, and covers $100,000 in the event of a breach. It is available for as low as $99 per year per merchant ID.

Did this post help you? Let me know @Gileswb

Giles Witherspoon-Boyd (PCIP) is Strategic Accounts Manager at SecurityMetrics and assists businesses in defining their PCI DSS scope.
