Data Breach Liabilities - PCI Penalties, GDPR and a Warranty

The Foregenix Digital Forensics and Incident Response team is one of the most active PCI Forensic Investigation teams globally. According to banking partner sources in the UK and across Europe, we help more hacked eCommerce organisations with our forensic and incident response capabilities than all of our European competitors combined. The reason for telling you this is to make the point that we get to see emerging trends a lot earlier in the trend cycle due to the volume of hacked eCommerce websites that we are helping.

What we learn from all of these investigations is then passed on to our clients and partners to educate them in protecting their businesses from similar attacks.

The unique view that we have on early cybersecurity trends in the market has led us to create solutions that help small to medium sized eCommerce businesses protect themselves against the threats we're encountering daily. Two of the products we’ve developed are:

ThreatView

We monitor over 12 million websites globally for attack trends, vulnerabilities and risk of compromise. We can tell you very quickly if your website is at risk of being breached, or if it is already hacked. We provide this for free to use, enabling adhoc scans as well as ongoing monitoring of an eCommerce website for threats:  www.foregenix.com/threatview. 

Help yourself - it’s FREE with no strings attached - and uses the latest threat detection capability from our Threat Intelligence Group.

The Cost of PCI Data Breach

In conversations we have with clients and prospects, the subject often turns to the cost of a breach and what exactly could a small to medium business expect to pay. A considerable number of articles have been written over the years highlighting the cost of a data breach to small and medium sized organisations. Here are a couple of articles we’d recommend you reading:

• According to WorldPay/Vantiv, the average cost of a breach for small to medium sized organisations in the US is $117,000
• Dave Whitelegg - a respected UK-based security blogger posted an article showing how the costs can scale from fairly modest levels to significantly expensive
• Barclaycard has a fairly old - but useful - article they published on an example small eCommerce business breach costs
• Hiscox - a UK-based insurance company, conducted a study in late 2018 and found that the average cost of a breach for a UK SME business is £25,700.

Feedback that we have had from the card brands, acquiring banks and breached organisations is that the typical cost for a breach of an eCommerce merchant processing over 10,000 cards in a year is €18/card. When you factor in the average time between breach and detection being 5.5 months (based on our forensic team's experience), it is fairly easy to work out how many cards could have been stolen and what the associated costs could be.

As a first example, let’s imagine an eCommerce business was processing 60,000 transactions (let’s assume a unique card per transaction to keep it easy) in a year. And let’s assume the business was average in their capability to detect the hack.

• Transactions/year: 60,000
• Dwell time: 5.5 months
• No of cards stolen: 27,500
• Liability: €495,000

This excludes forensic investigation costs and any other potential fallout such as legal, PR, etc.

You can see how the numbers stack up quickly. Fortunately the card brands have favourable terms for businesses who identify the breach and notify their bank and the card brands quickly - in fact there are a few ways to get the cost down, but all require the victim to be proactive, to work with their bank and the brands and to sort out the breach quickly. Our advice would be to contact your acquiring bank to get more detailed information as this is not published publicly.

As a second example, let’s imagine a small eCommerce business, processing under 8,000 transactions (let’s assume a unique card per transaction again) in a year. Let’s assume again that they’re also average in their capability to detect the hack.

• Transactions/year: 8,000
• Dwell Time: 5.5 months
• No of cards stolen: 3,660
• Liability: for breaches of smaller organisations with eCommerce only channel, both card brands waive liability costs and an assessment charge of roughly €3,000 is charged to handle the incident by Visa. In addition, the organisation will be required to undergo an Acquirer Led Investigation (also known as an Alternate Acquirer Investigation) -there are specific qualifying criteria - check with your bank if you qualify - which will cost up to €5,000.  Total liability to expect: ~€8,000 (excluding legal etc)

A point to add to this is that no GDPR penalties have been factored into this article - there are a huge number of articles with information on the GDPR penalty structures. A good place to view the penalties issued by the ICO is: https://ico.org.uk/action-weve-taken/enforcement/

If you’d like to get  proactive about your website security and reduce the risk of a breach - you can create a free ThreatView Community Account to monitor your eCommerce website's security and risk status here: