What would a credit card breach cost your company?
We’ve noted recently that many companies store credit card information in an unencrypted form, sometimes several years' worth. So what happens if your systems get hacked before you get around to securing that credit card data? Sure, there’s the embarrassment of telling your customers their data has been exposed (a legal requirement in more than 40 states), but what about the hit to the bottom line, the cost in dollars and cents (or euros or pounds, etc.)?
Small businesses increasingly conduct payment card transactions online, a trend that will grow in the coming year. Also, many small businesses don’t have access to trained staff who might have more sophistication in securing a payment system, a fact that hasn’t escaped the scammers’ attention. Attacks on larger organizations are much more likely to be met with sophisticated defenses, but small and medium-sized organizations simply may not have the budget for a dedicated security specialist, or for specialized security equipment to guard against a breach.
But if they can’t afford the dedicated staff or specialized equipment, they can hardly afford the expense of a breach either. So if it happened to your company, what would it cost? Tracy Reed, of Copilotco, was asked to tell a company just that. Although some of Reed's data points are in 2009 dollars, inflation isn’t your friend. Whatever the 2011 numbers are, this dataset is a sobering picture of just how much a breach might cost.
“According to Gartner the average loss to the customer is $939 per credit card,” says Reed, “So if your company has transacted roughly 65,000 cards, half of which would theoretically still be current and valid at the time of a breach, the reimbursement costs of the fraudulent charges to the cards alone would be $15,258,750.” Reed adds, “The card companies further charge to replace compromised credit cards.” Costs to a merchant can be as much as $50 per card. The banks themselves have a card replacement cost that ranges from $2 to $5 per card. Reed put the merchant cost in this scenario at $812,500.
After the notifications, charge-offs, and card replacement comes a security audit. About this Reed says, “The card companies will require a forensic audit of the systems to determine how the compromise happened. According to Security Metrics, the cost of a forensic audit starts at $50,000.” Rounding out the audit costs, he continues, “After an intrusion a company is then classified as a Level 1 merchant and is subject to the strongest security and audit procedures. This means an annual on-site audit which will typically cost $100,000.”
And then there are the fines. Tracy says, “Major payment brands can impose fines as a result of the data exposure. Fines can be as high as $500,000. Non-compliance is a major determining point whether fines will be imposed.”
All told, that’s a bill of $16,471,250. Let’s say he’s only half right; your expenses would “only” be the cost of a nicely equipped mid-size business jet and all the entertainment for your staff after you fly them to Cancun in style. You could probably pay for the ride home too, along with all the umbrella drinks for the week.
We haven’t yet spoken about the brand damage. A while back I read that Sony’s data breach costs topped $171 million and were still rising. Let’s just say it would cost your company dearly. Now, what would it cost you to protect your systems? A few extra developer hours? Maybe some system administrator time? That suddenly seems very cheap, and your customers would agree. That sort of thing would make everyone happier, and a lot less stressed in the new year, though you still may have to spring for staff bonuses to get everyone to Cancun. But you can make them pay for the drinks.