The costs of a data breach
A single data breach can result in several types of financial damage. For instance, businesses might face penalties for noncompliance with the Payment Card Industry Data Security Standard (PCI DSS) and be required to reimburse issuing banks for the cost of replacing cards that may have been stolen from the business.
If a company suffers a breach in which 30,000 or more cards have been compromised, it may be required to retain a forensic investigator to help pinpoint where the breach happened and prevent future attacks, reports Monica Kennedy, merchant specialist executive at Bank of America. Merchants could also have to hire outside legal counsel to help manage the response to a breach and advise them on their obligations. Companies also may decide they need a PR firm to help with public announcements about the breach and to develop and execute campaigns to win back public trust.
The expenses can add up quickly: The average cost per lost or stolen record in a data breach is $164, reports IBM, with a mega breach of 1 million to 10 million records having an average total cost of $49 million in 2022. Globally, the average cost of a data breach is $4.35 million.[3]
What’s more, merchants with compromised data may also incur considerable reputational costs. “Customers lose trust in a business after a breach,” says Kennedy. “And canceling and replacing cards is a hassle and disruptive to their lives.”
Evolving solutions
New security threats often require solutions that bring several technologies into alignment. For example, even the more secure chip cards aren’t a cure-all, says Bradshaw. “But you can combine it with data encryption and tokenization to protect customer card data further,” she says. Tokenization — which retrieves credit card data using randomly generated one-time tokens — enables companies to remove credit card data from their internal networks, she says.
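To make the tokenization idea concrete, here is an added illustration (not code from Bank of America or from the article) of the pattern the paragraph describes: the merchant system keeps only a random token and a masked card number, while the full card number lives in a separate token vault. The `TokenVault` class, its `tokenize`/`detokenize` methods and the sample card number are all hypothetical; the sample number is a standard Luhn-valid test value, not a real card.

```python
import secrets
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: a cheap sanity check on a card number before tokenizing it."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form that keeps only the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Hypothetical token service: the only component that ever holds a full PAN.

    In a real deployment this runs outside the merchant's network and stores
    the PAN encrypted; a dict stands in for that here.
    """

    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        # Random token: carries no information about the PAN it maps to.
        token = "tok_" + secrets.token_urlsafe(18)
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        # One-time use, as the article describes: the mapping is removed
        # on first use, so a captured or replayed token is worthless.
        pan = self._store.pop(token, None)
        if pan is None:
            raise KeyError("unknown or already-used token")
        return pan


@dataclass
class MerchantRecord:
    """What the merchant's own systems store: no full card number anywhere."""
    token: str
    masked_pan: str


def merchant_store_card(vault: TokenVault, pan: str) -> MerchantRecord:
    """Merchant-side flow: hand the PAN to the vault, keep only token + mask."""
    return MerchantRecord(token=vault.tokenize(pan), masked_pan=mask_pan(pan))


if __name__ == "__main__":
    vault = TokenVault()
    record = merchant_store_card(vault, "4111111111111111")  # constructed test PAN
    print(record)                       # token and masked PAN only
    print(vault.detokenize(record.token))  # vault returns the PAN once
```

The security property to notice is in `MerchantRecord`: a compromise of the merchant's database yields tokens and last-four digits, and because the vault invalidates each token on use, the stolen tokens cannot be redeemed later.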
“Payment processors like Bank of America, which provide technology-based solutions to merchants, are developing a broad, holistic view of fraud activities to see and try to prevent both card-not-present and card-present crimes,” Fador says.
Examples of fraud solutions include:
Machine-learning systems that can track fraud before it occurs. Machine-learning software combs through company and online data to automatically identify characteristics of fraud. It looks for patterns in credit card use, identifies anomalies in those patterns and flags the anomalies as potential fraud activity.
Integrated card-not-present risk solutions. These may include account-takeover (ATO) protection, vertical-specific risk services, and one-time passcode (OTP), a protocol that requires customers to complete an additional verification step when paying, typically entering a number or password sent to their phone.
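The list above describes pattern-based fraud detection only in outline. As an added example (not Bank of America's system or any vendor's product), the script below builds a per-card spending baseline from historical transactions and then flags new transactions that deviate from it: an amount far outside the card's usual range, a country the card has never been used in, or too many transactions in a short window. The transactions, card tokens and thresholds are all constructed for the illustration; a production system would learn these thresholds from labelled data rather than hard-code them.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass
class Txn:
    txn_id: str
    card_token: str   # tokenized card reference, never the PAN
    ts: datetime
    amount: float
    country: str


def build_baseline(history: list[Txn]) -> dict[str, dict]:
    """Per-card profile from trusted historical transactions."""
    by_card: dict[str, list[Txn]] = defaultdict(list)
    for t in history:
        by_card[t.card_token].append(t)
    profile = {}
    for card, txns in by_card.items():
        amounts = [t.amount for t in txns]
        profile[card] = {
            "mean": mean(amounts),
            "std": pstdev(amounts) or 1.0,   # constant spend: avoid divide-by-zero
            "countries": {t.country for t in txns},
        }
    return profile


def score_transactions(profile: dict[str, dict], new_txns: list[Txn],
                       z_threshold: float = 3.0,
                       velocity_window: timedelta = timedelta(minutes=10),
                       velocity_max: int = 3) -> dict[str, list[str]]:
    """Return {txn_id: [reasons]} for every transaction that looks anomalous."""
    flagged: dict[str, list[str]] = {}
    recent: dict[str, list[datetime]] = defaultdict(list)
    for t in sorted(new_txns, key=lambda x: x.ts):
        reasons = []
        p = profile.get(t.card_token)
        if p is None:
            reasons.append("no spending baseline for this card")
        else:
            z = (t.amount - p["mean"]) / p["std"]
            if z > z_threshold:
                reasons.append(f"amount z-score {z:.1f} above {z_threshold}")
            if t.country not in p["countries"]:
                reasons.append(f"first use in country {t.country}")
        # Velocity: count this card's transactions inside the sliding window.
        window = [ts for ts in recent[t.card_token] if t.ts - ts <= velocity_window]
        window.append(t.ts)
        recent[t.card_token] = window
        if len(window) > velocity_max:
            minutes = int(velocity_window.total_seconds() // 60)
            reasons.append(f"{len(window)} transactions within {minutes} min")
        if reasons:
            flagged[t.txn_id] = reasons
    return flagged


# Constructed sample data: one card with a modest, stable US spending history.
_T0 = datetime(2022, 6, 1, 10, 0)
HISTORY = [
    Txn("h1", "tok_A", _T0 - timedelta(days=5), 20.0, "US"),
    Txn("h2", "tok_A", _T0 - timedelta(days=4), 25.0, "US"),
    Txn("h3", "tok_A", _T0 - timedelta(days=3), 30.0, "US"),
    Txn("h4", "tok_A", _T0 - timedelta(days=2), 22.0, "US"),
    Txn("h5", "tok_A", _T0 - timedelta(days=1), 28.0, "US"),
]
NEW_TXNS = [
    Txn("n1", "tok_A", _T0, 27.0, "US"),                          # normal
    Txn("n2", "tok_A", _T0 + timedelta(minutes=2), 950.0, "US"),  # amount spike
    Txn("n3", "tok_A", _T0 + timedelta(minutes=3), 24.0, "RO"),   # new country
    Txn("n4", "tok_A", _T0 + timedelta(minutes=5), 23.0, "US"),   # 4th txn in 10 min
    Txn("n5", "tok_B", _T0 + timedelta(minutes=6), 40.0, "US"),   # unknown card
]


def run_demo() -> dict[str, list[str]]:
    return score_transactions(build_baseline(HISTORY), NEW_TXNS)


if __name__ == "__main__":
    for txn_id, reasons in run_demo().items():
        print(txn_id, "->", "; ".join(reasons))
```

Each flag carries its reason, which is what an analyst reviewing the queue needs; a system that only emits a score gives the fraud team nothing to act on or to tune.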