Fraud Prevention Pt. 3: Responding to Credit Card Fraud and Data Breaches
Data breaches are a problem for all companies, but are of particular concern for small e-commerce businesses. To safeguard your business and find out how you can be Payment Card Industry compliant, see Fraud Prevention Pt. 1: Protect Your Business Against Data Breaches.
Unfortunately, having fraud prevention procedures in place does not guarantee your business is safe from fraudsters who find ways to steal customer credit card data. Even employees can inadvertently email sensitive information or use a shared computer network to access private company data.
In the event a data breach does occur, it is important you know your responsibilities and how to respond.
What To Do If A Data Breach Occurs
If you are the victim of credit card data theft, you have multiple responsibilities and must take action immediately.
Action: First, disconnect the compromised computer from the Internet and make sure no other computers are networked to it. Leave it turned on, but make sure no one uses it; powering it off or continuing to use it can destroy evidence (such as what is held in memory) that a later forensic investigation will need. Next, contact your merchant account provider immediately to notify them of the breach. Many company policies require notification within 24 hours of the discovery of a data incident. Your merchant account provider will provide instructions on how to notify individual credit card companies and legal authorities. It is a good idea to contact your own legal counsel at the same time. Be prepared to answer questions about whether you are PCI compliant (which may include providing the results of your network security scans), about your security procedures, and about who had access to the stolen data.
Follow all instructions provided by your merchant account provider. This will include performing an initial investigation to determine how the incident happened and which data was compromised.
Other steps you may have to take include conducting a more extensive forensic investigation (which includes extracting and analyzing deeper data from your network), providing all compromised card numbers to the credit card companies, notifying cardholders of the breach, and complying with state data breach notification laws (46 states now have data breach laws).
The requirements you must meet in the event of a data breach can be costly, so before one happens, consider purchasing insurance to cover data breaches, fraudulent credit card use, and cyber liability. For a comprehensive overview of coverage options, see this article from EInsurance. If you do experience a data breach, notify your insurance provider and familiarize yourself with your liability and legal expense coverage in case of any legal action from your customers or a card-issuing financial institution. Also consider consulting a specialist such as Experian or Terremark to help you fulfill all of your legal obligations.
Discovering and responding to a data breach can be a daunting process, but act quickly, inform your merchant account provider, and follow the guidance above to help limit the damage to your business.