Companies offer to pay breach fines
Two credit-card payment processors are offering to cover merchants' fines and penalties in the event of a data breach.
However, the two companies, Heartland Payment Systems and Mercury Payment Systems, have different requirements that must be met before a merchant would qualify for coverage.
For Mercury, the retailer would have to prove it was compliant with the Payment Card Industry Data Security Standard (PCI DSS) at the time of the breach.
“This is an enticement program to get merchants involved in PCI compliance,” Jim Mackay, Mercury's vice president of marketing, told SCMagazineUS.com Friday. “Though there are critics who say that PCI does not go far enough, at least it's a step in the right direction.”
There are some limits on what amount of costs would be covered.
“The [Mercury] reimbursement is $15,000 for a forensic audit (required in the event of a breach), and $25,000 towards fees and fines,” Mackay said. “Given the size of typical merchants and the typical size of a breach, that should cover primary costs.”
Criminals increasingly target smaller merchants, those designated as Level 4 merchants (under the card brands' tiers, merchants processing fewer than 20,000 e-commerce transactions a year, or up to one million transactions through other channels). Many of these have not done all that is necessary for security, Mackay said: they may still be running default passwords and default configurations on their firewalls and routers, and may have no safeguards on access to critical data.
Still, many smaller merchants do not see the need to be compliant.
“Most of them are aware that they can be breached, but are not aware of the potential severity of a breach, and how susceptible they may be,” Mackay said. “And they rely on their vendors. They believe that their vendors have done everything possible to make them secure.”
Perhaps more than 50 percent of Level 4 merchants would be unable to pass compliance requirements at this point, Mackay estimated.
The Heartland program differs: to be eligible for reimbursement, merchants must have purchased its end-to-end encryption system, dubbed E3 and scheduled for roll-out by the end of the year. Company officials said Heartland was planning the technology even before it announced in January that it had suffered a breach that potentially exposed a hundred million card records.
"We're still working on the language, but our present plan is to in essence say that if a merchant is properly deploying end-to-end encryption with Heartland, we will indemnify them for fines or fees that result from a hack or a breach of their system," Steven M. Elefant, Heartland's executive director of end-to-end encryption, told SCMagazineUS.com Tuesday.
There is a big difference between passing a PCI audit and having end-to-end encryption, he said.
“While PCI is a great beginning, it is not in and of itself enough to make you secure,” he said.
End-to-end encryption, as Elefant described it in reference to the Heartland program, means that the card data is encrypted at the point-of-sale device from the moment the digits are read off the magnetic stripe, and stays encrypted all the way through the merchant's network to the payment processor and on to the card brand.
“That's what will change the paradigm in the credit card industry, not checking boxes on a form,” he said. “One is a solution and the other is a Band-Aid.”
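As an added illustration of the property Elefant describes (this is example code written for this page, not Heartland's E3 design or anything from the original article), the Python sketch below models three parties: a card reader that encrypts track 2 data the instant it is read, a merchant POS hop that holds no key and can only log and forward an opaque blob, and a processor that verifies and decrypts. Everything in it is an assumption for illustration: the single static `TERMINAL_KEY` shared by reader and processor (real deployments derive a fresh key per transaction), an HMAC-SHA256-in-counter-mode stream cipher with encrypt-then-MAC standing in for AES-GCM so that only the standard library is needed, the hypothetical function names, and the constructed test-card track data in `SAMPLE_TRACK2`.

```python
import hashlib
import hmac
import secrets

# Assumption: one symmetric key injected into the reader's secure element and
# held only by the processor. Real deployments derive a fresh key per swipe;
# a static key keeps this illustration short.
TERMINAL_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)


def _subkeys(key):
    """Separate keys for encryption and authentication (encrypt-then-MAC)."""
    enc_key = hmac.new(key, b"terminal-enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"terminal-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 run in counter mode: a PRF-based stream cipher that stands
    in for AES-GCM so the example needs only the standard library."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def terminal_encrypt(track2, key=TERMINAL_KEY, nonce=None):
    """Runs inside the card reader: track data is encrypted the moment it is
    read, before the POS application or store network ever sees it."""
    enc_key, mac_key = _subkeys(key)
    nonce = nonce if nonce is not None else secrets.token_bytes(12)
    plaintext = track2.encode()
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}


def merchant_hop(msg, log):
    """Merchant POS application / store server: holds no key, so it can only
    log and forward the opaque blob."""
    log.append(f"POS forward nonce={msg['nonce']} ct={msg['ct']} tag={msg['tag']}")
    return msg


def processor_decrypt(msg, key=TERMINAL_KEY):
    """Processor side (in practice an HSM): verify the tag first, then decrypt."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = (bytes.fromhex(msg[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: message altered in transit")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream)).decode()


def pan_in_log(log, pan):
    """Would a merchant-side log dump hand an attacker the card number?"""
    return any(pan in line for line in log)


def tamper_detected(msg):
    """Flip one bit of the ciphertext in transit; the processor must reject it."""
    altered = bytearray(bytes.fromhex(msg["ct"]))
    altered[0] ^= 0x01
    try:
        processor_decrypt(dict(msg, ct=bytes(altered).hex()))
    except ValueError:
        return True
    return False


# Constructed sample: a well-known test PAN with expiry 12/25 and service code 101.
SAMPLE_TRACK2 = ";4111111111111111=25121011234567890?"
SAMPLE_PAN = "4111111111111111"


def run_demo():
    """Returns (processor recovered the track, PAN visible in merchant logs)."""
    log = []
    msg = merchant_hop(terminal_encrypt(SAMPLE_TRACK2), log)
    return processor_decrypt(msg) == SAMPLE_TRACK2, pan_in_log(log, SAMPLE_PAN)


if __name__ == "__main__":
    recovered, leaked = run_demo()
    print(f"processor recovered track: {recovered}, PAN in merchant log: {leaked}")
```

The point the sketch makes is the one in Elefant's contrast with checkbox compliance: the merchant's POS application, store server and network carry only ciphertext, so a compromise of those systems (the default-password and default-firewall problem Mackay describes) yields nothing usable, and any modification in transit is rejected by the processor's tag check before decryption is attempted.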