What to do after a data breach

Think data breaches only affect the "big guys"? Think again. According to Visa, roughly 85 percent of data breaches occur at small businesses.

Even so, a June 2012 study by the Hartford Financial Services Group Inc. found that 85 percent of small business owners believed a data breach was unlikely, and that many were not implementing even simple security measures to protect their customer or employee data.

Despite this nonchalance, the aftermath of a data breach can be an administrative nightmare for a small business. If a hacker gets hold of your customers' payment card data, here are the first four steps of damage control.

Step 1: Control the damage
By the time a merchant realizes there's been a data breach, it's usually too late to undo the damage. That's because most breaches are discovered only after customers report fraudulent use of their cards to their banks, which then trace the fraud back to the merchant.

So, once your systems have been breached, the first step is to immediately contain and limit the exposure to prevent further loss and help preserve evidence for the investigation, according to Visa. Specifically, Visa recommends that merchants do the following:

  • Do not access or alter compromised systems: don't log onto the machine or change passwords on it.
  • Do not turn off the compromised machine. Do, however, unplug its network cable and otherwise isolate it from the rest of the network.
  • Do log every action your business has taken since the breach, and save all logs and electronic evidence.
  • If you are using multiple machines on a wireless network, do change the network name (SSID) on the wireless access point and on other non-compromised machines that may be sharing the connection. Just don't touch any potentially compromised machines.
  • Do stay on high alert and monitor every system that contains cardholder data.
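Visa's advice to preserve evidence and log every action is easier to follow if the preserved files are hashed the moment they are collected, so that anyone can later show they were not altered. The script below is an added example for this step; it is not from the article or from Visa's guidance. It is meant to run on a responder's workstation over copies of logs gathered from systems you are allowed to touch (firewall, router, uncompromised hosts); it never logs on to or writes to the compromised machine. The sample log lines, host names and the "J. Responder" name are constructed for the example.

```python
"""Chain-of-custody manifest and action log for a breach response.

Added example for Step 1 above; not from the article or Visa's guidance.
Run it on a responder workstation over copies of logs gathered from the
systems you are allowed to touch (firewall, router, uncompromised hosts);
it never logs on to, or writes to, the compromised machine itself.
"""
import datetime as dt
import hashlib
import json
import os
import tempfile


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so large packet captures do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(evidence_dir: str, collector: str) -> dict:
    """Hash every preserved file so later alteration can be detected."""
    files = []
    for root, _, names in os.walk(evidence_dir):
        for name in names:
            path = os.path.join(root, name)
            files.append({
                "path": os.path.relpath(path, evidence_dir).replace(os.sep, "/"),
                "bytes": os.path.getsize(path),
                "sha256": sha256_file(path),
            })
    files.sort(key=lambda e: e["path"])
    return {
        "collected_at": dt.datetime.now(dt.timezone.utc).isoformat(),
        "collector": collector,
        "files": files,
    }


def verify_manifest(evidence_dir: str, manifest: dict) -> list:
    """Return the paths that are missing or no longer match their recorded hash."""
    bad = []
    for entry in manifest["files"]:
        path = os.path.join(evidence_dir, *entry["path"].split("/"))
        if not os.path.exists(path) or sha256_file(path) != entry["sha256"]:
            bad.append(entry["path"])
    return bad


def log_action(log_path: str, who: str, action: str) -> str:
    """Append one UTC-timestamped line to the response action log and return it."""
    line = f"{dt.datetime.now(dt.timezone.utc).isoformat()}\t{who}\t{action}\n"
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(line)
    return line


# Constructed sample evidence so the script runs offline (documentation IPs).
SAMPLE_EVIDENCE = {
    "firewall.log": "2012-06-01T02:14:07Z deny tcp 203.0.113.9 -> 192.0.2.21:4444\n",
    "pos-terminal-2/auth.log": "Jun  1 02:15:11 pos2 sshd: Accepted password for admin\n",
}


def make_workdir() -> str:
    return tempfile.mkdtemp(prefix="evidence-")


def evidence_path(evidence_dir: str, rel: str) -> str:
    return os.path.join(evidence_dir, *rel.split("/"))


def write_sample_evidence(evidence_dir: str) -> None:
    for rel, text in SAMPLE_EVIDENCE.items():
        path = evidence_path(evidence_dir, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(text)


if __name__ == "__main__":
    work = make_workdir()
    write_sample_evidence(work)
    manifest = build_manifest(work, "J. Responder")
    # Keep the manifest and the action log beside, not inside, the evidence tree.
    with open(work + ".manifest.json", "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2)
    log_action(work + ".actions.log", "J. Responder", "Unplugged POS-2 network cable")
    print("files hashed:", len(manifest["files"]), "mismatches:", verify_manifest(work, manifest))
```

Store the manifest and action log somewhere the investigator, not the merchant's staff, controls; `verify_manifest` is what they run when the evidence changes hands.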

Step 2: Contact the authorities
If the compromise could result in harm to a person or business (such as identity theft), call your local police department immediately, the United States Federal Trade Commission (FTC) recommends.

The sooner law enforcement learns about the theft, the more effective it can be. If the local police are not familiar with investigating data breaches, the FTC suggests contacting the local office of the FBI or the U.S. Secret Service.

Step 3: Notify necessary parties
After the initial damage has been contained, contact all parties that are connected to the stolen data.

  • Before you contact your customers, consider calling an attorney who can advise you regarding state-specific laws. Some states, for example, have notification deadlines. If you don't inform your customers that they could be vulnerable to identity theft by that deadline, your business could incur hefty fines.
  • Contact your merchant bank, credit card networks and any other financial institutions linked to the stolen card info. The financial institutions that maintain your customers' accounts will need to monitor those accounts for fraud. Visa, for example, requires compromised merchants to provide all at-risk account numbers so that it can notify the issuing banks.

Step 4: Gather the facts
The Better Business Bureau (BBB) recommends gathering the facts surrounding the breach. Depending on the scale of the breach and the potential for damage, you could find yourself in the middle of a forensic investigation, so be prepared to answer the following questions:

  • How did the breach occur?
  • Was it a malicious attack or an internal error? For example, did cyber criminals strike, or did one of your employees accidentally lose a flash drive containing sensitive information?
  • Was the data encrypted?
  • What information was contained in the data (names, addresses, credit card numbers)?
  • How many people were affected?
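Both the list of at-risk account numbers Visa asks for (Step 3) and the "what information was exposed, and how many people" questions (Step 4) start with the same task: finding the card numbers in whatever data was exposed. The Python script below is an added example, not from the article, Visa, the BBB or any processor's tooling. It scans a constructed sample order export for digit runs that look like card numbers, keeps only those that pass the Luhn check (so that 16-digit order IDs are not counted as cards), masks them to first-six/last-four for the incident log, and tallies them by card network so you know which networks and banks to notify. The export, the customer names and the phone numbers are constructed; the card numbers are the publicly known test PANs, and the network prefix table is deliberately simplified.

```python
"""Find at-risk payment card numbers (PANs) in an exposed data set.

Added example for Steps 3 and 4 above; not from the article, Visa or the BBB.
SAMPLE_EXPORT and every number in it are constructed test data.
"""
import re
from collections import Counter

# Runs of 13-19 digits, optionally separated by single spaces or dashes,
# not bordered by other digits (so a longer run is not split into "cards").
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample of a breached order export. Order IDs are 16 digits on
# purpose: a naive "16 digits = card number" rule would count them as cards.
SAMPLE_EXPORT = """\
order_id,customer,card,phone,amount
1000000000000001,Ann Smith,4111 1111 1111 1111,555-123-4567,42.10
1000000000000002,Bob Jones,5555-5555-5555-4444,555-987-6543,18.00
1000000000000003,Cy Wu,378282246310005,555-222-3333,99.99
1000000000000004,Dee Roy,4111111111111112,555-444-5555,12.50
1000000000000005,Ann Smith,4111 1111 1111 1111,555-123-4567,7.75
"""


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by all major card networks."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_network(pan: str) -> str:
    """Simplified prefix table (assumption: real BIN ranges are broader)."""
    if pan[0] == "4":
        return "Visa"
    if pan[:2] in {"51", "52", "53", "54", "55"}:
        return "Mastercard"
    if pan[:2] in {"34", "37"}:
        return "American Express"
    return "unknown"


def mask(pan: str) -> str:
    """First six and last four digits, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_export(text: str) -> dict:
    candidates = 0
    at_risk = set()
    for m in PAN_CANDIDATE.finditer(text):
        candidates += 1
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            at_risk.add(digits)
    return {
        "candidates": candidates,
        # Full PANs: hand these only to your acquirer / the card network.
        "at_risk_pans": sorted(at_risk),
        # Masked form: what goes into the incident log and notifications.
        "masked": sorted(mask(p) for p in at_risk),
        "by_network": dict(Counter(card_network(p) for p in at_risk)),
    }


if __name__ == "__main__":
    result = scan_export(SAMPLE_EXPORT)
    print(f"{result['candidates']} digit runs looked like cards, "
          f"{len(result['at_risk_pans'])} distinct PANs pass Luhn")
    for pan in result["masked"]:
        print("  at risk:", pan)
    print("  networks to notify:", result["by_network"])
```

On the sample, ten digit runs look like cards but only three distinct numbers are real PANs; the fourth card value fails Luhn and is most likely a typo or a test entry, which is exactly the kind of detail a forensic investigator will ask about.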

The final step: Be prepared
After you have gotten through a data breach, it is time to get serious about defending yourself against the next attack. If you haven't done so already, make sure your business complies with at least the minimum requirements of the Payment Card Industry Data Security Standard (PCI DSS), the data security rules that govern the payments industry. Complying with PCI DSS, although sometimes costly and time consuming, can strengthen your business's defenses on several fronts:

  • Network security: Making your systems harder to break into.
  • Customer data protection: Ensuring that, even if data is stolen, it's encrypted so that a thief cannot use it.
  • Control measures: Limiting access to cardholder data to a few employees, which reduces the chance of a breach (and narrows down the culprits if one occurs).
  • Regular monitoring and testing: Logging who accesses cardholder data and testing your defenses regularly, because thieves are constantly updating their techniques.

If you need motivation, keep in mind that small- to medium-sized businesses could be increasingly targeted by thieves. According to a July 2012 white paper from network management company Mako Networks, larger companies are throwing their resources behind sophisticated security measures. Smaller merchants, meanwhile, often find building data security protections to be an "arduous process", making them the easier target.


Published: August 31, 2023
