At the beginning of September 2014, another US retailer hit the headlines as Home Depot became the latest well-known name to suffer a fraud attack on its customers’ payment cards.
The details of no fewer than 56 million cards were stolen and the cost to the company is already estimated to be $62m. Judging by the experience of fellow retailer Target, this number is likely to represent just the tip of the iceberg.
The majority of the immediate costs following a breach come from claims made by payment card networks alleging fraudulent transactions, but this is not the full picture. The Ponemon Institute, in its 2014 Cost of Data Breach Study, details a host of other factors that contribute to the cost, including hefty fines from regulators and technical costs as companies struggle to make fixes to computer systems. The report concludes that the average cost to a company in the current climate is $3.5m, 15 per cent more than in the previous year.
By far the most damaging factor in the aftermath of a breach, however, is the loss of business as a result of diminished trust from customers.
Our own research this year showed that 86 per cent of people (91 per cent of women and 81 per cent of men) would be unlikely to do business with an organisation that had suffered a security breach involving credit or debit card data.
When such a disaster occurs, companies find themselves spending heavily on advertising and communications to restore a positive brand image, and in extreme cases, building an entirely new customer base from scratch. This problem has been shown to be particularly acute in industries where trust is at the heart of the business, such as healthcare and pharmaceuticals.
Organisations have always needed to balance the risk of an attack against the costs involved in preventing it, and in recent years the price of effective prevention has frequently been judged too high.
Compliance with Payment Card Industry Data Security Standard (PCI-DSS) regulations, for example, has often been bypassed.
These regulations, drawn up by the card providers to protect customer data, require many technological checks and controls and can be expensive and labour-intensive to implement.
At the same time, the consequence of a data breach has been perceived to be relatively mild, consisting largely of a fine and an element of compensation to the customers affected. When faced with the prospect of spending thousands to implement and maintain proper security for a contact centre, the risk of a breach can seem to be worth taking.
Compliance with PCI regulations is still not cheap. Four years ago the average annual spend for an organisation handling over 6 million card transactions a year was £150,000.
Today, additional requirements such as the increased use of external auditors have been added to the checklist, driving the cost even higher. While technological advances are helping organisations to avoid handling card data wherever possible, PCI compliance is still a serious matter.
Fraud and fines
But the balance has changed. The scale of fraud has reached new levels; Home Depot’s attack has been labelled “the biggest data breach in retailing history” and is just one of several to hit the headlines during the past twelve months.
And as card fraud becomes better organised, customers are becoming more nervous. It is no longer simply a question of worried individuals discussing the matter on social networks; stories like those of Target and Home Depot have been communicated far beyond national boundaries and it is apparent that an entire brand can be tarnished globally in a matter of days as a result of an attack.
Legislation, too, has become fiercer. The revised European Data Protection Regulations threaten large corporations with a fine equal to 5 per cent of their global revenues if they can be shown to have been negligent with customer data. The new rules also require that data breaches must be reported within 24 hours – so businesses have no opportunity to conceal the facts.
For peace of mind, companies have two real options: keep spending on security to stay one step ahead of the bad guys, or hand their card data over in its entirety to payment specialists. The second of these options is becoming increasingly appealing.
Fraud attacks are unlikely to stop any time soon. Home Depot’s data has already emerged on the black market and by one estimate it could be used to make $3bn in illegal purchases. With prizes like that, fraudsters have every incentive to continue to develop increasingly sophisticated techniques for outwitting security systems. Merchants would do well to take heed.
Tim Critchley is the CEO of Semafone.