Merchant Data Breach FAQs Person Image

Merchant Data Breach FAQs

What is the Merchant Data Breach Program, and what are its benefits?

The Merchant Data Breach Program, administered by Higginbotham & Associates, Inc., was specifically created to meet the expenses resulting from a suspected or actual breach of credit card data. Just one breach can cost a merchant tens of thousands of dollars in fines, audit expenses, and card monitoring and replacement costs.  The Merchant Data Breach Program reimburses a participating merchant for those out-of-pocket expenses. For its enrolled merchants, the Program will pay breach-related fines and penalties levied by card associations, card replacement costs and related expenses, the expense of a security assessment by a qualified security assessor and/or a forensic audit to determine the cause and extent of the security breach, and post-event service expenses. Under the terms and conditions of the Program, a merchant will be covered for up to $100,000 per Merchant Identification Number (MID), with no deductible or retention, within one year following the discovery of a data security event.

What are post-event service expenses?

Post-event service expenses are expenses incurred to assist cardholders whose identities may have been compromised by a data breach. They include credit file monitoring and identity theft education and assistance.

How do I qualify for the Merchant Data Breach Program?

If you are a Level 2, 3 or 4 merchant, as defined by the PCI Data Security Council (PCI DSC), and have not already experienced a data breach, you qualify. Level 1 merchants (more than 6 million transactions annually) are not eligible for the Merchant Data Breach Program.

As a Level 4 merchant, what are my chances of being hit by a data breach? Why should any small- to mid-sized business participate in the Data Breach Program?

Actually, small- to mid-sized businesses are at greater risk of a data breach than mega businesses. At a credit card industry summit in 2009, experts reported that small and mid-sized businesses are targeted more often by hackers because the impression is that they are less invested in security than larger businesses with more resources.

Must I already be certified PCI DSS compliant to participate in the program?

No, it’s not necessary to be certified PCI DSS (Payment Card Industry Data Security Standard) compliant to participate in the program. However, if you have already experienced a data breach, you must become PCI compliant before receiving any Merchant Data Breach Program benefits from future breaches. Of course, a merchant should always follow PCI guidelines for security controls and run network scans by an Approved Scanning Vendor (ASV) quarterly to guard against breaches.

If I’m already certified PCI DSS compliant, how does the Merchant Data Breach Program benefit me?

PCI DSS compliance alone cannot prevent a data breach or the subsequent financial losses. You benefit from the program in that it covers expenses and fines incurred from the theft of data by means not regulated by the PCI DSS.

Can I have a data breach even if I don’t store magnetic stripe data?

Certainly, because data can be breached in a variety of ways. Your computer systems and software may have outdated (or missing) security updates, or your software may still have the default settings and passwords installed. Hackers are always coming up with new ways to get around a secure system, and then there’s the threat of a rogue employee “skimming” credit card information during an otherwise legitimate transaction or stealing physical receipts or computers. Any of these scenarios – and numerous others – can result in a data breach that costs you significant fines and expenses to make right.

What should I, as a merchant, do if I discover a security breach?

Your first step should be to report the breach by completing the Merchant Data Breach Program online claim form. Submit documentation from your acquiring bank or card brand that advises of the security breach and location involved. Submit the invoice provided by the PCI DSS auditor to the Merchant Data Breach Program along with your request for reimbursements, fines, or expenses resulting from the data breach.

The information on this page is not intended to be a source of legal advice. Therefore, you should not rely on the information provided herein as legal advice for any purpose, and should always seek the legal advice of competent counsel in your jurisdiction.