Ten Steps to Save Your Merchants from Data Breaches

Don Steinberger on 05/9/2019

The first question to ask when determining whether a merchant's business is at risk of a data breach is whether the company stores or processes customer credit or debit card data. Merchants should also consider whether they hold financial information, company records, operational reports, budgets, or other data relating to business associates or suppliers.

According to Accenture, “The most expensive component of a cyber-attack is information loss, which represents 43 percent of costs.” Most businesses hold at least some sensitive data. If your merchants are not taking the following steps to protect it, they are at risk.


The first and most important step is to plan for a breach before it occurs. Once a breach is discovered the clock is running: the business must meet its notification deadlines, complete the necessary forensic analysis, and contain the exposure, all at the same time. A formal incident response plan that staff already know and have rehearsed significantly reduces the cost of a breach. Given the high costs and tight timelines, the plan should assign each specific task to a named individual or role, and should specify the training those people need.

Eliminating Blind Spots

In some of the most widely publicized data breaches, attackers gained access by exploiting system vulnerabilities and using stolen credentials, in some cases credentials belonging to a vendor with remote access to the retailer's network. There is no getting around the fact that a business relies on its partners and vendors, but performing due diligence on their security, and limiting what their accounts and network connections can reach, reduces the risk of a breach that originates in a third party's weaker security.

Know Your Points of Contact

Retailer breaches usually result from criminal attacks on the retailer's systems, so law enforcement will be involved once a breach is detected. Identifying points of contact within both state and federal law enforcement in advance helps expedite the investigation if your merchant becomes the victim of a data breach.

Liability Coverage

The costs of a breach, especially a large one, can exceed the insurance coverage a business carries. The merchant should therefore review and understand their policy as it relates to network security: whether the limits are adequate, what exclusions apply, and what notice requirements the policy imposes, since missing the insurer's notice deadline can jeopardize a claim. They may also need to purchase additional cyber liability insurance.

Vetting Third Parties

Most businesses do some due diligence before transmitting sensitive data to business partners and vendors, but it is worth asking whether they are doing enough. Given the cost of a breach, a few extra steps to vet the partners a merchant does business with (for example, obtaining a current PCI DSS attestation of compliance from any partner that will handle card data) are well worth the effort. This will matter more as merchants move to cloud payment services.

Instituting a Dedicated Response Team

Putting a dedicated response team in place gives a business peace of mind in the event that the worst should happen. Ideally the team is cross-functional, with personnel from IT, legal, communications, operations, and other affected departments, so that the technical, legal, and customer-facing parts of a response are not handled in isolation.

Engage Outside Vendors

The reality is that merchants may not be able to handle a breach on their own, and breaches are expected to be handled promptly. Establishing relationships with external vendors (forensic investigators, breach counsel, notification services) before an incident gives merchants access to the specific experience they need to help prevent attacks and to expedite the investigation and notification process if a breach does occur.

Understanding Legal Requirements

Staying on top of what federal and state agencies require of a company in the event of a breach is critical. At a minimum, your merchants should have a process for identifying and monitoring state and federal requirements, including disclosure obligations. Merchants without such a process can be fined for failing to meet those requirements. Making certain that your merchants know how to comply before a breach occurs ensures their business is prepared.

Tokenization and Encryption

Layering tokenization and encryption on top of POS and EMV-capable systems lets merchants reduce their attack surface while addressing weaknesses in the authorization flow. Keep in mind that cardholder data is exposed at two points in the transaction process: before authorization, while the card data is captured at the terminal and sent to the processor, and after authorization, when the merchant keeps a reference to the card for refunds, recurring billing, or reporting. Encryption at the point of capture (point-to-point encryption) protects the pre-authorization leg; tokenization protects the post-authorization data, because once the consumer and payment data are validated the processor returns a token that the merchant stores in place of the card number. Tokenized and encrypted data are of little value to an attacker who obtains them: a token is a random reference that only the token vault can map back to a card number, and ciphertext is meaningless without the key. The caveat is that this holds only as long as the vault and the keys stay outside the merchant's environment; a token vault or decryption key sitting on the same compromised network is simply the attacker's next target.
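As an added illustration of why a stored token is useless to an attacker (this is example code written for this article, not EVO's or any processor's implementation; the vault design, the token format, and the test card number are assumptions made for the demonstration), the token the merchant stores is a random reference drawn from a CSPRNG, deliberately made to fail the Luhn check so it can never be mistaken for a real card number, and only the processor-side vault can map it back to the PAN:

```python
import secrets
import string
from typing import Dict


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check.

    Card numbers carry a Luhn check digit. The vault uses it to reject
    malformed input before tokenizing, and to make sure the tokens it
    issues do NOT pass, so a leaked token cannot be used as a PAN.
    """
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_valid_pan(pan: str) -> bool:
    """Structural check only: 13 to 19 digits that pass Luhn."""
    return pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)


class TokenVault:
    """Minimal token vault of the kind a processor runs (constructed example).

    The merchant only ever holds the token. The mapping lives here, on the
    processor side, so a compromise of the merchant's systems yields nothing
    that can be used to make a payment.
    """

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def tokenize(self, raw_pan: str) -> str:
        pan = raw_pan.replace(" ", "").replace("-", "")
        if not is_valid_pan(pan):
            raise ValueError("input is not a structurally valid card number")
        # A repeat customer gets the same token, which is what lets the
        # merchant do refunds and recurring billing without storing the PAN.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Random digits from a CSPRNG: the token is a lookup key, not a
            # transformation of the PAN, so it cannot be reversed without
            # this vault. The last four digits are kept for receipts.
            body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token == pan or token in self._token_to_pan or luhn_valid(token):
                continue    # reject collisions and anything that looks like a real PAN
            self._token_to_pan[token] = pan
            self._pan_to_token[pan] = token
            return token

    def detokenize(self, token: str) -> str:
        """Only the vault can turn a token back into a PAN."""
        return self._token_to_pan[token]

    def holds(self, token: str) -> bool:
        return token in self._token_to_pan


def masked(pan: str) -> str:
    """The form a merchant may keep in logs and print on receipts."""
    return "*" * (len(pan) - 4) + pan[-4:]


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111 1111 1111 1111"   # constructed test number, not a real card
    tok = vault.tokenize(test_pan)
    print("merchant stores :", tok, "(shown as", masked(tok) + ")")
    print("vault resolves  :", vault.detokenize(tok))
```

The merchant's side of this exchange never sees the mapping; the processor-side vault is the only place a token resolves, which is why the protection depends entirely on the vault being outside the merchant's network.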

Data breach preparedness is complex, and for an unprepared merchant the result of a breach can be catastrophic. Small Business Trends states, “43 percent of cyber-attacks are aimed at small businesses.” Advise your merchants now to prepare for a data breach; understanding these best practices helps them reduce the risk of a breach and ensures they are ready if one does occur.

With business activities in 50 markets and 150+ currencies around the world, EVO is among the largest fully integrated merchant acquirers and payment processors in the world.
