What Happens After the Breach — Especially for SMBs

SMBs are the least likely to survive the costs associated with a breach involving data that falls under the Payment Card Industry umbrella. There are several types of cost, including those associated with reputation damage, the time and effort required to repair the breach and return to normal operations, the time and expense of collecting forensic data, the time and expense of coordinating with law enforcement and the PCI stakeholders, potential fines, potential litigation, and subsequent increased spending on PCI compliance.

The best way to reduce these liabilities is to outsource as much of the PCI operations as possible, and to have a strong practical defense that does not result in a breach.

Detecting a breach and rapidly closing it sounds like a very desirable goal, but an analysis of well-publicized breaches indicates that most breaches exist for an extended period of time, and too often the company experiencing the breach is informed of the problem by a third party. The third parties doing the informing include law enforcement, customers, the cyber criminals, and fraud detection departments at the merchant banks, although the latter seem to take their time about informing companies of apparent breaches.

Most of the publicity surrounding PCI DSS 3.2 and the move to chip & pin technology by card issuing companies is aimed at fraud prevention. There are more specifics about penetration testing, and about the improved security offered by chip & pin. Unfortunately, there are already articles discussing how chip & pin can be done wrong. There are cases where fraudulent data has been transmitted but marked, at the time of transmission, as using chip & pin technology.

SMBs and everyone else in the industry should assume that the rate of breaches will not be dropping in the foreseeable future. SMBs should be testing their incident response plans. These tests really should include a well-managed scenario that requires end-to-end testing of the plans. For example, if a breach occurs, what are the criteria for hiring a third party to gather forensic data? Who is responsible for approving the purchase of the service, and were quotations obtained from any firms? Testing should also include some discussions with outside counsel. What legal services will be needed? What are some of the initial cost estimates? In other words, a good test of the incident response plan should go into enough detail to generate an estimated cost of the incident.