
PCI Breach Costs

29 October 2009

The total direct costs to a merchant from a PCI event include:

  • Card replacement costs, now averaging about $4 per card
  • Compliance fines, now ranging from about $5,000 to $50,000
    per event for a small (Level III or IV) merchant
  • Cost of the forensic examination, averaging between $25,000 and $35,000 per event for Level III and IV merchants
  • Additional fines for actual fraudulent use of the stolen PANs, which vary with the amount of fraud

Case Study:

  • A small card-present retailer was breached. The retailer had filled out a self-assessment questionnaire and attested to the acquirer that the information was true and correct.
  • The merchant was found to have stored over 2,000 credit card numbers in an accounting system for "reference" and to bill clients "if they forgot their credit card number".
  • The file was accessed and the card numbers were stolen when the computer was taken during a robbery. A common point of purchase (CPP) analysis of the cards later used for fraud identified the merchant as the location of the theft.

Direct costs to the merchant:

  Replacement cost            $  5,000.00
  Compliance fine             $ 12,500.00
  Forensic examination        $ 25,000.00
  Card utilization fines      $ 74,398.47
  ---------------------------------------
  TOTAL                       $116,898.47

  • The merchant also sustained significant reputational cost due to adverse publicity, legal fees, loss of business and other expenses.
  • The merchant filed for bankruptcy protection.
  • The acquirer assessed the amounts due to the ISO.
  • Visa fined the ISO additional fees following an examination, under VBR 07508, of the ISO's practices relating to PCI adoption and its plan for the portfolio after the initial event.
  • The ISO sustained a financial loss of $189,354.45.
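The case study says a common point of purchase (CPP) analysis traced the stolen cards back to the merchant. The script below is an added example of how that analysis works; it is not code from the original article or from any card brand, and it runs over a small constructed transaction log rather than real data. Card tokens (c01, c02, ...) stand in for PANs, the merchant IDs and dates are invented, and the 90-day lookback and the coverage/lift thresholds are assumptions. The idea: take the set of cards that have been reported as fraudulent, look at where each of them was used in the window before the fraud began, and find the merchant that nearly all of the fraud cards share but that ordinary, non-fraud cards mostly do not. A merchant that everyone uses (a grocery chain) will appear in most histories, so each merchant's coverage of the fraud cards is compared against its baseline among clean cards.

```python
"""Common point of purchase (CPP) analysis over a constructed transaction log."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data for this example (not real transactions).
# Each row: (card_token, merchant_id, transaction_date). Tokens stand in for
# PANs; an analyst should never handle raw card numbers in a script like this.
TRANSACTIONS = [
    ("c01", "M_GROCERY",  date(2009, 3, 1)),
    ("c01", "M_RETAILER", date(2009, 3, 2)),
    ("c01", "M_CAFE",     date(2009, 3, 3)),
    ("c02", "M_GROCERY",  date(2009, 3, 4)),
    ("c02", "M_RETAILER", date(2009, 3, 5)),
    ("c02", "M_GAS",      date(2009, 3, 6)),
    ("c03", "M_GROCERY",  date(2009, 3, 7)),
    ("c03", "M_RETAILER", date(2009, 3, 8)),
    ("c03", "M_GAS",      date(2009, 3, 9)),
    ("c04", "M_RETAILER", date(2009, 3, 10)),
    ("c04", "M_GAS",      date(2009, 3, 11)),
    ("c05", "M_GROCERY",  date(2009, 3, 12)),
    ("c05", "M_GAS",      date(2009, 3, 13)),
    ("c05", "M_CAFE",     date(2009, 3, 14)),
    ("c06", "M_GROCERY",  date(2009, 3, 15)),
    ("c06", "M_GAS",      date(2009, 3, 16)),
    ("c07", "M_GROCERY",  date(2009, 3, 17)),
    ("c08", "M_GROCERY",  date(2009, 3, 18)),
    ("c08", "M_GAS",      date(2009, 3, 19)),
    # Activity on or after the fraud start date lies outside the window:
    ("c02", "M_ONLINE",   date(2009, 4, 5)),   # the fraudulent charge itself
    ("c05", "M_RETAILER", date(2009, 4, 10)),  # a clean card at the suspect, too late to count
]

FRAUD_CARDS = {"c01", "c02", "c03", "c04"}   # cards with confirmed fraud
FRAUD_START = date(2009, 4, 1)               # earliest confirmed fraudulent transaction


def cpp_analysis(transactions, fraud_cards, fraud_start, lookback_days=90):
    """Rank merchants by the share of fraud cards they saw before the fraud began.

    coverage = fraction of fraud cards seen at the merchant in the window
    baseline = fraction of clean cards seen at the merchant in the window
    lift     = Laplace-smoothed coverage/baseline ratio (no divide-by-zero when
               a merchant saw no clean cards at all, the strongest CPP signal)
    """
    window_start = fraud_start - timedelta(days=lookback_days)
    fraud_seen = defaultdict(set)   # merchant -> fraud cards seen there
    clean_seen = defaultdict(set)   # merchant -> clean cards seen there
    clean_cards = set()
    for card, merchant, when in transactions:
        if not (window_start <= when < fraud_start):
            continue                # ignore the fraud itself and anything after it
        if card in fraud_cards:
            fraud_seen[merchant].add(card)
        else:
            clean_seen[merchant].add(card)
            clean_cards.add(card)

    n_fraud, n_clean = len(fraud_cards), len(clean_cards)
    results = []
    for merchant in set(fraud_seen) | set(clean_seen):
        f, n = len(fraud_seen[merchant]), len(clean_seen[merchant])
        coverage = f / n_fraud if n_fraud else 0.0
        baseline = n / n_clean if n_clean else 0.0
        lift = ((f + 1) / (n_fraud + 2)) / ((n + 1) / (n_clean + 2))
        results.append({"merchant": merchant, "fraud_cards": f, "clean_cards": n,
                        "coverage": coverage, "baseline": baseline, "lift": lift})
    # Highest coverage first; among ties, the merchant clean cards rarely visit.
    results.sort(key=lambda r: (-r["coverage"], -r["lift"], r["merchant"]))
    return results


def suspect_merchants(results, min_coverage=0.8, min_lift=2.0):
    """Merchants that most fraud cards share and that stand out from the baseline.

    The thresholds are assumptions for this example, not an industry standard.
    """
    return [r["merchant"] for r in results
            if r["coverage"] >= min_coverage and r["lift"] >= min_lift]


if __name__ == "__main__":
    ranked = cpp_analysis(TRANSACTIONS, FRAUD_CARDS, FRAUD_START)
    for r in ranked:
        print(f"{r['merchant']:<11} fraud={r['fraud_cards']} clean={r['clean_cards']} "
              f"coverage={r['coverage']:.2f} baseline={r['baseline']:.2f} lift={r['lift']:.2f}")
    print("suspects:", suspect_merchants(ranked))
```

On the constructed data M_GROCERY appears in three of the four fraud histories but also in every clean history, so its lift is below 1 and it is not flagged; M_RETAILER appears in all four fraud histories and no clean history in the window, which is exactly the common point of purchase the case study describes. In practice the clean-card baseline comes from the issuer's whole portfolio and the window is chosen from the earliest fraud date, and the result is a lead for the forensic examination, not proof on its own.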

Study: Maine Bureau of Financial Institutions, January 2009

Study design: Cost of the TJX and Hannaford breaches borne by Maine-chartered banks and credit unions

                        TJX       Hannaford
  Institutions           52              71
  Accounts           64,825         243,599
  Recovery cost*   $485,000      $4,500,000

*Recovery cost: investigation, communication, card reissuance and net fraud


Study Design: Cost of compromise to 43 companies in 2008. Each company volunteered under the condition of anonymity.

  Year   Cost per breach   Cost per record   Breaches involving an external third party
  2008   $6.6 million      $202              44%
  2007   $6.3 million      $193              40%
  2006   $4.7 million      $186              29%