• Card replacement costs now averaging about $4 per item
• Compliance fines now ranging from about $5,000 to $50,000
  per event for a small merchant (III, IV)
• Cost of forensic examination averaging between $25,000 and $35,000 per event for Level III and IV merchants
• Additional fines for actual fraudulent utilization of stolen PAN varies

Case Study:

• A small carp present retailer was breached. The retailer had filled out a self assessment form and attested that the information was true and correct to the acquirer.
• The merchant was found to have stored over 2,000 credit card numbers in an accounting system for “reference” and to bill clients “if they forgot there credit card number”.
• The file was accessed and the credit card numbers were stolen when during the course of a robbery the CPU was stolen. A CPP (common point of purchase) analysis of credit cards revealed the location of the theft.

Replacement Cost                 $ 5,000

Compliance Fine                   $ 12,500

Forensic Examination            $ 25,000

Card Utilization Fines $ 74,398.47

TOTAL $116,898.47

• The merchant also sustained significant reputational cost due to adverse publicity, legal fees, loss of business and other expenses.
• The merchant filed for protection under bankruptcy
• The amounts due were assessed to the ISO by the acquirer.
• Visa fined the ISO additional fees following an examination of ISO practices as it relates to PCI adoption and plan for portfolio under VBR 07508 after the initial event.
• ISO sustained a financial loss of $189,354.45

Study: Maine Bureau of Financial Institutions January 2009

Study design: Cost of TJX and Hannaford breach borne by Maine chartered banks and credit unions

TJX

52 Institutions

64,825 Accounts

$485,000 Recovery*

Hannaford

71 Institutions

243.599 Accounts

$4,500,000 Recovery*

*Recovery cost: investigation, communication, reissuance and net fraud

Study Design: Cost of compromise to 43 companies in 2008. Each company volunteered under the condition of anonymity.