Merchants that struggle to pay for breach-related costs may find some help from their merchant acquirers.
Some acquirers use a portion of their data security compliance program fees to build funds for use in helping breached merchants, Wenlock Free, vice president of business development at SecurityMetrics Inc., tells PaymentsSource. Orem, Utah-based SecurityMetrics sells payment-security products.
Not all acquirers have this feature, but those that do use it “in the event of a data breach to help merchants who have done all they can but need a little help from their acquirers to stay in business,” Free says, noting the practice has been around since 2006 but only through “select organizations.”
A merchant may pay $8,000 or more for a forensic audit that determines how a breach occurred, Free says. Larger compromises often carry higher price tags, he says.
The concept of a breach-assistance fund is not universal nor is it rare, says David Fish, senior analyst at Mercator Advisory Group Inc., a Maynard, Mass.-based payments consulting firm.
“If there is a breach, typically it’s the merchant’s responsibility,” Fish says. “I have heard some acquirers are using revenue generated by PCI-compliance fees to cover some breach costs.”
The assistance-fund concept also does not surprise Clayton Denton, owner of Centurion Payment Solutions, a merchant-services company based in Dyer, Ind., especially because it seems the fees could support it. Denton says annual fees range from $90 to $250 and monthly fees average about $20. When he asks providers what the fees go toward, the best answer he has received so far is to help pay “infrastructure” costs.
Centurion Payment offers merchants a $50,000 indemnity policy if they can validate their compliance with Payment Card Industry Security Standards Council data requirements. The policy can help offset a merchant’s costs associated with a breach, but only if the merchant is validated as compliant, Denton says.
What do you think about this? Send us your feedback.
