
The Cost of Data Breaches for Small Businesses

Ray Moorman

When it comes to identity theft, many small-business owners leave the door wide open with a welcome mat inviting cyberattackers in. That may sound like hyperbole, but it's not far from the truth. Payment data thieves often target small businesses, expecting their security measures to have plenty of holes. Often, that assumption is correct. Trustwave research reports that small merchants account for 90 percent of the data breaches that impact businesses (1). In addition, the top three industries that suffer from these attacks are retail, food and beverage, and hospitality.

Most of the time, small businesses aren't even aware that payment data has been stolen until another party informs them. A credit institution will discover a sudden rise in fraud, trace it back to a single source and contact either the merchant or a law enforcement agency (1). This is a serious problem for merchants and consumers alike, especially since the businesses that are most frequently targeted are also the least able to afford the consequences, and these costs can be significant. Even a suspected data breach will trigger a series of events that can damage or even ruin a brand.

Tangible damages
If your business suffers from a data breach, the costs can be enormous, depending on the legal and regulatory requirements you need to comply with. Expenses may include:

Forensic examination of your payment system
Regulations require that even a suspected data breach be followed by an in-depth forensic analysis to determine whether the breach actually happened and, if so, how bad the damage was. An investigator from outside the company will have to do the analysis, often requiring you to take your point-of-sale system offline to preserve evidence. These costs can range from $20,000 to $50,000 (1).

Communication with customers
Many states require companies to notify customers when their personal information may have been compromised. Depending on how many customers you have and where they live, these notifications can add up to thousands of dollars in costs, including written letter notifications you need to send multiple times to ensure you have made an adequate effort to contact these individuals.*

Credit counseling services
In some cases, you may have to provide credit monitoring or counseling services to affected customers for up to 12 months after the breach occurs.

Payment card industry fees
These can make up some of the largest costs for merchants. If the forensic analysis proves that your business was not in compliance with PCI regulations when the breach happened, the payment card associations, and even your bank, could charge you fines of $50,000 or more, in addition to any fraudulent charges that result from the stolen data (2).

Business liability
Despite the widespread belief among merchants that they are not liable for the fraudulent use of payment cards, you could be found liable in a lawsuit.

Card replacement fees
You may have to pay the cost of reissuing credit and debit cards to customers whose personal data was compromised.

Improving POS system
Depending on the cause of the breach, you may have to upgrade or replace your POS system to prevent future breaches. These investments may include servers, software and hardware.

PCI assessment after fixes are made
Once the security problems have been addressed, you will need a PCI assessment from an outside Qualified Security Assessor before you can accept payment cards again.

Intangible damages
The direct costs of a security breach can add up to enormous sums of money for a small merchant, but the damage does not stop there. The event can result in customers losing trust in your business, resulting in a public relations nightmare.

Loss of consumer confidence
When customers shop or eat at your establishment, they are trusting that you will keep their personal information safe and secure. A Ponemon Institute study found that more than one-quarter of affected customers terminate their relationship with the responsible business after just one breach (3). You should also avoid portraying your company as a victim of the breach. Customers are the true victims in a data breach, and are unlikely to extend you much sympathy.

Negative publicity
Data breaches often affect a lot of people, and often make the news. Even small merchants whose customers number in the hundreds can expect some negative publicity about the event, and news coverage, particularly articles archived on the Internet, will be easy to find for years. The best thing to do is be honest and proactive when dealing with the press. Once data has been compromised, it cannot be taken back. What matters after the fact is how you will prevent future fraud.

Loss of business with payment card companies
Card issuers such as MasterCard, American Express and Visa can refuse to do future business with you after a breach. When customers lose the convenience of using cards for payment, they're likely to become frustrated and take their business elsewhere.

The costs to your reputation and bottom line are formidable enough, but what about the time and energy it will take to get your business back on track? As with most problems, the best way to help keep customer data from being compromised is to take preventative measures beforehand. Check with your payments provider and make sure that your data security program stays up to date. Preventative maintenance will not only save you money and time; it may save your business.

  1. PCI Security Standards, https://www.pcisecuritystandards.org/
  2. Business News Daily, http://www.businessnewsdaily.com/6156-small-business-data-breach-protection.html
  3. Ponemon Institute, http://www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis


* The foregoing is provided for information purposes only, and is not legal advice.  You should review your compliance obligations with your own legal or other advisors.

