Royal Group Services Products
 
What is the Data Breach Security Program for Merchants? Why do merchants need it?
 


 
Data Breach Security Program for Merchants is a unique insurance offering designed specifically to help your merchants meet the significant expenses resulting from a suspected or actual breach of credit card data. Depending on the severity of the breach, these expenses can include the costs for a forensic audit, replacement of compromised cards, and compliance fines—costs that can easily reach $25,000 to $50,000 for Level 4 merchants. In other words, costs that are more than enough to shut down a small business.

The Data Breach Security Program protects you, too. Remember, if your merchants can’t pay their costs and fines, you’re required to pay them.


 
  How are we responsible? It’s the merchant that’s responsible for the expenses and fines resulting from a breach, right?
 
  Wrong! The acquiring bank is responsible for both the costs of the forensic audit and any related fines. If possible, these costs are then generally passed through to the merchant and the ISO via contract. Even if a merchant leaves an acquirer, the acquiring bank or ISO that held the merchant agreement at the time of the breach is responsible for all costs and fines. That means that if your merchants can’t cover their costs, you’re obligated to!

 
  Who offers this program? What insurance company underwrites the policy?
 
  The program is offered exclusively by Royal Group Services, the payment card industry experts, and is 100% underwritten by Great American Insurance Group (www.greatamericaninsurance.com). Great American is a financially strong insurance organization whose insurance companies are rated “A” by independent third-party rating agencies.


What are the coverage amounts?

  The basic coverage provides either $50,000 or $100,000 per merchant account per year and up to $500,000 for any one merchant per year.

 
  Can I provide my merchants a policy with higher limits?
 
  Yes. You can purchase limits up to $100,000. You can also have different limits on the same policy for each merchant level (2, 3, and 4).

 
  Some of my merchants have multiple locations. Is each location covered under policy limits?
 
  Yes. Royal Group Services can provide coverage on either a per merchant basis or on a per merchant account basis. You choose!

 
  Is there any deductible?
 
  No. There is never any deductible.

 
  Can any merchant qualify for this insurance coverage?
 
  Any Level 2, 3, and 4 merchant that maintains a merchant account with you is eligible for coverage as long as they have not had a previous data breach. If a Level 2, 3, or 4 merchant has had a previous breach—or suffers one while covered—the merchant can become eligible (or re-eligible) for coverage once PCI DSS compliance is verified. Level 1 merchants are not eligible for this coverage.

 
  Does a merchant have to be PCI DSS compliant to be eligible for coverage?
 
  No. However, we highly recommend that all merchants comply with PCI DSS. Royal Group Services will work with you to create a program designed to help drive your merchants toward compliance. However, it is important to remember that a merchant that has been breached must become compliant before that merchant can enter (or re-enter) the program.

 
  Won’t this program make it less likely for merchants to become PCI DSS compliant?
 
  No. In fact, we work closely with our banking partners to make sure that the Data Breach Security Program actually enhances their PCI DSS compliance efforts by establishing bundled offerings with security vendors. As we all know, the best way to reduce your merchants’—and your—exposure to data breach is through 100% compliance.

 
  Most of my merchants are Level 3 and 4. They aren’t really breached that often, are they?
 
  Absolutely they are! In fact, Visa reports that Level 4 merchants have been the source of 80% of identified data compromises since 2005. It makes sense—Level 3 and 4 merchants are more likely to have faulty or non-existent business procedures that prevent employee access to confidential data, leading to a much greater likelihood of data theft.

What’s more, recent studies by leading security vendors have shown that Level 4 merchants have the highest risk of having data stored on their POS software without their knowledge. Jennifer Fischer, Visa’s senior business leader, payment system security compliance, confirms, “Visa continues to see small merchants most frequently targeted by hackers.”

 
  What about merchants that don’t store magnetic strip data? Can they be breached?
 
  Yes! While it’s true that merchants storing magnetic strip data are particularly vulnerable, any merchant can be breached. Risks all merchants face include missing or outdated security patches, use of vendor-supplied default settings and passwords, SQL injections by hackers, unnecessary and vulnerable services on their servers, poor business practices that allow physical access to cardholder data, physical losses resulting from employee dishonesty or third-party theft, and simple employee negligence or error. In fact, human error is the largest single cause of data breach!

 
  My merchants are all PCI DSS compliant. They can’t be breached, can they?
 
  Yes, they can! Although it makes a breach less likely, PCI DSS compliance is not a guarantee that a breach won’t occur. Any system that relies on people-run processes is vulnerable to breach, whether through deliberate employee wrongdoing or an unintentional—but inevitable—human error. That’s why sections 7 and 9 of PCI DSS focus on business systems and processes, not technology systems and processes.

What’s more, PCI DSS compliance is only a periodic measurement at a point in time. Between measurements, a breach can occur at any time: for example, when networking equipment or a keylogger is installed or when a new employee is hired without a background check.

 
  Compliance activities are expensive and, frankly, negatively affect my bottom line. Is there any way we can recover some or all of our compliance costs through the Data Breach Security Program?
 
  Yes. Most acquiring banks and/or ISOs that participate in this program add a small administrative fee that can be used to offset the costs of compliance efforts.

 
  How long does it take to get the program underway?
 
  In most cases, we can have the entire program up and running in as little as 30 days.

 
  Is the program easy to administer?
 
  Yes. This simple, opt-out program requires minimal changes to your current processes. To begin the coverage, Royal Group Services needs only a monthly list of merchant IDs for enrolled merchants. We take care of the rest—we answer all merchant questions, manage all claims, provide all marketing materials, and provide copies of coverage and evidence of insurance forms from a custom Web portal built just for you.

 
  How does a merchant submit a claim?
 
  A merchant only has to complete three easy steps to submit a claim: (1) fill out an online claim form by following the easy-to-use link in the merchant portal, (2) upload or fax the notice from the acquiring bank that stipulates there has been a suspected or actual breach at the merchant’s location and choose an authorized, qualified security assessor, and (3) when the forensic audit is complete, upload or fax a copy of the assessor’s invoice. That’s it!

If a merchant has a claim for card replacement costs and related expenses and/or assessments and fines, they simply upload or fax a copy of the demand for payment.

 
  How soon do merchants receive their reimbursements?
 
  Within 30 days of submitting a claim, assuming all documents are in order.

 
  What if a merchant doesn’t want to participate in the Data Breach Security Program? What if a merchant wants to rejoin the program?
 
  A merchant that wishes to stop participating in the program must notify the acquiring bank/ISO/MSP to discontinue the coverage. Since billing and coverage for the program are processed on a monthly basis, all you have to do is remove that merchant’s ID number from the active accounts list you submit to Royal Group Services for that month’s billing. If a merchant wants to rejoin the program, you simply include that merchant’s ID number on the next month’s billing list.

 
  Don’t I have to be licensed to provide the program?
 
  No. You are not selling, soliciting, or marketing insurance—you are purchasing insurance. You have shared liability with your merchants and you are collectively purchasing protection against that shared risk.

 
  Since the program is a portfolio product, won’t that increase my merchant attrition rates?
 
  No. In fact, our clients have seen little to no increase in their merchant attrition rates. Unlike other fees applied by your competitors, this program allows you to provide significant value to your merchants at very little cost. In fact, for those clients who offer merchants an opportunity to opt out of the program, the average portfolio opt-out rate is less than 22%.

 
  How do we get started with the Data Breach Security Program?
 
  It’s easy! Just contact your Royal Group Services representative at 1-888-747-8220 or use the form on the contact page to get started or to ask any additional questions about the program. We look forward to hearing from you!