SPC
03-16-2009, 10:32 PM
As a payment service provider that handles CHD on behalf of clients, we are continually reviewing our risk as card volumes continue to grow.
Whilst we will always operate our systems to a high standard that is well beyond PCI DSS mandates, we are not ignorant to the fact that a data breach remains a very real threat to our organisation and one that we cannot completely protect ourselves against.
We are therefore presently discussing the possibility of further insuring against the financial liabilities that are associated with a data breach (whether futile or not). We already have professional indemnity and the various other standard policies, however these have limited applicability in a data breach scenario due to the number of exclusions that exist in standard policies.
Is anyone aware of insurance products in existence that address mitigating the costs and liabilities associated with a PCI DSS data breach situation? Unfortunately the insurance brokers we have discussed this with are not fully versed on PCI DSS (as one would expect) and therefore are only providing general advice.
When preparing the physical costs of a breach for an insurer's review, we understand the direct cash liabilities that need to be covered include:
Schemes Fine (per incident): $500,000 (if found non-compliant)
Liability from issuers: circa $25 per card re-issued
Legal defense costs: depends on size of breach
Other non-cash costs which can't be easily measured include:
Internal staff time costs
Company/Brand reputation
We are also watching the Heartland case closely to establish what liabilities a PCI DSS compliant organisation (assuming they are found to be) is still liable for if a breach occurred. We are still unclear on that point as we are of the view that PCI DSS compliant != no liability.
Feedback, comments or advice on any of the above points would be appreciated.