What can happen when credit card data is stolen?

As an internet merchant accepting credit cards you are responsible for your customers card information, but what can happen if it all goes wrong?

The best protection against law suits and bad publicity is to ensure you are PCI DSS compliant. Red5 has a number of products available to help you monitor your site and ensure you are using the most up to date technology to protect your customers data.  We help you cover your site security through best of breed security scanning, and SSL encryption certificates.

If you are not PCI DSS compliant then the chances of your site leaking customer data are higher than you may think. That risk is ever changing with the advent of new technology and hackers creating new ways to get hold of that data as it flows over the internet, or by actively attacking a website to read from a database or file.

So what should you do if your site does leak credit card information?

Start working to close down the source. Check your staff, and contractors, have everyone change passwords, even if they don't have access to sensitive data.

If you get even a whiff of danger in this area, contact your bank immediately. They have the smarts to help you find the issue and fix it as quickly as possible. They will help because your bank or financial institution shoulders any financial loss that happens when credit card fraud occurs. For this reason, they spend billions of dollars and millions of man hours fighting the fraud and trying to prevent it.

You should also contact your web developer and hosting company and ask them to help you analyse any log files on your site for potential leaks of information. Also consider closing down your site temporarily to see if that is the cause. It seems extreme but 24 hours of lost sales could be far less than a potential law suit from a bank or credit card company.

Get on to your PCI Approved Scanning Vendor and arrange a scan as soon as possible. This may identify the area of your website that is vulnerable to attack. If you don't have a scanning tool already contact Red5 to discuss your options.

Consider contacting your customers, once you have confirmed the issue. A carefully managed communication will allow your customers to be informed and decide if they should contact their issuer and cancel their cards or not. Ultimately they trusted you enough to purchase your product and use your services, so having their details shared with or without your knowledge does not reciprocate that trust. It could lead to bad publicity for your company and impact your ability to make sales in the future, so think hard on how you manage this relationship.

Who is responsible, and who foots the bill for credit card fraud?

Finally, when credit card fraud incidents occur the issuing banks are the ones that shoulder the financial burden. These institutions will be very interested in your business once this occurs. They have guidelines about the scale of fraud events that determine what action they take to prevent further losses. Mostly this comes down to helping the site owner fix the problem and educate you on ongoing best practice. Once this has been completed the issuers will assess the losses and potential for recurrence and decide if they will need to recoup the cost of that fraud.