Mark Dunn
January 26, 2023
min read

This is all-out war.  Our merchants face an onslaught from internet-based bad actors who can destroy their businesses.  The stakes are incredibly high.  Hackers have moved downscale from larger targets and are attacking small to medium-sized businesses to steal personal information.  Then the bad guys use this personal information to perpetrate identity fraud.  Most small businesses are in this fight unarmed and uninformed.  What are we doing to help defend them against the daily attacks from internet thieves?

As prelude to a report on the current state of identity risks, Eva C. Velasquez, President, and CEO of the Identity Theft Conference Center wrote, “ We may very well look back at 2021 as the milestone year when we officially moved from the era of identity theft to an era of identity fraud.  That is to say, the time when cybercriminals shifted from mass data accumulation (identity theft) to mass data misuse (identity fraud).  Fueling most identity fraud-related crimes was consumer information stolen from businesses in data breaches.” (our bold letters)

It seems to me that if we really cared about our clients, we would get into this fight at the side of our clients.  We would be providing them with some means of protecting themselves against hacking, identity theft and fraud, email phishing, and other attempts to steal their personal information.  Or at a minimum, we would help them put the policies and procedures in place to prove that they did everything commercially viable to protect their valuable data and personal information.  Doing the minimum for them could save their business.

All PayFac and ISO owners are enforcing PCI DSS measures to keep payments safe.  That’s great for payments.  But payments data is only one of the types of valuable data that could be intercepted, disrupted, or stolen.  What about the rest of the personal information and data they are gathering?

Picture a small business as a walled medieval castle.  Personal information and user data are the crown jewels in the vault room.  Whereas most medieval castles had only one gate, small businesses have four or five gates in the castle wall: multiple ports, email, client log-ins, payments, etc.  Payments are only one of the gates into the citadel.  

The bad guys are constantly probing for that one unprotected gate.  All it takes is one gap where they can squeeze inside and wreak havoc.

Most experts say it’s only a matter of time until one of the hundreds of daily attacks finds a weakness and exploits it.  Then the nightmare begins for the small business owner.  If she is unprepared, she may lose her business to massive costs to fix the problems.

The unprepared small business owner learns he has to report the breach in every state where the business has customers or users whose data they have collected.  The laws are different in each state.  There is currently no uniform Federal standard.

Some states publish lists of all companies that have reported breaches for customers or users from their state.  This has come to be known as “name and shame” for the stain it puts on the company’s reputation.

What could payments companies be doing?

Sell them breach insurance.

There are mixed reviews on breach insurance.  A broad array of coverages are available for breach insurance – some good, some not so good.  But what good is $50,000 of breach insurance coverage if it will cost you $250,000 to address all the actions required to unwind a problem you might have avoided in the first place?  Risk mitigation should come first.

Do nothing.  Not my problem.

If we’re not concerned about a problem that could put our clients out of business and cut off our residual dollars, what are we concerned with?

I would respond that if we’re not concerned about this and proposing a solution to the problem, we’re missing a great opportunity.  

You don’t understand – merchants won’t pay for it.

They won’t pay for something that is mandated by the Federal and state governments?  They won’t pay to be able to prove they acted responsibly to protect personal information?   They paid for PCI DSS because they weren’t given a choice.  This solution is ready for the payments processor or ISO who will require it because compliance with personal information requirements is not optional.

Risk Mitigation

Here’s an example of a solution that works for the merchant and the payments company.  Consider the personal information privacy bundle offered by a company called CSR.  It’s called uRISQ and covers three major areas the merchant needs:

  1. Monthly scanning of the merchant’s website for vulnerabilities, such as open ports
  2. Guidance and templates for the merchant’s data privacy policy, a requirement by state and Federal law
  3. Support and help in case of a breach.  The breach reporting requirements are substantial.

The bottom line here is that the merchant doesn’t have to be perfect in every way in dealing with personal information.  The merchant does have to be able to prove they did what they could – what was commercially viable – to prevent the loss or theft of personal information.

The monthly cost to the merchant is reasonable (equal or less than their current monthly PCI fee) and the payments company makes a good profit.

If you’d like more information about uRISQ™, click this link:

If you’d like to learn more about how uRISQ™ could work for your payments business, email

Posts you may like