As HSBC learnt first hand in July 2009, when it was fined £3 million by the Financial Services Authority for losing customer data, high profile information security breaches can be expensive. But they can be just as disruptive for smaller organisations.
Paul Hutchinson is director of finance and facilities for the NCT Shop, the National Childbirth Trust’s sister organisation that sells maternity equipment such as breast pumps and feeding bottles. The first he heard about the security breach that upturned the way NCT Shop handles credit card details, it was on a call from Barclaycard, its banking services supplier, in November 2008.
Having noticed a commonality among recently compromised credit cards, Barclaycard informed the Trust it may have suffered a security breach. It transpired that NCT Shop’s ecommerce site was illegally exposing customers’ credit card details on the web.
The ecommerce functionality was supported by a third party supplier, which has since gone into administration. Immediately after learning of the breach NCT Shop took its ecommerce site, which handles 70% of its commercial activity, out of action. “Our first reaction was concern for customers,” says Hutchinson. But that downtime was only just the start of the disruption. “A huge juggernaut kicks into play when you suffer any kind of breach,” explains Hutchinson. “First of all, there are the fines imposed by VISA or Mastercard.
Those fines are based on any cards that may have potentially been put at risk, not those that have necessarily been compromised.”
The breach also dramatically increased the security precautions that the NCT Shop was obliged to take in order to be compliant with PCI (payment card industry) standards.
“Prior to this episode, the NCT Shop was ranked as a level four merchant so we only had to meet minimum PCI compliance requirements,” recalls Hutchinson. “As soon as you have a breach, however, you become a level one company, so you have to meet the same sort of requirements as a large retailer. So you really are hit by a double whammy.”
The security requirements for a level one merchant are substantial, to say the least.
“You have to constantly monitor your system for anything that may be an attempted breach; you have to maintain incredibly rigourous security procedures with regard to access to your premises, and logging procedures with regards to access to your systems,” explains Hutchinson. “For a small organistation that is a really significant overhead.”
This is why the NCT Shop took the decision to wash its hands of credit card payment processing. For its ecommerce site, it now employs a secure third party gateway that is recognised as PCI compliant.
“When a customer clicks ‘pay’, they are taken through to their website in encrypted pathways so that credit card information is never on our web server,” says Hutchinson.
To process orders made by phone or post, staff use portable credit card terminals of the sort seen in restaurants.
“If the person is present they can enter their card details. If they are not present we can pass a transaction using their card details. But it is not stored or in any way available to the IT system.”
But removing the requirement to be PCI compliant itself has not absolved the NCT Shop’s responsibility to ensure its customers’ credit card details are safe. And, having suffered in the past, Hutchinson now takes particular care to make sure that the company’s third party suppliers understand the need for security and safe handling.
“When one uses third party suppliers, one tends to invest one’s trust that those suppliers have the same level of focus on managing your information as you do, but that’s not necessarily the case,” he says. “Those third parties can be weak links in the chain, which is what happened to us.”
Hutchinson hopes his experience will serve as a cautionary tale.
“I would advise organisations to make sure that they have appropriate contracts in place [with their suppliers] and to institute such checks as are possible to make sure credit card details are handled securely.”