In 2022, over a third of all UK businesses identified a cyberattack, including phishing attacks, denial of service, and ransomware.
Security is getting tighter, and consumers and businesses are more aware, but cyberattacks and resulting data breaches are an ever-present threat in this digital world.
As an e-commerce business, you must follow all the necessary steps to minimise the threat of cyberattacks, including adhering to the latest security and compliance regulations. But sometimes even the tightest security can be breached, so learning how to respond to these attacks and minimise the damage they cause is just as important.
In the following guide, we’ll show you how to respond to a data breach, covering questions such as:
- How do I limit data exposure?
- How do credit card processors deal with fraud?
- What is an incident response plan?
- What is considered to be cardholder data?
- How should cardholder data be handled?
Implement an incident response plan
The PCI Data Security Standard (PCI DSS) is a set of requirements that must be followed by all companies that accept or process card payments.
According to requirement 12.10 of this standard, all businesses must:
“Implement an incident response plan. Be prepared to respond immediately to a system breach.”
The plan must be read and understood by the responsible parties, and it should also be tested to ensure it works as intended.
An incident response plan is simply a plan that outlines how an organisation will respond to a data breach. It typically includes the following steps:
- Preparation: Prevention is the best cure, as the saying goes. That also applies to data breaches, so your first step is to improve staff awareness/training, audit systems, and look at other ways of mitigating risk.
- Identification: The next step is to plan for what happens when a data breach has been discovered. What will you do to identify the cause and extent of the breach? What will those initial steps entail?
- Containment: How will you contain the data breach? For instance, systems may need to be taken offline, hackers can be removed from the system, and files can be deleted.
- Eradication: It’s time to eliminate the risk. If the data breach occurred as a result of ransomware, plan for its removal; if an employee’s account was compromised, freeze it and deal with the issue.
- Recovery: Now that the issue has been dealt with, it’s time to get the systems back online and recover everything that can be recovered.
- Lessons Learned: After the data breach is over, the final step is to look back, analyse the process, and see what lessons have been learned and whether any improvements can be made.
Limit data exposure
E-commerce businesses are a rich source of data for hackers, and they’ll do everything they can to get their hands on that data.
Organisations must therefore secure it and mitigate loss in the event of a data breach.
Think about:
- How is your data stored?
- How is it secured?
- How is it communicated?
- Do you use any access controls?
- Are there any weak points?
If someone gains unauthorised access to your systems, will they instantly have access to all of your data or are there additional layers of security?
Think of a data breach in the context of someone breaking into your home. If they break through the front door and encounter a series of locked doors and alarms, the damage will be minimal. If they break through and instantly encounter a bowl full of keys—car keys, garage keys, safe keys—they’ll take everything.
You should be able to isolate systems to prevent a breach from spreading, and that isolation must extend beyond a simple system shutdown.
Finally, when you’re fighting a data breach, make sure you’re not deleting any evidence, as you’ll need that to identify the source of the hack.
Understand notification requirements
A data breach is a major embarrassment for an organisation. It’s a logistical nightmare and a financial headache, and the icing on this disaster cake is that exposed customers/clients must be notified.
But there’s no getting away from this. Anyone whose data has been exposed should be notified immediately, giving them a chance to cancel credit cards, notify bank providers, and be on the lookout for phishing attacks.
Payment providers, banks, and other involved entities must also be notified.
Create a list of all parties to notify following a breach. Make sure you have updated contact details for all of them, including your customers.
How Pixxles can minimise card data breaches
At Pixxles, we understand the risks that modern organisations face and are fully prepared to deal with them. We use advanced encryption technology to protect all transactions and ensure that card data and user data are safe and secure at all times.
We provide credit card processing solutions for businesses of all sizes and can process payments in dozens of currencies and for countless purposes.
We’ll keep your e-commerce business running like clockwork and will ensure that security needs are met, letting you focus your efforts on day-to-day operations.
To learn more about the work that we do, check out this guide: Why Pixxles.
If you’re ready to sign up and experience fast, seamless, and secure payment processing, apply today.
Cardholder data breach FAQs
How do credit card processors deal with fraud?
Card processing services use authentication and authorisation checks to minimise the risk of fraud. These include a system known as 3D Secure, which tasks customers with completing an additional verification step to prove they are the cardholder.
These services also request details such as the CVV number, which is displayed on the card itself.
How should cardholder data be handled?
Cardholder data should only be stored if there is a valid legal, regulatory, or commercial need to do so, and it must always be stored in an unreadable/encrypted form. The data should also be encrypted when it is transmitted, thus ensuring it cannot be misused if it is intercepted.
How common are data breaches?
Data breaches are very common and they can occur in businesses of all sizes. We tend to only hear about the big breaches, the headline-making hacks that result in tens of millions of user profiles being stolen. But there are many smaller hacks being reported every single day.
As an organisation involved with the processing of payments, you can’t guarantee 100% that you won’t be a victim of these attacks. But if you use secure systems and processes, inform/train your staff, and keep detailed response plans, you can greatly reduce the risk of a data breach and ensure you’re prepared if one does occur.
What counts as cardholder data?
Cardholder data is any kind of personally identifiable information associated with an individual who has a debit or credit card. It includes the full name of a cardholder, as displayed on the card.
What is not considered to be cardholder data?
Truncated card details are not considered cardholder data. Truncation refers to the process of shortening or masking: a user’s full name and full card number are classed as cardholder data, but if only the last few digits of the number are shown, the truncated number is not cardholder data.
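As an added illustration of the two FAQ answers above (store nothing readable, keep only truncated numbers), here is example Python written for this article rather than code from Pixxles: it validates a card number with the Luhn check, truncates it to the digits PCI DSS permits to be shown, and scrubs any full card numbers out of free text such as an application log line before that text is stored. The function names and the sample log line are constructed for the example; the card number in it is a well-known test number, not a real account.

```python
import re

def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check used by payment card numbers; cuts down false
    positives when scanning text for card-number-shaped runs of digits."""
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def truncate_pan(pan: str, keep_first: int = 0, keep_last: int = 4) -> str:
    """Return a truncated card number keeping at most the first 6 and last 4
    digits (the most PCI DSS allows to be displayed); the rest become '*'.
    Spaces and dashes are stripped first. Raises on a non-card-number."""
    digits = re.sub(r"[ -]", "", pan)
    if not luhn_valid(digits):
        raise ValueError("not a valid card number")
    keep_first = min(keep_first, 6)
    keep_last = min(keep_last, 4)
    masked_len = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "*" * masked_len + digits[len(digits) - keep_last:]

# Candidate runs of 12-19 digits, optionally separated by single spaces/dashes.
_PAN_RE = re.compile(r"\b(?:\d[ -]?){11,18}\d\b")

def scrub_pans(text: str) -> str:
    """Replace every Luhn-valid card number in free text (e.g. a log line)
    with its last-4 truncation, so the stored copy is not cardholder data.
    Other long digit runs (order refs, timestamps) are left untouched."""
    def _repl(m):
        try:
            return truncate_pan(m.group(0))
        except ValueError:
            return m.group(0)   # not a card number; leave it alone
    return _PAN_RE.sub(_repl, text)

# Constructed sample log line; 4111 1111 1111 1111 is a standard test number.
SAMPLE_LOG = "2024-03-01 order=4471 card=4111 1111 1111 1111 amount=19.99 ref=123456789012"

if __name__ == "__main__":
    print(scrub_pans(SAMPLE_LOG))
```

Run this over log output before it is written to disk or shipped to a log service, so that a later breach of the logging system does not expose full card numbers.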