Data breaches are a common threat in the payments industry, with over 87% of small businesses having reported a security breach in the last year, as found by the 2013 Information Security Breaches Survey. According to the 2013 Cost of Data Breach Study by the Ponemon Institute, third-party service providers accounted for the largest increase in data breach costs this year in the US, with other countries reporting similar findings. When a service provider breach occurs, it is extremely important for acquirers to identify every entity that is connected to it, but mapping those third-party merchant-to-service provider relationships is very difficult for acquirers.
Using Data to Make the Connections
Relationships and communication between acquirers and their merchants’ service providers can be limited, so acquirers are faced with the challenge of identifying which of their merchants are affected by a third-party service provider breach. G2 Web Services suggests using a service, such Service Provider Sentinel, which identifies merchant service providers for acquirers and maps their relationships. At the request of the acquirer, Service Provider Sentinel can also conduct a Reverse Account Data Compromise in case of a service provider breach. G2’s Reverse Account Data Compromise service identifies which merchants are connected to the specific service provider in the acquirer’s portfolio. This information is essential for acquirers to quickly stem the severity of a breach by notifying merchants as soon as possible.
Case Study
G2 recently helped two acquiring bank clients identify over 100 merchants that were affected by a suspected data breach.
Two acquiring bank clients approached G2 Web Services after being notified of a suspected breach as a result of a third-party service provider. The acquirers conducted a Service Provider Sentinel Reverse Account Data Compromise to determine how many of their merchants were impacted by the breach. By triangulating the payment service provider that supported multiple merchants, G2 was able to identify 122 merchant associations for the two acquiring banks. These results gave the acquirers the information they needed to reach out to the respective at-risk merchants and deal with the suspected breach as needed.
The way an acquirer handles a suspected data breach greatly depends on who is affected and the scope of the breach, making it imperative to identify this information as soon as a suspected breach is reported. A small breach that only affects one merchant may require far less time and resources compared to a breach that affects 100+ merchants. Knowing this information arms acquirers with the knowledge they need to handle the breach accordingly. With services like Service Provider Sentinel Reverse Account Data Compromise, G2 can identify this information and make the connections for you. Learn more about how Service Provider Sentinel Reverse Account Data Compromise can help acquirers identify and register their service providers, and quickly minimize the scope of a data breach.
