After a data breach, merchants are required by law to notify a host of authorities and agencies, a daunting task that presents an opportunity for ISOs and agents.

ISOs can offer their retailers the CSR Breach Reporting Toolkit, says Darrel Anderson, executive vice president of sales and client solutions for Jensen Beach, Fla.-based Compliance Solutions and Resources, which prefers to be called CSR.

Typically, ISOs mark up the toolkit by 200% to 300%, Anderson says.

In market research, CSR could find no other company offering breach-notification services as a product in the payments industry, says Peggy Olson, a principal at Strategic Marketing, a Phoenix-based consultancy that worked with the vendor on the project.

In creating the product, CSR worked hard to find all the entities merchants should contact and continues to keep pace with changes in reporting responsibilities, Anderson notes.

“We spend a ton of time updating databases, and we build them inch by inch,” he says.

Those requiring notification may include the state attorneys general, the local chief of police, the county sheriff, a privacy watchdog and many others, sometimes totaling more than 100 notifications, Anderson notes.

To make matters worse, retailers operating in more than one state face the additional challenge of making notifications in a “patchwork” of slightly differing regulations, says Julie Conroy McNelley, a senior risk and fraud analyst at Boston-based Aite Group LLC.

With the toolkit, however, CSR makes the right notifications on behalf of retailers when a breach occurs, Anderson says.

“That’s where we add value: making the proper notifications,” he contends.

In the toolkit’s year or two on the market, ISOs have placed the product with tens of thousands of merchants, according to Anderson.

“It’s a rare opportunity,” he maintains. “Everybody wins and nobody suffers.”

Although the acquiring industry has concentrated on preventing breaches, mainly through the Payment Card Industry data security standards, and on cleaning up the debris left after a breach, notification has not gotten as much attention, McNelley says.

Merchants could seek assistance from consulting companies that help with notification but do not specialize in payments, Olson suggests.

Notification probably mirrors PCI compliance, with larger retailers making plans and developing procedures while smaller merchants struggle from payroll to payroll, doing little to prepare for a breach or its aftermath, McNelley says.

Consequently, attacks on card data held by small retailers are exploding in number, McNelley says. Between 2010 and 2011, the number of breaches recorded in the United States increased sevenfold, but the number of records compromised has dipped slightly, indicating criminals are going after smaller, more vulnerable retailers, McNelley says.

That means ISOs have an important function, which is helping merchants reduce the chance of a breach by promoting PCI and helping to clean up after a compromise occurs, she maintains.
