More than a million merchant locations, or about 10% of the nation’s total, now have some form of breach protection through their acquirers, according to the best guess by Robert Halsey, president of Royal Group Services Ltd. LLC, a Troy, Mich.-based insurance brokerage specializing in the payments industry. That figure has grown from perhaps 30,000 in early 2008, Halsey estimates.

Interest in breach protection has been growing more quickly in the last 12 months than in previous years, says Heather Foster, vice president of marketing for ControlScan Inc., an Alpharetta, Ga.-based provider of security services. Like many security-services and Payment Card Industry data security standards compliance providers, ControlScan offers ISOs breach protection.

As interest in protection has grown, the number of ISOs offering it has increased, too. By now, perhaps 20% to 30% of ISOs are offering breach protection or breach insurance, says Adil Moussa, an analyst with Boston-based Aite Group LLC.

Many trace the recent growth spurt in breach protection to increasing awareness of both protection offerings and the financial repercussions of a breach.

A lot of ISOs also held off on breach protection until recently, much like Old West gunfighters in a standoff waiting for somebody else to pull the trigger first, notes Tom Mulligan, a vice president at CL Frates & Co., an Oklahoma City-based insurance broker that offers breach protection.

Breach protection comes in two varieties. Either a security vendor holds an insurance policy and offers the protection to merchants through their ISOs, or an ISO buys a policy directly from the insurance broker.

Larger ISOs may get their best deal by buying a policy themselves and thus eliminating the “middle man,” says Halsey.

Smaller ISOs may get a better price through a security provider that pools smaller ISOs and therefore spreads the risk, he notes.

“If they have 10,000 merchants of more, they may want their own policy,” Halsey says of ISOs. “If you have 1,500 merchants, you get better pricing through the security company.”

Smaller ISOs also may want to view the decision to pick up protection through a security provider as a case of outsourcing a business process, says Steve Robb, ControlScan senior vice president, products and services.

Whoever holds the policy, certain numbers come up repeatedly in discussion of breach protection. One of those figures, $50,000, seems like the magic number in breach protection.

That’s enough to cover the $40,000 or so in fines, fees, notifications and recompense that often arise from a data breach.

Another recurring number, $25,000, comes up because that amount would cover data breaches at retailers with a small number of transactions.

Coverage of up to $100,000 also appeals to some ISOs that provide services for larger merchants.

The $50,000 coverage seems adequate for about 90% of the merchants at First Capital Payments, a Rochester, N.Y.-based ISO, says Hiram Hernandez Sr., company president.

Hernandez is negotiating, however, for more protection for some of his merchants, citing the case of one that posts $800,000 in transactions per month and thus warrants more coverage.

ISOs will find that they can’t get breach insurance or breach protection unless they commit a significant portion of their merchant portfolios to the plan, insurers agree.

No insurance carrier will take on the risk of providing breach protection unless the number of merchants insured brings in enough in premiums to cover the payouts likely to occur if a breach takes place, sources say.

“The numbers have to work out for the insurance company,” notes Robb.

Just the same, breach protection brings opportunity for acquirers.

Reselling protection to merchants can become a profit center, notes Hernandez, adding that some ISOs might pay $1.50 per month to an insurance broker or security vendor and mark up the product to $7.95 a month.

Although some sources mention lower figures, ISOs generally pay $2.50 to $3.50 per month, says Brandon Bronson, sales manager for Centennial, Colo.-based PCI Compliance Inc.

Merchants typically pay $6.95 to $9.95 a month, says Halsey.

ISOs set the prices at whatever amount they choose, Mulligan notes.

Subscribe Now

Authoritative analysis and perspective for every segment of the payments industry

14-Day Free Trial

Authoritative analysis and perspective for every segment of the industry