“It appears your data was compromised.” Six words you never want to hear whispered — or more likely shouted — in your ear.
Yet as purveyors of products and/or services, ecommerce merchants must beware. Robert Hackett wrote in Fortune, “Data breaches are more than a headache for businesses — they’re costly too.”
The same is true for all companies and government entities that haven’t enabled the best payment processing security measures.
A study by IBM’s security division, cited in Fortune, found the average cost of a breach rose to $4 million per incident by mid-2016. That’s up 29% since 2013. If that doesn’t catch your attention, how about the average cost of $172 per record for ecommerce businesses?
Would you as a merchant like to pay direct costs like legal and regulatory fees, or be compelled to offer free credit monitoring subscriptions to victims? Or suffer loss of customers and brand damage because of negative media coverage and complaints victims choose to air on social media?
A fair guess is you wouldn’t like that at all. Nor do your customers want to receive letters from their issuing banks saying their credit card information was stolen when your customer database was breached.
Your business and customers deserve protection from hackers and other bad actors. Compliance and end-to-end security measures provide the best payment processing security for ecommerce stores.
Let’s review what’s been learned from mega retail data breaches, and how you can protect your business. After all, you don’t want to create the next big negative headline.
Lessons Learned From Front-Page Mega Retail Data Breaches
What do these companies have in common? Target Stores, Yahoo, the FriendFinder network, Ashley Madison, LinkedIn, Heartland Payment Systems, and Sony Online Entertainment. You guessed it — they’ve all suffered the front-page misery of a large data breach.
Even without any “mega” breaches reported in 2016, reports of data being stolen increased year-on-year. In 2016, the number of data breach disclosures topped the prior year by 40% and represented the highest number of data breach incidents reported in any given year.
The 1,093 reported security incidents involved loss of sensitive data — every cardholder’s nightmare. Why should online merchants care?
Because whether those records contain personally identifiable, payment, or health information about an individual, if it’s in your database you are held responsible if it’s stolen.
Along with enabling the best payment processing security, experts recommend the following proactive steps to help thwart the bad guys:
- Have an incident response team in place. Know what steps you plan to take, and what professional assistance to request. Fast action can lessen the damage to your business.
- Use encryption to protect the cardholder data you collect, following industry expert recommendations.
- Train employees to prevent inadvertent sharing of information.
- Share threat intelligence with retail merchant groups. Learn from your fellow ecommerce merchants.
- Appoint a chief information security officer. If it needs to be you, so be it. Or put a technically-minded staff member on point.
Lest you think that data breaches happen only to U.S. merchants, it’s clear the bad guys find ways to inconvenience customers and harm merchants in other countries too. Meanwhile, regulators are tightening merchant requirements to keep consumers informed if trouble develops.
Regulatory Compliance: Good For Business
Because the electronic payments industry deals in sensitive financial and personal information, it’s right and proper that regulations abound. The major card brands demand that credit card processing be taken seriously, and so, certainly, do your customers.
They want to know you have the best payment processing security in effect on your ecommerce website. The first compliance effort every merchant should address is Payment Card Industry Data Security Standard (PCI DSS) compliance.
No law requires that you comply, but the five major payment card brands certainly do. In fact, maintaining PCI DSS compliance is a contractual obligation between merchants and the credit card brands.
This set of standards is written for all merchants who process, store, or transmit debit, credit, or prepaid card information. To protect both merchants and cardholders, it lays out the steps required to maintain a secure transaction environment. Don’t neglect PCI DSS compliance.
A regulation that ecommerce merchants subject to US tax jurisdiction must honor is Form W-9 validation.
Under Section 6050W of the Housing and Economic Recovery Act of 2008, all payment settlement entities — including merchant services providers and financial institutions — must report their merchants’ annual gross payment card transactions to the IRS on Form 1099-K.
The IRS uses this data to verify information received from other sources. Merchants who fail to provide their taxpayer ID number to their processor could be hit with backup withholding equal to 28% of their gross payment card transactions. So again, don’t overlook it.
In short, such compliance and end-to-end security measures are the cornerstones of the best payment processing security you can offer to your ecommerce customers. Don’t let them down.
Data breaches have become far too frequent to engender any response but strong vigilance from ecommerce merchants.
“Businesses of every size and stripe are under assault practically every minute of every day,” says Adam Levin, chairman and founder of CyberScout. “… And make no mistake, foreign and domestic attackers are well armed, fully weaponized and in war mode.”
One sure-fire way to ensure your ecommerce business is protected by the best payment processing security is to work with the right payments processor. Choose a partner with strong payments industry expertise and a stellar reputation that will help you get it right.
Because safer payments make everyone more successful.