Data security is a journey, not a destination

National Payment Processing Expert John Mayleben offers tips
Data security isn’t a one-and-done proposition. Taking precautions required for data security should be viewed more as a journey than a destination.

“It doesn’t ever end because, on any given day, the bad guys figure out a new way to steal from us,” says John Mayleben, a Michigan Retailers Association (MRA) consultant and national expert on payment processing.

The COVID-19 pandemic crisis provided more opportunities for bad actors to steal data as businesses scaled back their physical footprint, or closed their doors completely in the face of reduced traffic to their brick-and-mortar locations.

So what can merchants do?

Begin by completing a Self-Assessment Questionnaire, or SAQ. In the credit card world, data security policies require every merchant, regardless of how big or how small, to complete an SAQ. The process involves answering questions and completing an attestation of compliance that they are Payment Card Industry (PCI) compliant at that moment in time.

Merchants must do this once a year or anytime they change their systems, whether that’s a processor, credit card terminals, or any of their payment processes.

“You have to fill this out once a year to be compliant. If you ever have a data breach, you have to show that you’ve done this within the last year,” Mayleben said.

A data breach is conceivably a life-ending event for a business because of the potential fines and related expenses, according to Mayleben.
A response needs to be two-fold. The first step is what Mayleben describes as stopping the bleeding. This usually involves replacing the terminal, addressing the area that is allowing the bad guys access, and adopting a new, more secure procedure for processing transactions.

The second part is the cleanup. This requires identifying when the first and last breaches occurred. You must alert every cardholder whose transaction took place during the window in which card data was exposed.

Typically, the merchant is on the hook for the cost of card replacement. The price per card is roughly $25. This sum adds up quickly. Why? Because authorities assume that every transaction that was in your system during that time period was exposed to the bad guys. As a result, you need to issue replacement cards for all of them.

Fines from Visa and MasterCard related to a data breach are more significant for merchants that aren’t PCI compliant or don’t have an attestation of compliance.
Fortunately, an insurance policy may cover a portion or all of that cost. As part of its credit card transaction program, MRA automatically includes $100,000 worth of data breach coverage for every merchant number (MID) on its system. Still, if the breaches are big enough, that coverage might not be enough. That’s why some businesses are layering coverage with outside cyber insurance policies.

While insurance policies are important to have, the best way to avoid a data breach is to make sure you have policies and procedures in place that reduce your exposure by removing sensitive authentication data and limiting data retention.

How complicated is filling out the SAQ? It depends on the transaction processing solution you use. The less cardholder data you gather and store, the lower the risk, and the easier the compliance process.

“The first conversation I always had with merchants was when they talked about PCI compliance,” said Mayleben. “Before we talk about what kind of hardware and anti-virus software you have, let’s go through your procedures. Let’s review how you do transactions. See if we can limit the scope. If we can limit the scope, we’re done talking. You should always ask yourself, do I really need to have this data in my control?”