Cyber crime is a broad term encompassing any crime committed by way of a computer or the internet. We acknowledge that cyber crime is an extremely complex subject; however, we aim to provide readers with an introduction to cyber security risk and to emerging best practice. Cyber crime is a constantly evolving threat. Recent analysis shows that cyber crime cost the UK more than £1.5 billion in 2015.¹ Reading about high profile cyber breaches in the news is becoming the norm. Recent examples of victims of high-profile attacks include Ashley Madison and TalkTalk. The effects of these breaches are clear – a loss of customer data or disruption to service coupled with reputational damage. Often the reputational effects are the most damaging: months after the attack on TalkTalk, its stock market value was still almost £1 billion less than on the day the attack was announced.²

There are manifest types of cyber-threats of which businesses should be wary. Some businesses are more at risk than others from certain types of threat.

The vast majority of cyber incidents fall into the category of fraudulent attacks. These include identity theft, attempts at extortion, and other crimes which specifically target individuals or employees.⁶ Fraudulent attacks often take the form of phishing emails containing ransomware which are sent to employees. A high-ranking employee or executive could receive an email saying that a significant amount of sensitive data has been stolen and will be released publicly on a certain date unless a large sum is paid. The deadline will rarely allow sufficient time for the investigation of such an incident.⁷ Cyber-attackers in these cases are most often motivated by money.

As we all know, criminals will frequently target locations where they can obtain the most money quickly. Cyber-criminals are no different and arguably, theft of payment card data was the forerunner to what we know as cyber crime today. Criminal gangs are able to launch cyber attacks on businesses which accept or process card payments; for example, by hacking into till systems and leaving software capable of sitting undetected in a system whilst copying card details before that data is extracted to the criminal. Such data is then sold through web-sites to others who are capable of creating plastic cards which are then used to make expensive purchases in countries where PIN numbers are not required.

Visa, MasterCard and other card schemes impose upon their merchant acquirer (payment processor) the obligation of ensuring payment card data security of merchants (entities accepting payment cards). The card schemes also administer, as part of their membership rules, methods of fining members who do not comply with data security obligations, and ensuring card issuers are compensated for losses arising from card data breaches.

Irrespective of whether a data compromise has occurred, the card schemes require members to ensure that they and merchants and third parties handling data on their behalf comply with the Payment Card Industry Data Security Standards (“PCIDSS”). This is a set of standardised obligations (often updated) regarding data security that a number of card schemes (Visa and MasterCard included) agree to enforce. Examples of obligations are: (i) installing appropriate firewalls; (ii) ensuring public access to systems is controlled; (iii) changing vendor passwords on software etc. This information can be accessed at www.pcidss.co.uk.

As acquirers will pass liabilities arising from payment card data breaches to merchants, it is important to understand what these losses may be. These will equate to:

Losses can run into millions of pounds and the consequences of an incident do not stop there. Given the significant impact card data loss might have on your business, it is imperative that steps are taken to comply with PCIDSS to ensure the security of systems and those with whom you contract to receive services. If in doubt engage with the rules and your payment processor, who will be able to guide you as needed.

A retailer can easily find their merchant services agreement terminated due to breach of contract. The Card Schemes operate systems which can make obtaining another facility difficult when you have been terminated for breach of contract and accordingly, suffering a payment card data breach can spell the end of a business.

Disruptive cyber attacks are intended to severely disrupt a business’ operations. These can be instigated by certain agencies, governments, or even sophisticated terrorist groups, using the attacks as a way to make their presence felt.⁸ For example, the North Korean government’s disruptive cyber attack on Sony Pictures in relation to the film The Dictator intended to express its distaste for the depiction of Kim Jong-Un. Such attacks are also undertaken by political groups; for example, part of the Anonymous ‘hacktivist’ network took down the London Stock Exchange’s website for more than two hours as part of its campaign against the world’s banks and financial institutions.⁹ Disruptive attacks may also be undertaken for commercial gain.