
Frequently Asked Questions

What are the benefits of the Service Protection Program (SPP)?

Merchants can incur thousands of dollars in costs when confronted with an actual or suspected data breach. These costs include audit expenses, card monitoring and replacement costs, and fines imposed by either the card associations or HIPAA/GLB regulatory bodies.

  • Fines and penalties levied by card associations as a result of the data security breach.
  • Card replacement costs and related expenses.
  • The cost of a security assessment by a qualified security assessor and/or a forensic audit conducted to determine the cause and extent of a data security breach.
  • HIPAA/GLB fines and penalties.
  • Post-event service expenses including notification letters, identity monitoring, credit restoration and victim reimbursement insurance.

Subject to the other terms and conditions of the Program, the Program will pay up to $100,000 per Merchant Identification Number (or "MID") for PCI/HIPAA/GLB fines/penalties, forensics, and post-event service consultation along with an additional $10,000 record-limit to cover post-event services such as printing/mailing of notifications, identity theft call center assistance, identity restoration services, identity monitoring and victim cost reimbursement insurance.

What are post-event service expenses?

Post-event service expenses are expenses incurred to assist cardholders whose identities may have been compromised by a data breach. Post-event services include notification letters, identity monitoring, credit restoration and victim reimbursement insurance. To receive reimbursement for post-event services through the SecurityMetrics program, approval must be received in advance.

Which merchants qualify for the Program?

Any Level 2, 3 or 4 merchant that has not already experienced a data breach is eligible. Level 1 merchants are not eligible for this Program.

Is there really any chance of a Level 4 Merchant experiencing a data breach? Why should a small or mid-size business participate in the Program?

Yes! At a credit card industry summit in 2009, experts reported that hackers are now targeting small and mid-size businesses, believing that they are easier targets. The costs of a single data breach to a Level 4 merchant average $36,000.

Do I have to be certified PCI DSS compliant before I can participate in the Program?

No. However, a merchant should follow PCI guidelines for security controls and run network scans by an Approved Scan Vendor (ASV) quarterly. Also, if a merchant experiences a breach, it must become PCI compliant prior to receiving any benefits under the Program from future breaches.

I am already certified PCI DSS compliant. How does the Program benefit me?

PCI DSS compliance alone cannot prevent these losses and does not provide immunity for a data breach. In addition, the Program will cover expenses and fines resulting from the physical theft of data by means not regulated by the PCI DSS. Recent data breaches have been reported by large retailers who were fully PCI compliant.

I do not store magnetic stripe data. Can I still have a data breach?

Merchants that store magnetic stripe data are not the only ones at risk. There are a number of ways that data can be breached. For example, your computer systems and software may have outdated (or missing) security updates, you may have software installed with default settings and passwords, hackers may use cross-site scripting web attacks, and data can be lost through theft of physical receipts and/or computers by employees and through skimming. All of these can lead to a data breach and subject you to significant fines and expenses.

What should a merchant do upon discovery of a breach?

Contact TRI immediately at 888-494-9988x2.

To get started, you will need the last 6 digits of your merchant account number and the mailing address with zip code.

or call SecurityMetrics at 801.705.5665

Do you want to learn how TRI can help your business? Go to our Contact Form, call us:
888-494-9988 x 1 or