Cybersecurity, Breach and Prevention Tips and VISA VAMP Program

Breaches happen, and all too often we only hear about the big companies. As a small business you are equally vulnerable. Some large companies may be able to withstand the firestorm and financial impact a single breach can cause; a small company often cannot. As a small company you may be handling personal and private information. This information is not limited to HIPAA-covered health data, and precautions must be taken to prevent 

In 2023 and 2024, numerous companies across various sectors experienced significant data breaches. Notable incidents include:

Snowflake Inc. Customers: Hackers affiliated with the group Scattered Spider breached over 100 customers of Snowflake, Inc., affecting organizations such as AT&T, Ticketmaster, Santander Bank, LendingTree, and Neiman Marcus. The attackers logged in with credentials stolen by infostealer malware, to accounts on which multi-factor authentication was not enforced. The compromised data varied and included personally identifiable information, banking records, digital event tickets, and customer call records.
 
National Public Data: This background check company suffered a breach exposing approximately 2.9 billion records of sensitive information, including full names, addresses, Social Security numbers, dates of birth, and phone numbers. The breach led to multiple lawsuits and the company’s eventual bankruptcy.
 
DISA Global Solutions: A provider of employee screening services, DISA reported that data on more than 3.3 million individuals was exposed. The breach was discovered more than two months after the initial intrusion.
 
Holt Group: A machinery and construction corporation based in San Antonio, Holt Group experienced a data breach affecting 12,455 individuals. Compromised data included names, addresses, government IDs, and financial information. (Source: San Antonio Express-News)
 
Illinois Department of Human Services (IDHS): Over 1 million individuals had their personal information accessed after a phishing campaign compromised IDHS employee accounts. Approximately 4,700 Social Security numbers were exposed. (Source: Jacksonville Journal-Courier)
 
Total Tools: An Australian hardware chain, Total Tools faced a data breach affecting around 38,000 customers. Exposed information included names, email addresses, credit card data, login details, mobile numbers, and shipping addresses. (Source: The Australian)
 
Fidelity Investments: A data breach exposed details of thousands of customers. Although the data wasn’t misused, Fidelity offered free identity monitoring services to affected individuals. (Source: Yahoo Finance)
 
Atlassian: The Australian software company experienced a data leak caused by stolen employee credentials, affecting 13,000 employee records and office floorplans. (Source: Wikipedia)
 
23andMe: The biotech company suffered a breach in which customer accounts were accessed through a credential-stuffing attack (replaying username and password pairs leaked from other sites), exposing genetic data, names, email addresses, and other personal information. (Source: Tech.co)
 
T-Mobile: The telecommunications giant faced another data breach affecting around 800 customers, with contact information, ID cards, and Social Security numbers accessed. (Source: Tech.co)


These incidents underscore the persistent challenges organizations face in safeguarding sensitive data against evolving cyber threats. As a small business, which of the failures that hit larger companies should I be thinking about for my own?

As a small business, your number one threat starts with your network: how you process payments, how you store client information and data, and whether you understand what safeguards to take. In the end, it starts with PCI DSS compliance.

Companies often fail to maintain PCI DSS (Payment Card Industry Data Security Standard) compliance for a variety of reasons, many of which stem from gaps in security practices, oversight, or resource allocation.

As of the most recent data, it’s estimated that over 50% of businesses are not fully PCI DSS compliant — and the compliance rate has actually been declining in recent years.

📊 Some key stats from reports (like Verizon’s Payment Security Report):
  • Only around 27% to 36% of organizations maintain full compliance year over year.
  • A large portion of businesses fall out of compliance after initial certification due to:
      • Not maintaining required controls.
      • Failing to keep up with ongoing changes to the standard (like PCI DSS 4.0).
      • Resource limitations, especially in small to medium-sized businesses.
🚨 Why So Many Aren’t Compliant:
  • Complexity of PCI DSS (especially newer versions like 4.0).
  • Lack of internal expertise or IT support.
  • Misconception that “compliance = one-time event”.
  • Budget constraints or prioritizing other security initiatives.
  • Overreliance on third-party vendors without validating their compliance.
 
What are the most common reasons that a breach can occur?
🔓 1. Inadequate Data Encryption
  • Cardholder data is stored or transmitted without strong encryption.
  • Encryption keys aren’t stored securely or rotated regularly.
🔄 2. Failure to Maintain Secure Systems
  • Unpatched software or outdated systems (e.g., operating systems, firewalls).
  • Lack of vulnerability scanning or penetration testing.
🔐 3. Weak Access Controls
  • Too many users have unnecessary access to cardholder data.
  • Use of shared or default passwords.
  • No enforcement of multi-factor authentication (MFA) for sensitive access.
📜 4. Poor Documentation & Policies
  • Missing or outdated security policies.
  • Lack of formal processes for handling and reporting incidents.
👥 5. Lack of Staff Training
  • Employees are unaware of PCI requirements or social engineering threats.
  • No ongoing security awareness programs.
💾 6. Storage of Unnecessary Cardholder Data
  • Storing sensitive authentication data (CVV/CVC codes, full magnetic stripe or chip data) after authorization, which PCI DSS never permits, even encrypted.
  • Storing full card numbers (PANs) in the clear, for example in application logs or spreadsheets, instead of truncating, tokenizing, or encrypting them.
  • Retaining data longer than needed.
🔍 7. Improper Logging & Monitoring
  • Incomplete or missing audit logs.
  • Failure to monitor access to systems and data, making it harder to detect breaches.
🧪 8. Skipping Regular Assessments
  • Not completing annual PCI self-assessments or failing external audits.
  • Businesses often mistakenly believe one-time compliance is enough.
🔌 9. Non-compliant Vendors or Third-Party Services
  • Using service providers that aren’t PCI compliant themselves.
  • Lack of due diligence and agreements ensuring third-party compliance.
🧱 10. Lack of Network Segmentation
  • Cardholder data environments aren’t properly segmented from the rest of the network, increasing risk exposure.
 
Card brands are standing up and taking notice, and soon, ACTION. Visa is the first to make news regarding PCI compliance, the attestation (certification), and scanning (quarterly external vulnerability scans of your Internet-facing systems by a PCI Approved Scanning Vendor, which confirm that the business is using a properly segmented, secured network and proper data protection protocols to reduce the risk of fraud).
 
VAMP stands for Visa Acquirer Monitoring Program. It is a monitoring and enforcement program run by Visa that tracks merchants and service providers, through their acquiring bank or processor, whose Visa transactions generate fraud reports and disputes above Visa’s thresholds. That is typically what happens when:
  • Controls required by PCI DSS are missing and Visa card data is exposed, or
  • There has been a data breach, or there are signs of suspicious activity involving Visa card data.
 
🔍 Key Purposes of VAMP:
1.    Monitor risky merchants and service providers handling Visa card data.
2.    Push those whose fraud and dispute rates exceed the thresholds to close the underlying control gaps, including PCI DSS (Payment Card Industry Data Security Standard) non-compliance.
3.    Drive remediation efforts after data breaches.
4.    Ensure ongoing risk reduction and stronger controls across the payment ecosystem.

📋 What Happens If You’re Enrolled in VAMP?

Being placed in VAMP isn’t a good thing; it means Visa has identified significant risk. If you’re part of the program, you may be required to:
  • Complete a forensic investigation by a PCI Forensic Investigator (PFI) if you were breached.
  • Engage a Qualified Security Assessor (QSA) to validate PCI DSS compliance.
  • Submit remediation plans or undergo additional audits.
  • Pay fines and face increased scrutiny.
  • Risk losing the ability to process Visa transactions if you don’t comply.
 
🛠️ Why Might a Business Get Placed into VAMP?
  • Fraud or dispute (chargeback) rates above Visa’s thresholds.
  • History of data breaches.
  • Repeated PCI non-compliance.
  • Use of insecure third-party processors.
  • Exposure of cardholder data through misconfigured systems or malware.
 

Just having separate private and public networks is not enough. If your merchant statement has a fee labeled "PCI Non-Compliance Fee" (likely $19.95 to $149.99 a month depending on the processor), you are at RISK of increased scrutiny and future fines and fees. If you are getting notices or emails asking you to complete your PCI assessment, do not ignore them; ignoring them leads to fees that are completely avoidable. If you are unsure whether you ever completed the online self-assessment questionnaire (SAQ), either directly or through a certified third-party assessment company, you may be at risk. In the future, if you’re dealing with VAMP or suspect you’re at risk of being flagged.

If you are unsure whether this article impacts you, or want to ensure your network is secure, give Tried & True Consulting a call. The consultation is free, and the output of our conversation will either lead to the correct next steps or reinforce that you are already doing the right thing. In the end, Tried & True serves clients in 99.9% of the industries out there and would love to help keep your and your clients’ information safe, retain the revenue you earn, and potentially even grow your top and bottom line!

Tried & True Consulting. Visit https://www.triedandtrueconsulting.com or call 407-741-0077.
