Take Immediate Action If Compromised
Merchants and service providers that have experienced a suspected or confirmed security breach must take immediate action to help prevent additional damage and adhere to Visa CISP requirements.
If a Visa member fails to immediately notify Visa Inc. Fraud Control of the suspected or confirmed loss or theft of any Visa transaction information, the member will be subject to a penalty of $100,000 per incident. Members are subject to fines, up to $250,000 per incident, for any merchant or service provider that is compromised and not compliant at the time of the incident.
Visa® has established certain guidelines to follow if your data is compromised. These will vary by card issuer, but should give you a good idea of what you need to do right away in the event of suspected or confirmed loss or theft.
Step-by-Step Guide for Compromised Companies
- Immediately contain and limit the exposure. Prevent further loss of data by conducting a thorough investigation of the suspected or confirmed compromise of information. To preserve evidence and facilitate the investigation:
  - Do not access or alter compromised systems (i.e., do not log on to the machine under any circumstances, do not change passwords, do not log in as ROOT).
  - Do not turn the compromised machine off. Instead, isolate compromised systems from the network (i.e., unplug the cable).
  - Preserve logs and electronic evidence.
  - Log all actions taken.
  - If using a wireless network, change the SSID on the AP and on other machines that may be using this connection, with the exception of any systems believed to be compromised.
  - Be on “high” alert and monitor all systems with cardholder data.
- Alert all necessary parties immediately. Be sure to contact:
  1. Your internal information security group and incident response team.
  2. Your merchant bank.
  3. If you do not know the exact name and/or contact information for your merchant bank, notify the Visa Fraud Investigations and Incident Management group immediately at (650) 432-2978.
  4. All relevant financial parties, including credit card companies.
  5. Your local office of the United States Secret Service.
- Provide all compromised Visa, Interlink, and Plus accounts to your merchant bank within 10 business days. All potentially compromised accounts must be provided and transmitted as instructed by your merchant bank and the Visa Fraud Investigations and Incident Management group. Visa will distribute the compromised Visa account numbers to Issuers and ensure the confidentiality of entity and non-public information.
- Within 3 business days of the reported compromise, provide an Incident Report document to your merchant bank. (See Appendix A for the report template.) Note: Visa, in consultation with your merchant bank, will determine whether or not an independent forensic investigation will be initiated on the compromised entity.
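The containment step above asks responders to preserve logs and electronic evidence and to log every action taken. The following is an added example, not Visa material or part of the CISP guidance, of how an incident response team can do both from a separate forensic workstation (never on the compromised host): it hashes each collected evidence file before and after copying it into an evidence folder, and keeps an append-only, hash-chained record of responder actions so that a later edit or deletion in that record is detectable. The sample log lines, responder names and file names are constructed for the demonstration.

```python
"""Evidence preservation and action logging for the containment step.

Assumed to run on a forensic workstation that receives copies of logs
exported from the affected environment; nothing here touches the
compromised machine itself.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" value used for the first log entry


def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large evidence files are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


class ActionLog:
    """Append-only JSON-lines log of actions taken.

    Each record stores the hash of the previous record, so editing or removing
    any line breaks the chain when the file is verified later.
    """

    def __init__(self, path):
        self.path = path
        self.prev = GENESIS

    def record(self, responder, action, evidence=None):
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "responder": responder,
            "action": action,
            "evidence": evidence or {},
            "prev": self.prev,
        }
        entry_hash = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        with open(self.path, "a", encoding="utf-8") as f:
            f.write(json.dumps({"entry": entry, "hash": entry_hash}) + "\n")
        self.prev = entry_hash
        return entry_hash


def verify_log(path):
    """Recompute the hash chain. Returns (ok, records_checked); ok is False at the first bad record."""
    prev = GENESIS
    checked = 0
    with open(path, encoding="utf-8") as f:
        for line in f:
            rec = json.loads(line)
            entry = rec["entry"]
            recomputed = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
            if entry["prev"] != prev or recomputed != rec["hash"]:
                return False, checked
            prev = rec["hash"]
            checked += 1
    return True, checked


def preserve(log, responder, src, dest_dir):
    """Copy one evidence file into dest_dir, hash source and copy, and record the action."""
    os.makedirs(dest_dir, exist_ok=True)
    dest = os.path.join(dest_dir, os.path.basename(src))
    src_hash = sha256_file(src)
    shutil.copy2(src, dest)  # copy2 keeps the original timestamps on the copy
    dest_hash = sha256_file(dest)
    if src_hash != dest_hash:
        raise RuntimeError(f"copy of {src} does not match its source")
    log.record(responder, "preserved evidence file",
               {"source": src, "copy": dest, "sha256": src_hash})
    return dest_hash


def run_demo(workdir=None):
    """Constructed scenario: one exported log, three recorded actions, a verify pass, a tamper check."""
    workdir = workdir or tempfile.mkdtemp()
    sample = os.path.join(workdir, "pos-access.log")  # constructed sample log, not real data
    with open(sample, "w", encoding="utf-8") as f:
        f.write("2024-05-01T10:00:01Z pos01 auth ok user=clerk\n")
        f.write("2024-05-01T10:00:07Z pos01 outbound 203.0.113.5:443 bytes=81920\n")
    log = ActionLog(os.path.join(workdir, "actions.jsonl"))
    log.record("responder-a", "isolated pos01 by unplugging its network cable")
    file_hash = preserve(log, "responder-a", sample, os.path.join(workdir, "evidence"))
    log.record("responder-a", "notified merchant bank and internal IR team")
    ok_before, entries = verify_log(log.path)
    # Simulate someone editing the second record after the fact; the chain must fail there.
    with open(log.path, encoding="utf-8") as f:
        lines = f.readlines()
    lines[1] = lines[1].replace("responder-a", "responder-x")
    tampered = os.path.join(workdir, "actions-tampered.jsonl")
    with open(tampered, "w", encoding="utf-8") as f:
        f.writelines(lines)
    ok_after, checked_after = verify_log(tampered)
    return {"file_sha256": file_hash, "entries": entries, "verified": ok_before,
            "tampered_verified": ok_after, "tampered_checked": checked_after}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The action log is deliberately a plain text file so it can be handed to the merchant bank or a forensic investigator alongside the evidence copies; the chained hashes let the recipient confirm the record was not altered after the fact without needing any tooling beyond a SHA-256 implementation.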