Now that you have done the immediate damage control and breach point isolation steps proscribed by the card associations, and have assessed the scope and severity of the breach, the cleanup begins. Keep in mind, whether or not you are in PCI compliance at the time of the breach, these and the preceding steps should still be followed. If you are not PCI compliant at the time of the breach, there may be other industry fines and sanctions to consider. Now it is time to face the music and report all estimated or verified theft or loss of cardholder information. For Visa cards, contact the appropriate Visa Risk Management group for your Visa region. See last week’s blog for a list of Visa regions and the corresponding phone number or email address for that Visa region.
Visa must be notified within 48 hours whether or not your merchant account was in PCI compliance with the most recent PCI DSS and if necessary, with the PCI PA-DSS (payment card industry payment application (i.e. software) and with the PCI PIN Security requirements at the time of the occurrence. Be prepared to provide some type of verifiable proof of PCI compliance at the time of the occurrence. After notification of the affected card associations an initial investigation should be conducted. Visa requires written documentation be provided to them within three business days of notification of the data compromise. Visa will use this information to determine the degree of perceived exposure. It will also allow Visa to help your business with containment and management of the data breach. It is important that your documentation include an accounting of the steps you have already taken to mitigate and contain the exposure caused by the occurrence.
Merchants who are PCI compliant at the time of the data breach are afforded some degree of protection against further exposure. Most processors worth their salt even have data breach insurance that kicks in and pays many of the standard fines and penalties for loss of data, and even some legal expenses. See our home page to find out how you can become PCI compliant for free. Do it before it’s too late!