Search
Close this search box.
Blog » Business Tips » Incident Response Plan

Incident Response Plan

Credit Card (PCI) Security Incident Response Plan

To address credit cardholder security and ensure the greatest possible protection of cardholder data, the major credit card brands, including Visa, MasterCard, American Express, Discover and JCB, established the PCI Security Standards Council to develop, enforce, and manage the Payment Card Industry Data Security Standards (PCI DSS) that are intended to serve as guidelines for safeguarding cardholder information.

Within these guidelines, merchants are required to create and document an incident response plan. Due’s incident response plan is described below:

  1. Each department must report an incident to the Information Security Officer or to another member of Due’s PCI Response Team.
  2. The member of the team team that receives the report will advise the PCI Response Team about the incident.
  1. The PCI Response Team will investigate the incident as well as will assist with limiting any cardholder data exposure and mitigating the risks associated with that incident.
  1. The PCI Response Team will resolve the problem to the satisfaction of all parties involved, including reporting the incident and findings to the appropriate parties, such as credit card associations and credit card processors.
  1. The PCI Response Team will determine if policies and processes need to be revised and whether additional safeguards need to be implemented to avoid any similar incident in the future.

Due’s PCI Security Incident Response Team includes: [ADD NAMES, PHONE NUMBERS AND EMAIL ADDRESSES]

  • CIO
  • Communications Director Compliance Officer
  • Counsel
  • Information Security Officer Controller
  • Collections & Merchant Services Risk Manager

Due PCI Incident Response Plan V1

Last Updated: 8/31/16

The credit card companies have individually specific requirements that must be addressed in terms of  reporting suspected or confirmed breaches of cardholder data.

MasterCard Specific Steps:

  1. Within 24 hours of an account compromise event, notify the MasterCard Compromised Account Team via phone at 1-636-722-4100 .
  2. Provide a detailed written statement of fact about the account compromise (including the contributing circumstances) via secured e-mail to [email protected].
  1. Provide the MasterCard Merchant Fraud Control Department with a complete list of all known compromised account numbers.
  1. Within 72 hours of knowledge of a suspected account compromise, engage the services of a data security firm acceptable to MasterCard to assess the vulnerability of the compromised data and related systems.
  2. Provide weekly written status reports to MasterCard about any open questions and issues until the audit is complete to the satisfaction of MasterCard.
  3. Promptly deliver updated lists of potential or known compromised account numbers, additional documentation, and other information that MasterCard may require.
  1. Provide finding of all audits and investigations to the MasterCard Merchant Fraud Control department within the required timeframe.

Once MasterCard obtains the details of the account data compromise and the list of compromised account numbers, MasterCard will identify the issuers of the accounts that were suspected to have been compromised and group all known accounts as well as distribute the account number data to its respective issuers.

VISA U.S.A. Specific Steps:

In the event of a security breach, the Visa U.S.A. Operating Regulations requires that it be immediately reported. Entities must demonstrate the ability to prevent future loss or theft of account information, consistent with the requirements of the VISA U.S.A. Cardholder Information Security Program. If VISA U.S.A. determines that an organization has been deficient or negligent in terms of securely maintaining account information or reporting or investigating loss of this information, VISA U.S.A. may require immediate corrective action.

If a merchant or its agent does not comply with the security requirements or fails to rectify a security issue, VISA may impose fines or restriction as well as permanently prohibit any participation in VISA programs.

VISA has provided the following step-by-step guidelines to assist an entity in the event of a compromise. In addition to the following, VISA may require additional investigation. This includes, but is not limited to, providing access to premises and all pertinent records.

  1. Immediately contain and limit the exposure.
  2. To prevent further loss of data, conduct a thorough investigation of the suspected or confirmed loss or theft of account information within 24 hours of the compromise.
  3. To facilitate the investigation, do not access or alter compromised systems or turn the compromised machine off. Preserve logs and electronic evidence and log all actions taken. IIf using a wireless network, change Service Set Identifier (SSID) on the access, point and other machines that may be using this connection (with the exception of any systems believed to be compromised), be on alert, and monitor all VISA systems.
  4. Alert all necessary parties, including the internal information security group and Incident Response Team as well as the legal department, merchant bank, VISA Fraud Control Group at (650) 432-2978 in the U.S., and local FBI Office, U.S. Secret Service, or RCMP local detachment.
  5. If VISA payment data is compromised, provide the compromised Visa account to VISA Fraud Control Group at (650) 432-2978 within 24 hours of the incident. Account numbers must be securely sent to VISA as instructed by VISA.
  6. For a forensic investigation, the organization must start it within 24 hours of compromise. The investigation must determine cardholder information at risk, the number of accounts at risk, and the type of account information at risk like account number, expiration date, cardholder name and address, and security number on the back or front of the card. The investigation must also include determining how the compromised occurred, the source of the compromise, and the time frame of the compromise. The entire network must be reviewed to identify all compromised or affected systems, including e-commerce, corporate, test, development, and production environments as well as VPN, modem, DSL and cable modem connections, and any third-party connections. Lastly, the investigation should determine if compromise has been contained.

Discover Card Specific Steps

  1. Within 24 hours of an account compromise event, notify Discover Fraud Prevention at (800) 347-3102 and prepare a detailed statement about the compromise, including a list of all compromised account numbers.
  2. Obtain additional specific requirements from Discover Card.

American Express Specific Steps

  1. Within 24 hours of an account compromise event, notify American Express Merchant Services at (800) 528-5200 in the U.S. and prepare an account about the compromise, including what contributing factors played a role and which account numbers were compromised.
  2. Obtain additional specific requirements from American Express.

About Due’s Editorial Process

We uphold a strict editorial policy that focuses on factual accuracy, relevance, and impartiality. Our content, created by leading finance and industry experts, is reviewed by a team of seasoned editors to ensure compliance with the highest standards in reporting and publishing.

TAGS
CEO at Due
John Rampton is an entrepreneur and connector. When he was 23 years old, while attending the University of Utah, he was hurt in a construction accident. His leg was snapped in half. He was told by 13 doctors he would never walk again. Over the next 12 months, he had several surgeries, stem cell injections and learned how to walk again. During this time, he studied and mastered how to make money work for you, not against you. He has since taught thousands through books, courses and written over 5000 articles online about finance, entrepreneurship and productivity. He has been recognized as the Top Online Influencers in the World by Entrepreneur Magazine and Finance Expert by Time. He is the Founder and CEO of Due.

About Due

Due makes it easier to retire on your terms. We give you a realistic view on exactly where you’re at financially so when you retire you know how much money you’ll get each month. Get started today.

Categories

Top Trending Posts

Due Fact-Checking Standards and Processes

To ensure we’re putting out the highest content standards, we sought out the help of certified financial experts and accredited individuals to verify our advice. We also rely on them for the most up to date information and data to make sure our in-depth research has the facts right, for today… Not yesterday. Our financial expert review board allows our readers to not only trust the information they are reading but to act on it as well. Most of our authors are CFP (Certified Financial Planners) or CRPC (Chartered Retirement Planning Counselor) certified and all have college degrees. Learn more about annuities, retirement advice and take the correct steps towards financial freedom and knowing exactly where you stand today. Learn everything about our top-notch financial expert reviews below… Learn More