Tuesday, June 12, 2012

Assessments for Noncompliance in Account Data Compromise Events

If an account compromise was a result of a violation of MasterCard Standards regarding disclosure and securing of cardholder account and transaction data, the member bank may be subject to noncompliance assessments. MasterCard may assess up to $100,000 for each violation, with a maximum aggregate assessment of $500,000 for additional or continuing violations during any consecutive 12-month period.

If the member bank fails to comply with the procedures required in data compromise events, MasterCard may impose an additional assessment of up to $25,000 each day until it achieves compliance. Continued, extended, or repeated noncompliance may lead to the suspension or termination of the member bank's participation in the MasterCard payment system.

In addition to the assessments listed above, MasterCard may assess all investigation and other related costs against the acquiring bank. With regard to accounts identified as potentially compromised, MasterCard may require the acquirer to reimburse affected card issuers.
  • Potential exemption from noncompliance assessments. MasterCard may exempt an acquiring bank from noncompliance assessments, investigative costs, and other related costs, and MasterCard may grant up to a 100% reduction of the card issuer reimbursement costs. MasterCard will base any exemption that may be afforded on the circumstances, including compliance with the Payment Card Industry Data Security Standard. The factors that MasterCard will consider are the following:
    • Verification that the merchant or TPP associated with the account data compromise event was registered in accordance with MasterCard's Registration Program.
    • Proof of compliance with the Payment Card Industry Data Security Standard by the merchant or TPP associated with the account data compromise event.
    • Demonstration by the acquiring bank that the entity associated with the account data compromise event was compliant with the Payment Card Industry Data Security Standard and applicable MasterCard SDP Program requirements at the time of the applicable account data compromise event.
    • Notification to and cooperation with MasterCard and, as appropriate, law enforcement authorities.
    • Verification that the forensics examination was initiated within 72 hours of the account data compromise event and completed as soon as practical.
    • Timely receipt by MasterCard of the forensics examination findings.
    • Evidence that the account data compromise event was not foreseeable or preventable by commercially reasonable means and that, on a continuing basis, security practices were applied.

MasterCard generally will not grant a full or partial exemption for an internal compromise, which is a compromise facilitated by persons authorized to have access to the system or process compromised.
