Wednesday, June 6, 2012

Merchant Bank Account Requirements for Compromised Entities

Merchant bank account entities that have suffered a suspected or confirmed data security breach must take immediate action to help prevent further exposure of sensitive data and to achieve compliance with the Payment Card Industry (PCI) Data Security Standard (DSS), the PCI Payment Application Data Security Standard (PA-DSS), and the PCI PIN Security Standards.

Here is a list of concrete actions you should take if a breach is confirmed or suspected:

  1. Immediately contain and minimize the exposure and limit data loss. Prevent further loss of information by conducting a complete investigation of the compromise. Compromised organizations should consult their own incident response team. To preserve evidence and facilitate the investigation:
    • Do not access or alter a compromised payment processing system: do not log in to it at all, do not change passwords on it, and do not log in as root.
    • Do not power the compromised system off. Instead, isolate all compromised systems from the rest of the network (for example, by unplugging the network cable).
    • Preserve evidence and logs (security event, internet, database and firewall logs, among others).
    • Record every action you take.
    • If you run a wireless network, change the Service Set Identifier (SSID) on the wireless access point (WAP) and on all other systems that may use that connection, excluding any systems believed to be compromised.
    • Remain on alert and monitor the traffic on all systems that store customer data.
  2. Inform all involved parties immediately, including:
    • Your internal incident response and information security teams.
    • Your merchant bank account acquirer.
    • The appropriate law enforcement agency.
    • Your legal department, to establish whether breach notification laws apply.
  3. Provide all compromised account data to your processor or to the card Associations within ten business days. All possibly compromised accounts must be identified and transmitted as instructed by the processing bank. The Association will then distribute the compromised card account numbers to the affected card issuers.
  4. Within three business days of the confirmed or suspected compromise, send an incident report to your merchant bank account acquirer or to MasterCard and Visa.
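As an added example (not part of the original post), a small Python tracker for the two deadlines in steps 3 and 4 and for the written action log that step 1 calls for. It assumes business days are Monday to Friday with no holiday calendar, and the evidence content fed to it is a constructed sample.

```python
import hashlib
from datetime import date, datetime, timedelta

# Assumption: business days are Monday to Friday; public holidays are not modelled.
REPORT_DAYS = 3         # step 4: incident report to the acquirer or card brands
ACCOUNT_DATA_DAYS = 10  # step 3: compromised account data to the processor / Associations

def add_business_days(start: date, days: int) -> date:
    """Return the date that is `days` business days after `start`."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # weekday() 0..4 is Monday..Friday
            remaining -= 1
    return current

def deadlines_iso(compromise_iso: str) -> dict:
    """Both reporting deadlines, as ISO dates, counted from the day of compromise."""
    start = date.fromisoformat(compromise_iso)
    return {
        "incident_report_due": add_business_days(start, REPORT_DAYS).isoformat(),
        "account_data_due": add_business_days(start, ACCOUNT_DATA_DAYS).isoformat(),
    }

def overdue(compromise_iso: str, today_iso: str) -> list:
    """Names of the deadlines already missed as of `today_iso`."""
    today = date.fromisoformat(today_iso)
    return [name for name, due in deadlines_iso(compromise_iso).items()
            if date.fromisoformat(due) < today]

class ActionLog:
    """Written record of every action taken (step 1), plus a SHA-256 fingerprint
    of each preserved piece of evidence so later tampering with a stored copy is detectable."""

    def __init__(self):
        self.entries = []

    def note(self, actor: str, action: str, when=None) -> None:
        self.entries.append({"when": (when or datetime.now()).isoformat(),
                             "actor": actor, "action": action})

    def preserve(self, label: str, data: bytes, actor: str) -> str:
        digest = hashlib.sha256(data).hexdigest()
        self.note(actor, f"preserved {label} sha256={digest}")
        return digest
```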
To contain the impact of a consumer data security breach, the Associations have established an Incident Response Team to assist card acceptors with forensic investigations. In the event of a confirmed compromise, the Associations will quickly send a team of forensic specialists to the site to help identify security issues and control exposure. The forensic data the team gathers is then used as evidence to prosecute fraudsters.
