FAQ: Data Compromise
What is a Cardholder Data Compromise?
Cardholder data compromise occurs when a merchant’s payment system is breached and cardholder account information is stolen. When a data compromise occurs, it is critical to contain the damage quickly to protect customer data and immediately identify the root cause of the event. Merchants must produce an accurate record of events for authorities.
How is a Cardholder Data Compromise identified?
Any suspicion of potential cardholder data compromise is reported to the payment brands (Visa® and MasterCard®) by law enforcement, issuing banks and/or you, the merchant.
How do I determine if there is a data compromise?
Security breaches can appear in different forms. Staying alert for the following suspicious activities can help identify potential risks:
- Unexpected outgoing Internet traffic
- Unexpected network traffic and IP addresses
- Unknown files, software and devices installed on your systems
- Antivirus programs malfunctioning or becoming disabled
- Unknown applications configured to launch automatically upon your system reboot
- Suspicious after-hours system activity
- Presence of .zip, .rar, .tar and other types of unidentified compressed files containing cardholder data
What steps should I take when suspicious of a data compromise?
- Contain and limit the exposure – It is very important to preserve evidence and assist with the investigation to minimize the risk exposure. You should adhere to the following:
- Do not access or alter a compromised system
- Do not turn the compromised system off, but isolate it from the network
- Preserve logs and continue to log all actions taken
- If using a wireless network, change the access point
- Monitor all traffic on systems containing cardholder data
- Provide notification – Merchants should contact their Incident Response Team (internal management and legal personnel) and provide an incident report to Chase Merchant Services within 24 hours. Chase Merchant Services will advise a merchant of next steps and provide applicable notification to the payment brands (Visa and MasterCard). An incident report must contain the following information:
- Brief description of the business and merchant identification number
- Details of the data breach, including who, what, when and where
- Type of stored cardholder data, such as account number, secure code (CVV2, CVC2, etc.) and/or full content of magnetic stripes
- Steps taken to contain the incident
- Law enforcement notifications, if applicable
- Follow your legal requirements – In addition to the contractual obligations with Chase Merchant Services, you should consult with its legal department to adhere to applicable Federal, State and Local law notification requirements.
What happens during a Cardholder Data Compromise investigation?
- Forensic investigation – Upon review of an incident report, Visa or MasterCard may request that the merchant bring in a Qualified Incident Response Assessor (QIRA) to perform a forensic investigation within a specific time frame. Conducting a forensic investigation helps determine if there is evidence or risk of a compromise, and the time period of the compromise.
- Report findings – When the investigation is complete, the QIRA will provide a forensic report to the merchant and the report will be shared with Chase Merchant Services, Visa and MasterCard. Chase Merchant Services will coordinate a review of the findings and the required follow-up actions identified in the report.
- Accounts at risk – The QIRA and Chase Merchant Services will provide Visa and MasterCard with the cardholder accounts that were processed during the at-risk time period. Visa and MasterCard will then notify the corresponding Issuers. Issuers are given a deadline to report any related fraud to the payment card brands.
- Expenses, fines and liabilities – The merchant is responsible for bringing in the QIRA, if required. Visa and MasterCard will assess separate fines for lack of compliance, which led to the breach. In some cases, there are also assessments for incremental fraud and for monitoring or re-issuing cardholder accounts.
- Compliance with the Payment Card Industry Data Security Standard – Any entity that has suffered a hack or attack is required to validate PCI compliance. The forensic investigation will not close until the merchant has provided a Report of Compliance or Self Assessment Questionnaire, in addition to Quarterly Network Scans.
Common Point of Purchase
What is a Common Point of Purchase (CPP) Investigation?
A CPP investigation is initiated when multiple fraudulent transactions are identified, and determined to have originated from a common location. The "common location" becomes the CPP.
Did the fraud take place at my location?
No. The CPP merchant location is where the cardholder data was stolen, or where a data security breach may have occurred. The stolen card data is then used for fraudulent purchases at other merchant locations.
Who reported the fraudulent activity?
CPP locations are reported to the payment brands (Visa and MasterCard) by law enforcement and issuing banks. Once reported, the appropriate payment brand examines the claim to determine if a CPP or forensic investigation is necessary.
What do I do if my business is reported as a CPP location?
If your business is reported as a CPP location, Chase Merchant Services will contact you. The payment brand involved will then provide a questionnaire for you to complete, as well as details from the report that will assist you with your own internal investigation. You will be given a deadline for submitting the questionnaire to Chase Merchant Services.
What will Chase Merchant Services do if my business is reported as a CPP location?
Chase Merchant Services submits the questionnaire to the involved payment brand. The payment brand will determine if a skimming event or potential network intrusion may have occurred.