Taking immediate action
Merchants and service providers that have experienced a suspected or confirmed security breach must take immediate action to help prevent additional damage and adhere to Visa CISP requirements.
Loss or theft of account information
Members, service providers or merchants must immediately report the suspected or confirmed loss or theft of any material or records that contain Visa cardholder data.
If a member knows or suspects a security breach with a merchant or service provider, the member must take immediate action to investigate the incident and limit the exposure of cardholder data.
If a Visa member fails to immediately notify Visa Inc. Fraud Control of the suspected or confirmed loss or theft of any Visa transaction information, the member will be subject to a penalty of $100,000 per incident.
Members are subject to fines, up to $500,000 per incident, for any merchant or service provider that is compromised and not compliant at the time of the incident.
Steps for compromised entities
Immediately contain and limit the exposure. Prevent further loss of data by conducting a thorough investigation of the suspected or confirmed compromise of information. To preserve evidence and facilitate the investigation:
- Do not access or alter compromised systems (i.e., don't log on at all to the machine and change passwords, do not log in as ROOT).
- Do not turn the compromised machine off. Instead, isolate compromised systems from the network (i.e., unplug cable).
- Preserve logs and electronic evidence.
- Log all actions taken.
- If using a wireless network, change SSID on the AP and other machines that may be using this connection with the exception of any systems believed to be compromised.
- Be on "high" alert and monitor all systems with cardholder data.
Alert all necessary parties immediately. Be sure to contact:
- Your internal information security group and incident response team.
- Your merchant bank.
- If you do not know the exact name and/or contact information for your merchant bank, notify Visa Fraud Investigations and Incident Management group immediately at (650) 432-2978.
- Your local office of the United States Secret Service.
Provide all compromised Visa, Interlink, and Plus accounts to your merchant bank within 10 business days. All potentially compromised accounts must be provided and transmitted as instructed by your merchant bank and Visa Fraud Investigations and Incident Management group. Visa will distribute the compromised Visa account numbers to Issuers and ensure the confidentiality of entity and non-public information.
- Within 3 business days of the reported compromise, provide an Incident Report document to your merchant bank. (See Appendix A for the report template.)
Note: Visa, in consultation with your merchant bank, will determine whether or not an independent forensic investigation will be initiated on the compromised entity.
Visa incident response team
In the event of a suspected compromise, the Visa Incident Response Team (which includes the Visa Fraud Control Team and a CISP Team) will immediately begin working with the entity and responsible member.
|Visa Fraud Investigations:||The CISP Team:|
Download the What to Do If Compromised (PDF, 342k).
Download the Responding to a Data Breach, Communications Guidelines for Merchants (PDF, 352k).
For more information
To learn more about Visa’s compliance programs, contact Visa via email at AskVisaUSA@Visa.com.