ACCOUNT DATA COMPROMISE 2020-05-07

Document posted 16-Jul-2020 (13 pages)

  • ACCOUNT DATA COMPROMISE Guide for customers 2020

  • 2

    What is an Account Data Compromise?

    An Account Data Compromise (ADC) is an intrusion into computer system(s) or access to physical cardholder data where unauthorized disclosure, modification or destruction of cardholder data is suspected.

    It’s imperative to have an incident response plan in the event an ADC occurs to your systems or to the systems of a third party that is storing, processing or transmitting cardholder data on your behalf.

    Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is required for all entities involved in the transmission of payment card data and can help reduce the occurrence of an ADC. However, to effectively manage your risk, you must have an incident response plan that is tailored to your own business environment.

  • 3

    What to do in the event of an ADC?

    eCommerce Channel

    If you discover, or even suspect, an ADC event, take the following steps:

    • Contact Worldpay from FIS immediately (see contact details on page 12).

    • Provide your Merchant ID number (MID) details.

    • Leave compromised systems alone; don't access or alter them in any way, e.g., don't log in or change passwords.

    • Don't turn off compromised systems; do unplug any network cables to disconnect them from your network.

    • Back up your systems, which helps with any investigations at a later stage.

    Our ADC team will follow up with any customer who has or may have experienced an ADC.

  • 4

    What to do in the event of an ADC?

    Mail Order Telephone Order (MOTO) Channel

    If you discover, or even suspect, an ADC event, take the following steps:

    • Contact Worldpay from FIS immediately (see contact details on page 12).

    • Provide your Merchant ID number (MID) details.

    • Leave compromised systems alone; don't access or alter them in any way, e.g., don't log on or change passwords.

    • Don't turn off compromised systems; do unplug any network cables to disconnect them from your network.

    • Back up your systems, which helps with any investigations at a later stage.

    Our ADC team will follow up with any customer who has or may have experienced an ADC.

  • 5

    What to do in the event of an ADC?

    PIN Entry Device (PED)

    If you suspect your PED has been tampered with in any way, take the following steps:

    • Immediately stop using the PED.

    • Contact Worldpay from FIS immediately (see contact details on page 12).

    • Provide your Merchant ID number (MID) details.

    • Contact a PFI Investigator (Worldpay can provide contact details).

    • Take pictures of the PED environment, including its location at your business, the PED screen, all leads and cables, and any anomalies.

    • If any PED connections are unaccounted for, take a photo and then disconnect them from their source (e.g., a port in the wall).

    • Secure the PED, either in person or through the use of CCTV.

    • Do not touch or turn off any devices attached to the PED, such as skimmers, false fronts, USB sticks and cables, etc.

    • Document everything in writing and with photos, including a timeline of the event.

  • 6

    ADC PCI SSC Forensic Investigation (PFI) criteria

    Once an ADC event is reported, whether by the card schemes or a customer, strict management procedures must be followed. Worldpay will mandate that a PCI SSC-listed Payment Card Industry Forensic Investigator (PFI) be engaged to investigate the matter.

    Card schemes manage ADC events differently. Following are guides for Visa Europe and Mastercard.

    Visa Europe

    There are two types of investigations, depending on the level of the customer and the number and type of card transactions processed per annum:

    PFI LITE – For small ADC events

    - Level 4 eCommerce-only customers with less than 10,000 Visa eCommerce transactions at risk

    - A maximum of three electronic devices, e.g., website, server and database

    - Do not process Mail Order Telephone Order (MOTO) via a Virtual Terminal (VT)

    Note: As of June 2020, merchants that use a Magento 1 website will no longer qualify for PFI LITE.

    FULL PFI – For large ADC events

    - Level 1-Level 3 customers, or Level 4 non-eCommerce customers, or Level 4 customers processing more than 10,000 Visa cards at risk

    - Level 4 customers processing MOTO, including transactions via a VT

    - Level 4 customers using a Magento 1 website after June 2020

    - Previously breached customers

    - Customers that previously failed a PFI Lite investigation

  • 7

    Visa Europe ADC penalties

    Penalties

    €3,000 will be charged for each ADC event, regardless of the compliance level. Please note that Visa Europe can apply this cost to all acquirers that process payments on behalf of the customer that experienced the ADC event.

    PFI Lite – Customers with less than 10,000 Visa eCommerce transactions at risk per annum who do not use a Magento 1 website

    Penalties:

    €3,000 case fee

    No further penalties will be applied as long as the PFI Lite process is adhered to.

    Full PFI investigations – Level 1-3 customers, or Level 4 non-eCommerce customers, or Level 4 customers processing more than 10,000 eCommerce Visa cards at risk or that use a Magento 1 website after June 2020. This includes MOTO customers, face-to-face customers, and those who have previously failed a PFI Lite investigation.

    Penalties:

    €3,000 case fee

    €3 per card deemed at risk (PAN data only)

    €18 per card deemed at risk (PAN with CVV2 details, or PAN with Track 1 and Track 2 magnetic stripe data)

    Note: Any penalty figures stated here are subject to change and will be levied on a case-by-case basis.

  • 8

    How Worldpay can maximise reductions on penalties from Visa

    Note: As of June 2020, merchants that use a Magento 1 website will be considered non-compliant.

    A Verified by Visa (VbV) customer that incurs an ADC event and is subject to a financial penalty based on the number of accounts at risk will have the penalty reduced by up to a maximum of 50%:

    • Customer A, who processes 35% authenticated VbV transactions, would receive exactly a 35% reduction

    • Customer B, who processes 65% authenticated VbV transactions, would receive a capped reduction of 50%

    Reductions of between 25% and 100% in favour of customers will be applied based on self-notification of a breach and the PCI DSS compliance of the entity. To maximise reductions, it is imperative that, should you discover or merely suspect a data breach, you contact Worldpay immediately. Contact details are provided below. All reductions are at the discretion of Visa Europe; where applied, they are assessed on a case-by-case basis.

    Notification in half-yearly report                                      | Acquirer informed Visa: non-compliance assessment reduction | Visa informed acquirer: non-compliance assessment reduction

    Customer found compliant

      Acquirer reports customer as compliant                                | 100%                                                        | 100%

      Acquirer reports customer as non-compliant                            | 100%                                                        | 100%

      Acquirer fails to declare or incorrectly reports the customer’s compliancy | 100%                                                   | 75%

    Customer found non-compliant

      Acquirer reports customer as compliant                                | 75%                                                         | 50%

      Acquirer reports customer as non-compliant                            | 50%                                                         | 25%

      Acquirer fails to declare or incorrectly reports the customer’s compliancy | 25%                                                    | No reduction

  • 9

    Mastercard potential ADC penalties

    Mastercard penalties for ADC events are known as Operational Reimbursement (OR) and Fraud Reimbursement (FR).

    For an ADC event impacting a minimum of 30,000 Mastercard accounts, Mastercard may levy OR or both OR and FR. The Mastercard ADC reimbursement program is optional for issuers. Only issuers that opt into the Mastercard ADC reimbursement program will be eligible for reimbursement for OR or both OR and FR for an ADC event each calendar year.

    In the event that the compromised entity is an eCommerce customer where only PAN, expiration date and/or the CVC/CVV code have been compromised, only OR will be levied.

    It is not possible to provide exact details of Mastercard penalties that may be levied against Worldpay customers because Mastercard reviews OR and FR on a case-by-case basis, and calculations are based on which issuers’ cards have been impacted and deemed at risk by a PFI investigation.

    When Mastercard provides a calculation, Worldpay will inform the customer.

  • 10

    ADC Event: example of penalties

    Visa Europe

    PAN & CVV: 4,000 cards x €18          €72,000      £61,512

    Compliance reductions 25%             -(€18,000)   -(£15,378)

    Running total                         €54,000      £46,134

    VbV reduction                         -(€27,000)   -(£23,067)

    Running total                         €27,000      £23,067

    ADC case fee                          €3,000       £2,563

    Sub Total                             €30,000      £25,630

    Mastercard                            $0           £0
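The worked example above follows directly from the figures on pages 6 to 8. The estimator below is an added example, not part of the Worldpay guide; it encodes the published constants (€3,000 case fee, €3 or €18 per card at risk, the VbV reduction capped at 50%, the page-8 compliance-reduction table and the page-6 PFI Lite criteria) and reproduces the page-10 numbers. The order in which the reductions are applied (compliance reduction first, then VbV, then the unreduced case fee) is inferred from that worked example and is an assumption; the names of the functions and the "pan_only" / "pan_with_cvv2_or_track" labels are this example's own. Visa assesses every case individually, so the output is a planning estimate for risk quantification, not a quote.

```python
"""Visa Europe ADC penalty estimator built from the figures in this guide.

Added example, not part of the Worldpay document. Constants are the guide's
published figures; the order of applying the reductions (compliance, then
VbV, then the fixed case fee) is inferred from the page-10 worked example
and is an assumption.
"""

CASE_FEE_EUR = 3_000
# Per-card assessment by what was exposed (page 7). Labels are this example's own.
PER_CARD_EUR = {"pan_only": 3, "pan_with_cvv2_or_track": 18}
VBV_CAP = 0.50  # Verified by Visa reduction is capped at 50% (page 8)

# Page-8 table. Key: (customer found compliant?, what the acquirer reported).
# Value: (reduction if acquirer informed Visa, reduction if Visa informed acquirer).
COMPLIANCE_REDUCTION = {
    (True, "compliant"): (1.00, 1.00),
    (True, "non-compliant"): (1.00, 1.00),
    (True, "not-declared"): (1.00, 0.75),
    (False, "compliant"): (0.75, 0.50),
    (False, "non-compliant"): (0.50, 0.25),
    (False, "not-declared"): (0.25, 0.00),
}


def compliance_reduction(found_compliant, acquirer_report, self_notified):
    """Look up the page-8 reduction. self_notified=True selects the
    'acquirer informed Visa' column, False the 'Visa informed acquirer' column."""
    informed, told = COMPLIANCE_REDUCTION[(found_compliant, acquirer_report)]
    return informed if self_notified else told


def vbv_reduction(vbv_share):
    """Reduction equals the share of authenticated VbV transactions, capped at 50%."""
    return min(max(vbv_share, 0.0), VBV_CAP)


def qualifies_for_pfi_lite(level, ecommerce_only, visa_ecom_cards_at_risk,
                           device_count, moto_via_vt, magento1,
                           previously_breached, failed_pfi_lite_before):
    """Page-6 PFI Lite criteria; missing any one of them means a full PFI."""
    return (level == 4 and ecommerce_only
            and visa_ecom_cards_at_risk < 10_000
            and device_count <= 3
            and not moto_via_vt and not magento1
            and not previously_breached and not failed_pfi_lite_before)


def estimate_visa_penalty(cards_at_risk, exposure, compliance_rate, vbv_share,
                          pfi_lite=False):
    """Return a breakdown in EUR. Under PFI Lite only the case fee applies
    (page 7). Otherwise the per-card assessment is reduced by the compliance
    rate, then by the VbV reduction, and the case fee is added unreduced
    (the VbV reduction applies only to the accounts-at-risk component)."""
    if pfi_lite:
        return {"per_card": 0, "after_compliance": 0, "after_vbv": 0,
                "case_fee": CASE_FEE_EUR, "total": CASE_FEE_EUR}
    per_card = cards_at_risk * PER_CARD_EUR[exposure]
    after_compliance = per_card * (1 - compliance_rate)
    after_vbv = after_compliance * (1 - vbv_reduction(vbv_share))
    return {
        "per_card": per_card,
        "after_compliance": after_compliance,
        "after_vbv": after_vbv,
        "case_fee": CASE_FEE_EUR,
        "total": after_vbv + CASE_FEE_EUR,
    }


if __name__ == "__main__":
    # Reproduces the page-10 example: 4,000 PAN+CVV cards, 25% compliance
    # reduction, a VbV share above 50% (capped to the 50% maximum).
    breakdown = estimate_visa_penalty(4_000, "pan_with_cvv2_or_track", 0.25, 0.65)
    for item, amount in breakdown.items():
        print(f"{item:>17}: EUR {amount:,.0f}")
```

Running the block prints €72,000 per-card, €54,000 after the 25% compliance reduction, €27,000 after the capped VbV reduction and a €30,000 total including the case fee, matching page 10. Changing `compliance_rate` to a value looked up with `compliance_reduction(...)` shows why self-notification matters: the same breach reported by the acquirer carries a larger reduction than one Visa discovers first.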