ACCOUNT DATA COMPROMISE · 2020-05-07 · Compromise? An Account Data Compromise (ADC) is an...

ACCOUNT DATA COMPROMISE Guide for customers 2020


Page 1


Page 2

What is an Account Data Compromise?

An Account Data Compromise (ADC) is an intrusion into computer system(s) or access to physical cardholder data where unauthorized disclosure, modification or destruction of cardholder data is suspected.

It is imperative to have an incident response plan in the event an ADC occurs to your systems or to the systems of a third party that is storing, processing or transmitting cardholder data on your behalf.

Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is required for all entities involved in the transmission of payment card data and can help reduce the occurrence of an ADC. However, to effectively manage your risk, you must have an incident response plan that is tailored to your own business environment.

Page 3

What to do in the event of an ADC?

eCommerce Channel

If you discover, or even suspect, an ADC event, take the following steps:

• Contact Worldpay from FIS immediately (see contact details on page 12).
• Provide your Merchant ID number (MID) details.
• Leave compromised systems alone; don't access or alter them in any way, e.g., don't log in or change passwords. Every login, password change or file access overwrites evidence the forensic investigator will need.
• Don't turn off compromised systems (powering down destroys volatile evidence such as memory contents); do unplug any network cables to disconnect them from your network.
• Back up your systems, which helps with any investigations at a later stage.

Our ADC team will follow up with any customer who has or may have experienced an ADC.

Page 4

What to do in the event of an ADC?

Mail Order Telephone Order (MOTO) Channel

If you discover, or even suspect, an ADC event, take the following steps:

• Contact Worldpay from FIS immediately (see contact details on page 12).
• Provide your Merchant ID number (MID) details.
• Leave compromised systems alone; don't access or alter them in any way, e.g., don't log on or change passwords.
• Don't turn off compromised systems; do unplug any network cables to disconnect them from your network.
• Back up your systems, which helps with any investigations at a later stage.

Our ADC team will follow up with any customer who has or may have experienced an ADC.

Page 5

What to do in the event of an ADC?

PIN Entry Device (PED)

If you suspect your PED has been tampered with in any way, take the following steps:

• Immediately stop using the PED.
• Contact Worldpay from FIS immediately (see contact details on page 12).
• Provide your Merchant ID number (MID) details.
• Contact a PFI investigator (Worldpay can provide contact details).
• Take pictures of the PED environment, including its location at your business, the PED screen, all leads and cables, and any anomalies.
• If any PED connections are unaccounted for, take a photo and then disconnect them from their source (e.g., a port in the wall).
• Secure the PED, either in person or through the use of CCTV.
• Do not touch or turn off any devices attached to the PED, such as skimmers, false fronts, USB sticks and cables, etc.
• Document everything in writing and with photos, including a timeline of the event.

Page 6

ADC PCI SSC Forensic Investigation (PFI) criteria

Once an ADC event is reported, whether by the card schemes or a customer, strict management procedures must be followed. Worldpay will mandate that a PCI SSC-listed PCI Forensic Investigator (PFI) be engaged to investigate the matter.

Card schemes manage ADC events differently. Following are guides for Visa Europe and Mastercard:

Visa Europe

There are two types of investigations, depending on the level of the customer and the number and type of card transactions processed per annum:

PFI LITE – For small ADC events:
- Level 4 eCommerce-only customers with fewer than 10,000 Visa eCommerce transactions at risk
- A maximum of three electronic devices, e.g., website, server and database
- Do not process Mail Order Telephone Order (MOTO) via a Virtual Terminal (VT)

Note: As of June 2020, merchants that use a Magento 1 website will no longer qualify for PFI LITE (Magento 1 reached end of support in June 2020, so it can no longer receive security patches).

FULL PFI – For large ADC events:
- Level 1 to Level 3 customers, Level 4 non-eCommerce customers, or Level 4 customers with more than 10,000 Visa cards at risk
- Level 4 customers processing MOTO, including transactions via a VT
- Level 4 customers using a Magento 1 website after June 2020
- Previously breached customers
- Customers that previously failed a PFI Lite investigation

Page 7

VISA Europe ADC penalties

Penalties

€3,000 will be charged for each ADC event, regardless of the compliance level. Please note that Visa Europe can apply this cost to all acquirers that process payments on behalf of the customer that experienced the ADC event.

PFI Lite – Customers with fewer than 10,000 Visa eCommerce transactions at risk per annum that do not use a Magento 1 website

Penalties:
€3,000 case fee
No further penalties will be applied as long as the PFI Lite process is adhered to

Full PFI investigations – Level 1-3 customers, Level 4 non-eCommerce customers, or Level 4 customers with more than 10,000 eCommerce Visa cards at risk or that use a Magento 1 website after June 2020. This includes MOTO customers, face-to-face customers, and those who have previously failed a PFI Lite investigation.

Penalties:
€3,000 case fee
€3 per card deemed at risk (PAN data only)
€18 per card deemed at risk (PAN with CVV2 details, or PAN with Track 1 and Track 2 magnetic stripe data)

Note: Any penalty figures stated here are subject to change and will be levied on a case-by-case basis.

Page 8

How Worldpay can maximise reductions on penalties from Visa

Note: As of June 2020, merchants that use a Magento 1 website will be considered non-compliant.

A Verified by Visa (VbV) customer that incurs an ADC event and is subject to a financial penalty based on the number of accounts at risk will have the penalty reduced by its share of authenticated VbV transactions, up to a maximum of 50%:

• Customer A, who processes 35% authenticated VbV transactions, would receive exactly a 35% reduction.
• Customer B, who processes 65% authenticated VbV transactions, would receive a capped reduction of 50%.

Reductions of between 25% and 100% in favour of customers will be applied based on self-notification of a breach and the PCI DSS compliance of the entity. To maximise reductions, it is imperative that you contact Worldpay immediately should you discover or merely suspect a data breach. Contact details are provided on page 12. All reductions are at the discretion of Visa Europe and, if applied, are on a case-by-case basis.

Non-compliance assessment reductions by notification route. Column A: the acquirer informed Visa, and the acquirer qualifies for the following non-compliance assessment reduction. Column B: Visa informed the acquirer, and the acquirer qualifies for the following non-compliance assessment reduction.

Notification in half-yearly report                                   Column A     Column B

Customer found compliant
  Acquirer reports customer as compliant                             100%         100%
  Acquirer reports customer as non-compliant                         100%         100%
  Acquirer fails to declare or incorrectly reports the
  customer's compliance                                              100%         75%

Customer found non-compliant
  Acquirer reports customer as compliant                             75%          50%
  Acquirer reports customer as non-compliant                         50%          25%
  Acquirer fails to declare or incorrectly reports the
  customer's compliance                                              25%          No reduction

Page 9

Mastercard potential ADC penalties

Mastercard penalties for ADC events are known as Operational Reimbursement (OR) and Fraud Reimbursement (FR).

For an ADC event impacting a minimum of 30,000 Mastercard accounts, Mastercard may levy OR, or both OR and FR. The Mastercard ADC reimbursement program is optional for issuers. Only issuers that opt into the Mastercard ADC reimbursement program will be eligible for reimbursement for OR, or both OR and FR, for an ADC event each calendar year.

In the event that the compromised entity is an eCommerce customer where only the PAN, expiration date and/or the CVC/CVV code have been compromised, only OR will be levied.

It is not possible to provide exact details of Mastercard penalties that may be levied against Worldpay customers because Mastercard reviews OR and FR on a case-by-case basis, and calculations are based on which issuers' cards have been impacted and deemed at risk by a PFI investigation.

When Mastercard provides a calculation, Worldpay will inform the customer.

Page 10

ADC Event: example of penalties

In this example an ADC event occurred involving a non-compliant customer where 4,000 Visa cards were deemed at risk and fewer than 30,000 Mastercard cards were deemed at risk. For the purposes of this example, PAN & CVV were located, so the €18 per-card rate from page 7 applies. The 50% VbV reduction is the maximum cap described on page 8, and because fewer than 30,000 Mastercard accounts were affected, no Mastercard OR or FR is levied (see page 9).

Visa Europe
PAN & CVV: 4,000 cards x €18              €72,000      £61,512
Compliance reductions (25%)              -€18,000     -£15,378
                                          €54,000      £46,134
VbV reduction (50%)                      -€27,000     -£23,067
                                          €27,000      £23,067
ADC case fee                              €3,000       £2,563
Sub total                                 €30,000      £25,630

Mastercard                                $0           £0

Grand total                                            £25,630*

Page 11

The potential further costs

A rough guide to the associated costs of a suspected ADC event:

• Cost of migration to an outsourced solution – unknown/hidden costs
• Cost of website re-development – unknown/hidden costs
• Cost of compressing an existing compliance program into 90 days – unknown/hidden costs
• Cost of reputational risk – unknown
• QSA engagement for a full report on compliance (Level 1 certification) – approx. £9,000 excl. VAT & expenses

Total: £9,000* + hidden costs

Penalties on the previous page £25,630 + £9,000 = £34,630 + unknown costs

• We support every element of this process for your benefit
• We help you in engaging third parties and provide impartial advice and guidance on remediation, with the goal of ensuring this process costs you no more than is absolutely required
• You benefit from being affiliated to one of the world's largest acquirers; this helps us to help you

* Dependent on exchange rate and complexity of company systems

Page 12

Contact our Payment Data Security Team

+44 (0) 203 664 5682
[email protected]
www.fisglobal.com

Worldpay, The Walbrook Building, 25 Walbrook, London, EC4N 8AF

Page 13

©2020 FIS and/or its subsidiaries. All Rights Reserved. FIS confidential and proprietary information.