ACCOUNT DATA COMPROMISE · 2020-05-07 · Compromise? An Account Data Compromise (ADC) is an...
ACCOUNT DATA COMPROMISE
Guide for customers 2020
2
What is an Account Data Compromise?
An Account Data Compromise (ADC) is an intrusion into
computer system(s) or access to physical cardholder
data where unauthorized disclosure, modification or
destruction of cardholder data is suspected.
It’s imperative to have an incident response plan in the event
an ADC occurs to your systems or to the systems of a third
party that is storing, processing or transmitting cardholder
data on your behalf.
Compliance with the Payment Card Industry Data Security
Standard (PCI DSS) is required for all entities involved in the
transmission of payment card data and can help reduce the
occurrence of an ADC. However, to effectively manage your
risk, you must have an incident response plan that is tailored
to your own business environment.
3
What to do in the event of an ADC?
eCommerce Channel
If you discover, or even suspect, an ADC event, take the following steps:
• Contact Worldpay from FIS immediately (see contact details
on page 12).
• Provide your Merchant ID number (MID) details.
• Leave compromised systems alone; don't access or alter them in any way, e.g., don't log in or change passwords.
• Don't turn off compromised systems; do unplug any network cables to disconnect them from your network.
• Back up your systems, which helps with any investigations at a later stage.
Our ADC team will follow up with any customer who has or may
have experienced an ADC.
4
What to do in the event of an ADC?
Mail Order Telephone Order (MOTO) Channel
If you discover, or even suspect, an ADC event, take the following steps:
• Contact Worldpay from FIS immediately (see contact details on page 12).
• Provide your Merchant ID number (MID) details.
• Leave compromised systems alone; don't access or alter them in any way, e.g., don't log on or change passwords.
• Don't turn off compromised systems; do unplug any network cables to disconnect them from your network.
• Back up your systems, which helps with any investigations at a later stage.
Our ADC team will follow up with any customer who has or may have experienced an ADC.
5
What to do in the event of an ADC?
PIN Entry Device (PED)
If you suspect your PED has been tampered with in any way, take the following steps:
• Immediately stop using the PED.
• Contact Worldpay from FIS immediately (see contact details on p. 12).
• Provide your Merchant ID number (MID) details.
• Contact a PFI Investigator (Worldpay can provide contact details).
• Take pictures of the PED environment including its location at your
business, the PED screen, all leads and cables and any anomalies.
• If any PED connections are unaccounted for, take a photo and then
disconnect them from their source (e.g., a port in the wall).
• Secure the PED, either in person or through the use of CCTV.
• Do not touch or turn off any devices attached to the PED such as
skimmers, false fronts, USB sticks and cables, etc.
• Document everything in writing and with photos, including a timeline
of the event.
6
ADC PCI SSC Forensic Investigation (PFI) criteria
Once an ADC event is reported, whether by the card schemes or a customer, strict management procedures must be followed.
Worldpay will mandate that a PCI SSC-listed Payment Card Industry Forensic Investigator (PFI) be engaged to investigate the matter.
Card schemes manage ADC events differently. Following are guides for Visa Europe and Mastercard.
Visa Europe
There are two types of investigation, depending on the level of the customer and the number and type of card transactions processed per annum:
PFI LITE – For small ADC events
• Level 4 eCommerce-only customers with fewer than 10,000 Visa eCommerce transactions at risk
• A maximum of three electronic devices, e.g., website, server and database
• Customers that do not process Mail Order Telephone Order (MOTO) via a Virtual Terminal (VT)
Note: As of June 2020, merchants that use a Magento 1 website will no longer qualify for PFI LITE.
FULL PFI – For large ADC events
• Level 1 to Level 3 customers, Level 4 non-eCommerce customers, or Level 4 customers with more than 10,000 Visa cards at risk
• Level 4 customers processing MOTO, including transactions via a VT
• Level 4 customers using a Magento 1 website after June 2020
• Previously breached customers
• Customers that previously failed a PFI Lite investigation
7
Visa Europe ADC penalties
Penalties
€3,000 will be charged for each ADC event, regardless of the compliance level. Please note that Visa Europe can apply this cost to all acquirers that process payments on behalf of the customer that experienced the ADC event.
PFI Lite – Customers with fewer than 10,000 Visa eCommerce transactions at risk per annum that do not use a Magento 1 website
Penalties:
• €3,000 case fee
• No further penalties will be applied as long as the PFI Lite process is adhered to
Full PFI investigations – Level 1-3 customers, Level 4 non-eCommerce customers, or Level 4 customers processing more than 10,000 eCommerce Visa cards at risk or using a Magento 1 website after June 2020. This includes MOTO customers, face-to-face customers, and those who have previously failed a PFI Lite investigation.
Penalties:
• €3,000 case fee
• €3 per card deemed at risk (PAN data only)
• €18 per card deemed at risk (PAN with CVV2 details, or PAN with Track 1 and Track 2 magnetic stripe data)
Note: Any penalty figures stated here are subject to change and will be levied on a case-by-case basis.
8
How Worldpay can maximise reductions on penalties from Visa
Note: As of June 2020, merchants that use a Magento 1 website will be considered non-compliant.
A Verified by Visa (VbV) customer that incurs an ADC event and is subject to a financial penalty based on the number of accounts at risk will have the penalty reduced by its share of authenticated VbV transactions, up to a maximum of 50%:
• Customer A, who processes 35% authenticated VbV transactions, would receive exactly a 35% reduction
• Customer B, who processes 65% authenticated VbV transactions, would receive a capped reduction of 50%
Reductions of between 25% and 100% in favour of customers will be applied based on self-notification of a breach and the PCI DSS compliance of the entity. To maximise reductions, it is imperative that you contact Worldpay immediately should you discover or merely suspect a data breach. Contact details are provided below. All reductions are at the discretion of Visa Europe and, if applied, are on a case-by-case basis.
Non-compliance assessment reduction the acquirer qualifies for, by how the customer was notified in the half-yearly report and by who reported the event:

Notification in half-yearly report                      | Acquirer informed Visa | Visa informed acquirer
Customer found compliant
  Acquirer reports customer as compliant                | 100%                   | 100%
  Acquirer reports customer as non-compliant            | 100%                   | 100%
  Acquirer fails to declare or incorrectly reports the
  customer's compliance                                 | 100%                   | 75%
Customer found non-compliant
  Acquirer reports customer as compliant                | 75%                    | 50%
  Acquirer reports customer as non-compliant            | 50%                    | 25%
  Acquirer fails to declare or incorrectly reports the
  customer's compliance                                 | 25%                    | No reduction
9
Mastercard potential ADC penalties
Mastercard penalties for ADC events are known as Operational
Reimbursement (OR) and Fraud Reimbursement (FR).
For an ADC event impacting a minimum of 30,000 Mastercard accounts,
Mastercard may levy OR or both OR and FR. The Mastercard ADC
reimbursement program is optional for issuers. Only issuers that opt into the
Mastercard ADC reimbursement program will be eligible for reimbursement
for OR or both OR and FR for an ADC event each calendar year.
In the event that the compromised entity is an eCommerce customer where
only PAN, expiration date and/or the CVC/CVV code have been
compromised, only OR will be levied.
It is not possible to provide exact details of Mastercard penalties that may
be levied against Worldpay customers because Mastercard reviews OR
and FR on a case-by-case basis, and calculations are based on which
issuers’ cards have been impacted and deemed at risk by a PFI
investigation.
When Mastercard provides a calculation, Worldpay will inform the customer.
10
ADC Event: example of penalties
Visa Europe
PAN & CVV: 4,000 cards x €18 = €72,000 (£61,512)
Compliance reductions (25%): -€18,000 (-£15,378)
  = €54,000 (£46,134)
VbV reduction (50%): -€27,000 (-£23,067)
  = €27,000 (£23,067)
ADC case fee: €3,000 (£2,563)
Sub total: €30,000 (£25,630)
Mastercard: $0 (£0)
Grand total: £25,630*
In this example an ADC event occurred involving a non-compliant customer where 4,000 Visa cards were deemed at risk and fewer than 30,000 Mastercard cards were deemed at risk. For the purposes of this example, PAN & CVV data were located.
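The slide above applies the per-card rate, the compliance reduction and the VbV reduction in a fixed order before adding the case fee, and the reduction matrix on page 8 decides which compliance percentage applies. The following Python is an added illustration (not Worldpay/FIS or Visa code) that reproduces the deck's example step by step and encodes the reduction matrix as a lookup. The per-card rates, case fee, VbV cap and 30,000-account Mastercard threshold are the figures quoted in the deck; the 50% VbV share and the matrix row that yields 25% are assumptions chosen to reproduce the example, and figures are kept in EUR (no exchange-rate conversion).

```python
"""Added illustration of the deck's ADC penalty example (not Worldpay/FIS or
Visa code). Rates, fee, cap and threshold are the deck's quoted figures; the
VbV share and compliance row used in deck_example() are assumptions."""

PER_CARD_PAN_ONLY_EUR = 3.0       # PAN data only
PER_CARD_PAN_PLUS_EUR = 18.0      # PAN with CVV2, or PAN with Track 1/Track 2 data
CASE_FEE_EUR = 3000.0             # charged for every ADC event
VBV_REDUCTION_CAP = 0.50          # VbV reduction capped at 50%
MASTERCARD_MIN_ACCOUNTS = 30000   # OR/FR considered from this many accounts

# Reduction matrix from the deck, keyed by
# (customer found compliant?, how the acquirer reported the customer).
# Each value is (acquirer informed Visa, Visa informed acquirer).
REDUCTION_MATRIX = {
    (True,  "compliant"):     (1.00, 1.00),
    (True,  "non-compliant"): (1.00, 1.00),
    (True,  "undeclared"):    (1.00, 0.75),
    (False, "compliant"):     (0.75, 0.50),
    (False, "non-compliant"): (0.50, 0.25),
    (False, "undeclared"):    (0.25, 0.00),   # "No reduction"
}


def compliance_reduction(found_compliant, reported_as, acquirer_informed_visa):
    """Look up the non-compliance assessment reduction as a fraction (0.0 to 1.0)."""
    both = REDUCTION_MATRIX[(found_compliant, reported_as)]
    return both[0] if acquirer_informed_visa else both[1]


def vbv_reduction(vbv_authenticated_share):
    """VbV reduction equals the authenticated VbV share, capped at 50%."""
    if not 0.0 <= vbv_authenticated_share <= 1.0:
        raise ValueError("share must be a fraction between 0 and 1")
    return min(vbv_authenticated_share, VBV_REDUCTION_CAP)


def visa_penalty(cards_at_risk, cvv_or_track_exposed, compliance_red, vbv_share):
    """Return the step-by-step breakdown shown on the deck's example slide."""
    rate = PER_CARD_PAN_PLUS_EUR if cvv_or_track_exposed else PER_CARD_PAN_ONLY_EUR
    gross = cards_at_risk * rate
    after_compliance = gross * (1.0 - compliance_red)      # compliance reduction first
    after_vbv = after_compliance * (1.0 - vbv_reduction(vbv_share))  # then VbV
    return {
        "gross": gross,
        "after_compliance": after_compliance,
        "after_vbv": after_vbv,
        "case_fee": CASE_FEE_EUR,
        "total": after_vbv + CASE_FEE_EUR,                  # case fee is never reduced
    }


def mastercard_reimbursement_applies(mastercard_accounts_at_risk):
    """Deck: OR/FR may be levied from 30,000 accounts; the example shows $0 below that."""
    return mastercard_accounts_at_risk >= MASTERCARD_MIN_ACCOUNTS


def deck_example():
    """The 4,000-card PAN & CVV example from the slide, in EUR.

    Assumed inputs: a non-compliant customer reported as non-compliant where
    Visa informed the acquirer (25% row), and a 50% authenticated VbV share.
    """
    red = compliance_reduction(found_compliant=False, reported_as="non-compliant",
                               acquirer_informed_visa=False)
    return visa_penalty(4000, cvv_or_track_exposed=True,
                        compliance_red=red, vbv_share=0.50)


if __name__ == "__main__":
    for step, amount in deck_example().items():
        print(f"{step:>17}: EUR {amount:,.0f}")
    print("Mastercard OR/FR applies for 12,000 accounts:",
          mastercard_reimbursement_applies(12_000))
```

Running the block prints the same chain as the slide (€72,000, €54,000, €27,000, €3,000 fee, €30,000 total). Changing `cvv_or_track_exposed` to `False` shows the effect of limiting exposure to PAN only (€3 per card rather than €18), which is the most direct way to read the deck's penalty structure as an argument for not storing CVV2 or track data.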
11
The potential further costs
A rough guide to the associated costs of a suspected ADC event
• Cost of migration to an outsourced solution
  - unknown/hidden costs
• Cost of website re-development
  - unknown/hidden costs
• Cost of compressing existing compliance program into 90 days
  - unknown/hidden costs
• Cost of reputational risk
  - unknown
• QSA engagement for full report on compliance (Level 1 certification)
  - approx. £9,000 excl. VAT & expenses
Total: £9,000* + hidden costs
Penalties on previous slide £25,630 + £9,000 = £34,630 + unknown costs
• We support every element of this process for your benefit
• We help you in engaging third parties and provide impartial advice and guidance on remediation, with the goal of ensuring this process costs you no more than is absolutely required
• You benefit from being affiliated with one of the world's largest acquirers, which helps us to help you
* Dependent on exchange rate and complexity of company systems
12
Contact our Payment Data Security Team
+44 (0) 203 664 5682
www.fisglobal.com
Worldpay, The Walbrook Building, 25 Walbrook, London, EC4N 8AF
©2020 FIS and/or its subsidiaries. All Rights Reserved. FIS confidential and proprietary information.