What to do if card data has been lost or stolen

You need to act quickly

Organisations that handle card payments are at risk from cardholder details being stolen through hacking, card skimming or other methods used by criminals. High-profile cases make the news regularly.

Fraudsters may target systems used for storing, processing or transmitting cardholder data. These systems may belong to a company or a third party provider that works on its behalf.

In industry terminology, a breach is known as an Account Data Compromise (ADC) event.

If an ADC should ever happen to your organisation, it’s vital to have your own incident response plan in place already, tailored to your own business environment, so you can react effectively. This guide will help you.
 

Avoiding an ADC in the first place

The Payment Card Industry Data Security Standard (PCI DSS) aims to strengthen security but it cannot guarantee the security of sensitive information. So businesses must take steps to protect themselves and their customers. Elavon provides important guidance. Just ask us for details.

If there’s been an Account Data Compromise, here’s what to do

If you identify an ADC event or simply suspect one, you need to follow these steps:

Step 1
Contact Elavon’s Global Client Security Team immediately at ADCqueries-EU@elavon.com.

Step 2
Take affected devices offline but do not shut them down or make any changes.

Step 3
Do not access or alter compromised systems. The goal here is to stop action that might erase clues, contaminate evidence, or otherwise inadvertently aid the attacker.

Step 4
Invoke your incident response plan and communicate with appropriate stakeholders such as third party service providers, legal, PR, HR, customer service and any other stake-holding group that would need to be involved in the post-breach clean up.

Investigating what’s happened

Once a case is raised, there is a procedure for managing an ADC event. This includes engaging a PCI Forensic Investigator (PFI) to see what may have gone wrong.

• Within 5 days you must have identified a PFI
• Within 10 days you and the PFI must have signed a contract
• Within the next 5 days the PFI will begin
   

Elavon will help you navigate through this process.

Card schemes manage ADC events in different ways

How we handle ADC events is dictated by the card schemes (Visa, Mastercard, Amex, Diners or JCB) that have been involved in the breach.

With Visa, there are two types of PCI Forensic investigation (PFI), depending on the level of customer and the number and type of card transactions processed.

Full PFI

Who is this service for?

• Customers processing more than 10,000 transactions
• A customer processing Virtual Terminal transactions
• Previously breached customers failing the PFI Lite process
• Customers processing Point-of-Sale transactions subject to an account data compromise

Note: All card schemes will be notified by Elavon’s Client Security Team.

PFI Lite

Who is this service for?

• PCI Level 4 merchants only
• A maximum of three electronic devices, e.g. website, server and database
• Customers processing fewer than 10,000 Visa transactions
• Customers that have no Virtual Terminal infrastructure

Note: Only Visa supports the PFI Lite investigation. If you do not meet the PFI Lite criteria, then you must complete a Full PFI.
 

What kind of ADC fees can you expect from Visa?

Visa applies different levels of ADC fees. There’s a standard charge of €3,000 for all cases but costs can be greater with Full PFI investigations.

Full PFI

Customers processing more than 10,000 Visa transactions.

• €3 per card lost - long card number only
• €18 per card lost - long card number and security code
• €3,000 case fee

PFI Lite

Customer processing fewer than 10,000 Visa transactions:

• €3,000 case fee
• No further penalties will be applied as long as the PFI Lite process is adhered to

Elavon can help companies to reduce ADC fees from Visa

It may be possible to get the cost of ADC fees reduced by 25-100%, based on early self notification of a breach and correct reporting of PCI compliance status to card schemes.

But it’s imperative that you contact Elavon immediately if you discover or suspect a breach may have taken place. That way, we can maximise the likelihood of any reduction in costs.

A verified by Visa customer that incurs an ADC event and is subject to an ADC fee based on the number of accounts at risk, may have the ADC fee reduced up to a maximum of 50%.

By being PCI compliant, self reporting an ADC event and Elavon reporting correctly to card schemes on your PCI status, ADC fees might be reduced up-to 100%.

All fee reductions are at the discretion of the card schemes.

ADC fees with Mastercard

Mastercard fees for ADC events are known as Operational Reimbursement (OR) and Fraud Recovery (FR). Mastercard will levy fees when 30,000 Mastercard accounts have been impacted.

If a Mastercard fee is raised, Elavon will contact a customer immediately.
 

Calculating fees after an ADC has taken place

Depending on the nature and scale of the ADC, various factors and reductions can come into play.

For most smaller ADC events, Mastercard will not take action until after the PFI completion.

In this example an ADC occurred involving a non compliant customer where 4,000 Visa cards were deemed at risk and less than 30,000 Mastercard cards were deemed at risk. For the purposes of this example PAN and CVV were located.

Grand Total £25,630*

^{*Any ADC fees are correct at the time and date of release and are subject to change and will be allocated on a case by case basis. Mastercard is a registered trademark of Mastercard International Incorporated. What to do if card data has been lost or stolen}
 

What other costs might you face?

As well as paying card scheme ADC fees, you also need to take steps to make sure a breach doesn’t happen again. Following an ADC event, you will need to validate as a PCI Level 1 merchant for a year. This means you will need to engage with a Qualified Security Assessor to do this. Engaging a Qualified Security Assessor (QSA) for a full report on compliance (level 1 certification) could cost up to £50,000, depending on the complexity of systems and the amount of remediation work required.

But you could face a number of unknown additional costs such as:

• Migration to an outsourced solution
• Website re-development
• Compressing an existing compliance programme into 90 days
• Cost of reputational risk

The costs outlined are only the ADC fees from card schemes. These are separate from the significant Data Protection fines that can be levied by Data Protection Authorities under the General Data Protection Regulation (GDPR). This is the regulation that was introduced in May 2018 which comes to govern personal data including adequate security around payment card data. Companies may be subject to fines of up to 4% of their global annual turnover or €20million (or whichever is the greater) if they do not put in adequate security controls such as PCI DSS.

Recent precedent has shown that even high profile companies that have taken steps to protect data have been subject to fines up to 4% of their global annual turnover.
 

Elavon is here to support you

By working with one of the world’s largest acquirers, you’ll benefit from our leading expertise within the payments industry.

We can support our customers through every stage of the ADC process:

• Helping you to engage with third parties
• Providing impartial advice and guidance on remediation
• Working with you towards minimising costs
   

For more details

Elavon can help you to secure your payment channels and reduce the risk of an ADC event and the costly aftermath. We can offer you complimentary consultancy with trusted partners and the reassurance you need. For more information speak to your Elavon Relationship Manager or contact the Elavon Account Data Compromise team.