Note: If you suspect or confirm a Compromise Event, it is important to notify Popular Merchant immediately via email to merchantclaims@popularmerchant.com. Popular Merchant will assist and guide you with the Visa and Mastercard Requirements for Compromise Events.
1 Submit notification to Visa and Mastercard immediately
An entity that suspects or confirms unauthorized access to any payment account data, or to any payment system that stores, processes, or transmits payment account data, is required to ensure that the Compromise Event is reported to Visa (within 3 calendar days) and Mastercard (immediately) of either:
- The discovery of evidence sufficient to raise a reasonable suspicion of a Compromise Event,
- or the discovery of evidence sufficient to confirm the existence of a Compromise Event.
Popular Merchant is responsible for ensuring compliance with this requirement by their affiliates, agents, and customers.
2 Perform initial investigation and provide incident report
Within three (3) calendar days of notifying Visa and Mastercard, provide a report describing the event (the “Incident Report”) to Visa, Mastercard and Popular Merchant.
3 Provide notice to other relevant parties
- Your internal incident response team and information security group.
- Your PIN Entry Device (PED) manufacturer, your Point-of-Sale (POS) manufacturer or POS reseller/integrator, or shopping cart manufacturer if it is determined the incident involves a vulnerability in your payment processing system. Vendors of applications certified under the PCI SSC’s Software Security Framework are required to notify the SSC of any application vulnerabilities.
- Your legal department, particularly if applicable law mandates customer notification.
- The appropriate local or national law enforcement agencies..
- The United States Secret Service Electronic Crimes Task Forces (ECTF) if the Compromise Event is in the United States. The ECTF focuses on investigating financial crimes and can assist with incident response and mitigation of a Compromise Event.
- Visit www.secretservice.gov/investigation/ for ECTF field office contact information.
- Notify the Department of Consumer Affairs (DACO) for companies doing business in Puerto Rico and notify local authorities as required by applicable laws.
4 Provide exposed payment account data to Visa and Mastercard
Within three (3) calendar days of any of the following scenarios: (a) discovery of compromised account data; (b) the date at-risk account numbers were exposed; or (c) a Window of Exposure (WOE) is determined, entities are required to ensure that all compromised account numbers (known or suspected) are provided to Visa and Mastercard.
5 Conduct PCI forensic investigation (PFI)
Visa and Mastercard may, at its discretion, require a potentially compromised entity to engage a Payment Card Industry (PCI) Forensic Investigator (PFI) to perform an investigation. Should they require an investigation by a PFI, Members or responsible parties will receive formal notification.
- A list of approved PFI organizations is available at: pcisecuritystandards.org/assessors_and_solutions/pci_forensic_investigators
6 Conduct independent investigation
Not all Compromise Events necessitate a PCI Forensic Investigation (PFI). Visa and Mastercard may require a potentially compromised entity to conduct an Independent Investigation in lieu of, or prior to, a PCI forensic investigation. Independent Investigators are required to provide Independent Investigation reports and other investigative findings directly to Visa and Mastercard. The investigator’s company cannot be an organization that is affiliated with the compromised entity or has provided services to the compromised entity such as previous PFI investigation, Qualified Security Assessor (QSA), advisor, consultant, monitoring, or network security support, etc., within the past 3 years. Visa reserves the right to reject reports that do not satisfy the requirements and to require a PFI investigation if the requirements are not fulfilled.
7 Preserve evidence
To identify the root cause of a potential Compromise Event, facilitate investigations, and ensure the integrity of the system components and environment, it is critical to preserve all evidence.
Sources: SPME Manual, What to do if compromised