




http://usa.visa.com/merchants/risk_management/cisp_if_compromised.html
Visa® has established certain guidelines to follow if your data is compromised. These will vary by card issuer, but should give you a good idea of what you need to do right away in the event of suspected or confirmed loss or theft.
Take immediate action if compromised
Merchants and service providers that have experienced a suspected or confirmed security breach must take immediate action to help prevent additional damage and adhere to Visa CISP requirements.
If a Visa member fails to immediately notify Visa Inc. Fraud Control of the suspected or confirmed loss or theft of any Visa transaction information, the member will be subject to a penalty of $100,000 per incident. Members are subject to fines, up to $500,000 per incident, for any merchant or service provider that is compromised and not compliant at the time of the incident.
Steps for compromised companies
- Immediately contain and limit the exposure. Prevent further loss of data by conducting a thorough investigation of the suspected or confirmed compromise of information. To preserve evidence and facilitate the investigation:
  - Do not access or alter compromised systems (i.e., don't log on at all to the machine and change passwords, do not log in as ROOT).
  - Do not turn the compromised machine off. Instead, isolate compromised systems from the network (i.e., unplug cable).
  - Preserve logs and electronic evidence.
  - Log all actions taken.
  - If using a wireless network, change SSID on the AP and other machines that may be using this connection with the exception of any systems believed to be compromised.
  - Be on "high" alert and monitor all systems with cardholder data.
- Alert all necessary parties immediately. Be sure to contact:
  - Your internal information security group and incident response team.
  - Your merchant bank. If you do not know the exact name and/or contact information for your merchant bank, notify Visa Fraud Investigations and Incident Management group immediately at (650) 432-2978.
  - Your local office of the United States Secret Service.
- Provide all compromised Visa, Interlink, and Plus accounts to your merchant bank within 10 business days. All potentially compromised accounts must be provided and transmitted as instructed by your merchant bank and Visa Fraud Investigations and Incident Management group. Visa will distribute the compromised Visa account numbers to Issuers and ensure the confidentiality of entity and non-public information.
- Within 3 business days of the reported compromise, provide an Incident Report document to your merchant bank. (See Appendix A for the report template.)
Note: Visa, in consultation with your merchant bank, will determine whether or not an independent forensic investigation will be initiated on the compromised entity.
Data Breach Insurance
Last year, nearly 36 million personal records were compromised by data breach, and that number is expected to grow in the future. What's more, nearly 40 percent of those breaches occurred at businesses, which means that you and your merchants are at significant risk. The fines, assessments, and expenses merchants are obligated to pay even if a breach of credit card data is only suspected could cost them thousands, even tens of thousands, of dollars. And if your merchants can't pay, you have to!
The RGS Data Breach Insurance for Merchants is designed to protect you and your merchants from that risk. Here are the details of what is covered:
- The mandatory forensic audit required by the Payment Card Industry Data Security Standard (PCI DSS) when a data breach is suspected (this audit confirms whether an actual breach has occurred and pinpoints where your systems are most vulnerable)
- Credit card replacement costs and related expenses
- Assessments and fines levied by card sponsors for data breaches
- Data breaches caused by employee dishonesty and/or the physical theft of data, as well as computer hacking
Insurance details
- Level 2, 3, and 4 merchants covered regardless of PCI DSS compliance
- "A" rated insurer
- Flexible policy limits from $50,000 up to $100,000 per MID
- No deductible
- No co-pay
- No underwriting of individual merchants
Simple, 3-step claim process
- Complete an online claim form by following the easy-to-use link at the merchant portal
- Upload or fax the appropriate notice that stipulates there has been a suspected or actual breach at the merchant's location
- When the forensic audit is complete, upload or fax a copy of the assessor's invoice

