Customers’ cardholder data stolen!
Cardholder data compromise occurs when cardholder account information is stolen due to a breach in the merchant’s payment system.
According to the Payment Card Industry Data Security Standard (PCI DSS), a cardholder is a customer to whom a payment card is issued or any individual authorized to use the payment card, and a merchant is any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Cardholder data can be compromised from sources such as the payment system database, a card reader, or the loss or theft of property that contains cardholder data.
Cardholder Data includes:
- Primary Account Number (PAN)
- Cardholder Name
- Expiration Date
- Service Code
Sensitive Authentication Data includes:
- Full magnetic stripe data or equivalent on a chip
- CAV2/CVC2/CVV2/CID
- PINs/PIN blocks
By stealing this sensitive authentication data, a thief can impersonate the cardholder and use the card for illicit activity.
Top Recovery Tips
1. Don’t Panic. Immediately isolate the compromised system(s) and preserve evidence.
When a data compromise occurs or is suspected, it is imperative that you contain the damage quickly to protect customer data and preserve evidence in case of a forensic investigation. Subsequently, work towards identifying the root cause of the incident. If you are a merchant, produce an accurate record of events for the authorities.
Remember to comply with the requirements of the payment card brands (American Express, Discover, JCB, MasterCard, Visa, etc.). These requirements include notification timelines and the use of certified companies specializing in incident response.
2. Notify relevant authorities.
Report the incident to the relevant authorities, and also consider the following audiences for notification:
- Cardholders
- Employees
- Customer service
- Shareholders
- Analysts
- Media
- Partners
- Regulators
- Legislators
Once the compromise is confirmed, immediately acknowledge responsibility for the compromise and express regret for its impact. Inform customers about the solution/plan for recovery.
The card brand, in consultation with your merchant bank, will determine whether or not an independent forensic investigation of the compromised entity is required.
3. If illegal usage of card data is suspected or possible, contact your local law enforcement.
A cardholder data breach may be the result of an insider breach. If you are concerned that the cardholder data was compromised by an insider, refer to the Insider Breach section.