PCI Incident-Breach Procedure

I. BACKGROUND

In response to increasing incidents of identity theft, the major payment card companies – American Express, Discover, MasterCard, and Visa – created a common set of security requirements to help prevent theft of consumer data. These requirements are known as the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS is multifaceted and includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.

The PCI DSS is not law. Compliance with the PCI DSS is a contractual obligation between the University and its acquirer (the merchant bank) to proactively protect cardholder data. Each of the major payment card companies has specific, required procedures for notifying it in the event of a suspected or confirmed unauthorized acquisition of cardholder data.

II. DEFINITIONS

Definitions are included in the Glossary.

III. PROCEDURES

A. Immediately Notify Payment Card Companies

Upon notification of a suspected unauthorized acquisition of cardholder data at SSU, the Information Security Officer or designee shall immediately notify all or some of the following entities:

  • MasterCard Compromised Account Team at compromised_account_team@mastercard.com and by phone – (636) 722-4100
  • Visa USA Fraud Investigations and Incident Management Group – (650) 432-2978
  • American Express – (800) 528-5200
  • Discover Merchant Security Department – (800) 347-3083
  • The Merchant Bank –
    • Elavon Customer Service – Christi Selvage (800) 725-1245 x8113
    • Merchant E-Solutions – Help Desk (888) 288-2692
  • San Francisco Office of the U.S. Secret Service – (415) 744-9026

B. Incident Investigation

The Information Security Officer or designee shall start an incident investigation within 24 hours to determine the following:

  • Type of cardholder data at risk. Data may include:
    • Cardholder name
    • Cardholder address
    • Cardholder Primary Account Number (PAN)
    • Card expiration date
    • Card Validation Code/Card Verification Value
    • Magnetic stripe (track) data
    • PIN
    • PIN blocks
  • Number of cardholder accounts at risk
  • Incident timeframe for cardholder accounts at risk
  • Suspected cause of incident

If it is determined that cardholder data has not been compromised, the Information Security Officer or designee shall notify the payment card companies and advise that cardholder data has not been compromised.

C. Confirmed Security Breach

Within 24 hours of knowledge of a confirmed security breach and knowledge that cardholder data has been compromised, the Information Security Officer or designee shall notify some or all of the following entities:

  • MasterCard Compromised Account Team at compromised_account_team@mastercard.com or by phone – (636) 722-4100
  • Visa USA Fraud Investigations and Incident Management Group – (650) 432-2978
  • American Express – (800) 528-5200
  • Discover Merchant Security Department – (800) 347-3083
  • The Merchant Bank –
    • Elavon Customer Service – Christi Selvage (800) 725-1245 x8113
    • Merchant E-Solutions – Help Desk (888) 288-2692
  • San Francisco Office of the U.S. Secret Service – (415) 744-9026

D. Subsequent Notification

Within three (3) business days of the reported compromise, the Information Security Officer or designee shall:

  • Provide an Incident Response Report to one or more of the following:
    • MasterCard Merchant Fraud Control staff
    • Visa USA Fraud Investigation and Incident Management Group
    • American Express
    • Discover Merchant Security Department
    • The Merchant Bank

Within ten (10) business days, the Information Security Officer or designee shall:

  • Provide all compromised Visa, Interlink, and Plus primary account numbers to the merchant bank as instructed by the merchant bank and to Visa Investigations and Incident Management Group.

E. Additional Requirements

Additional requirements are at the sole discretion of the payment card companies and are likely to include the following:

  • Depending upon the level of risk and data elements obtained by unauthorized persons, an independent forensic investigation and vulnerability scan of the campus network
  • Weekly written status reports addressing open questions and issues, until the audit is considered to be complete
  • Completion of a PCI DSS Compliance Questionnaire

IV. PCI RESPONSE TO NON-COMPLIANCE

If investigation of the incident reveals that the University or an auxiliary organization’s non-compliance with the PCI DSS contributed to the account compromise or if the University or auxiliary organization was negligent in reporting or investigating the loss of cardholder data, fines and penalties may be assessed.

The payment card companies may take any or all of the following actions:

  • Charge up to $500,000 per security incident if the cardholder information is compromised;
  • Prohibit the University and/or auxiliary organization from accepting payment cards for goods or services;
  • Fine the University and/or an auxiliary organization up to $100,000 per security incident for failure to notify of probable or actual violations or compromise of cardholder data.

Procedure Purpose: This document outlines procedures and protocols for campus response to security incidents and breaches involving credit/debit (payment) cardholder data.
Procedure Number: 02-109
Version: 1.0.1
Effective Date: Sep 01 2009
Prepared by: Barry Blackburn
Date Prepared: Mar 01 2009
Approved By: Samuel Scalise
Date Approved: Mar 09 2009
Last Updated By: Barry Blackburn
Date Last Updated: Apr 23 2010
Associated Policy: Payment Card Industry Security Policy
Contact(s): Barry Blackburn (ISO)