Organisations that handle card payments are at risk of cardholder details being stolen through hacking, card skimming or other criminal methods. High-profile cases make the news regularly.
Fraudsters may target any system used for storing, processing or transmitting cardholder data. These systems may belong to the company itself or to a third-party provider that works on its behalf.
In industry terminology, a breach of cardholder data is known as an Account Data Compromise (ADC) event.
If an ADC ever happens to your organisation, it is vital to already have an incident response plan in place, tailored to your own business environment, so you can react effectively. This guide will help you.
The Payment Card Industry Data Security Standard (PCI DSS) aims to strengthen security, but compliance cannot guarantee that sensitive information is safe. Businesses must therefore take their own steps to protect themselves and their customers. Elavon provides guidance on this; just ask us for details.
If there’s been an Account Data Compromise, here’s what to do
If you identify an ADC event or simply suspect one, you need to follow these steps:
Step 1
Contact Elavon’s Global Client Security Team immediately at ADCqueries-EU@elavon.com.
Step 2
Isolate affected devices from the network (for example, unplug the network cable or disable the wireless connection) but do not power them off, reboot them or make any other changes. Shutting a device down destroys volatile evidence such as memory contents and active connections that a forensic investigator will need.
Step 3
Do not log in to, examine or alter compromised systems yourself. The goal is to avoid any action that might erase clues, contaminate evidence or otherwise inadvertently aid the attacker.
Step 4
Invoke your incident response plan and communicate with the appropriate stakeholders, such as third-party service providers, legal, PR, HR, customer service and any other group that would need to be involved in the post-breach clean-up.
Once a case is raised, there is a set procedure for managing an ADC event. This includes engaging a PCI Forensic Investigator (PFI) to establish what went wrong and which card data was exposed.
Card schemes manage ADC events in different ways
How we handle an ADC event is dictated by the card schemes (Visa, Mastercard, Amex, Diners or JCB) whose cards were involved in the breach.
With Visa, there are two levels of PFI investigation, depending on the customer's level and the number and type of card transactions it processes.
Full PFI
Who is this service for? Customers processing more than 10,000 Visa transactions.
Note: All card schemes will be notified by Elavon’s Client Security Team.
PFI Lite
Who is this service for? Customers processing fewer than 10,000 Visa transactions.
Note: Only Visa supports the PFI Lite investigation. If you do not meet the PFI Lite criteria, you must complete a Full PFI.
Visa applies different levels of ADC fees. There is a standard case fee of €3,000 for all cases, but costs can be greater with Full PFI investigations.
It may be possible to have ADC fees reduced by 25-100%, based on early self-notification of the breach and correct reporting of your PCI compliance status to the card schemes.
It is therefore imperative that you contact Elavon immediately if you discover or suspect that a breach may have taken place. That way, we can maximise the likelihood of a reduction in costs.
A Verified by Visa customer that incurs an ADC event and is subject to an ADC fee based on the number of accounts at risk may have that fee reduced by up to 50%.
By being PCI compliant, self-reporting the ADC event and having Elavon report your PCI status correctly to the card schemes, ADC fees may be reduced by up to 100%.
All fee reductions are at the discretion of the card schemes.
Visa's non-compliance assessment may be reduced depending on how the merchant's compliance status was reported in the acquirer's half-yearly report to Visa, and on whether the acquirer informed Visa of the event or Visa informed the acquirer:
| Notification in half-yearly report | Acquirer informed Visa: non-compliance assessment reduction | Visa informed acquirer: non-compliance assessment reduction |
|---|---|---|
| Acquirer reports merchant as non-compliant | 100% | 100% |
| Acquirer fails to declare or incorrectly reports the merchant's compliance | 100% | 75% |
| Merchant found non-compliant: | | |
| Acquirer correctly reports merchant as compliant | 75% | 50% |
| Acquirer correctly reports merchant as non-compliant | 50% | 25% |
| Acquirer fails to declare or incorrectly reports the merchant's compliance | 25% | No reduction |
Mastercard fees for ADC events are known as Operational Reimbursement (OR) and Fraud Recovery (FR). Mastercard levies these fees once 30,000 or more Mastercard accounts have been impacted.
If a Mastercard fee is raised, Elavon will contact the customer immediately.
Depending on the nature and scale of the ADC, various factors and reductions can come into play.
For most smaller ADC events, Mastercard will not take action until after the PFI has been completed.
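As an added worked example (not an Elavon tool and not part of the original page), the following Python script applies the Visa reductions described above to a count of accounts at risk, in the order used by the worked example on this page, adds the fixed case fee, and flags whether the Mastercard 30,000-account threshold has been crossed. The €18 per-account rate for PAN plus CVV, the €3,000 case fee, the 25% and 50% reductions and the implied EUR/GBP rate are all read off this page's own example; that reductions stack one after another is an assumption taken from that example, and whether any reduction applies in a given case remains at the card scheme's discretion.

```python
"""Estimate Visa ADC fees using the figures quoted on this page.

Added illustration, not an Elavon tool. The EUR 18 per-account rate
(PAN and CVV exposed), the EUR 3,000 case fee, the 25% self-reporting
reduction, the 50% Verified by Visa reduction and the EUR->GBP rate are
all taken from the worked example on this page. Real assessments are set
case by case and every reduction is at the card scheme's discretion, so
treat the output as a planning figure, not a bill.
"""
from dataclasses import dataclass

CASE_FEE_EUR = 3_000.0                  # Visa standard ADC case fee
PER_ACCOUNT_FEE_EUR = 18.0              # per Visa account at risk, PAN + CVV exposed
SELF_REPORT_REDUCTION = 0.25            # early self-notification of the breach
VERIFIED_BY_VISA_REDUCTION = 0.50       # maximum Verified by Visa reduction
MASTERCARD_ACCOUNT_THRESHOLD = 30_000   # below this, no Mastercard OR/FR fee
EUR_TO_GBP = 61_512 / 72_000            # rate implied by the page's example (~0.8543)


@dataclass
class FeeLine:
    label: str
    eur: float          # signed: reductions are negative
    running_eur: float  # balance after this line is applied


def gbp(eur: float) -> int:
    """Convert to GBP at the page's implied rate, rounded to whole pounds."""
    return round(eur * EUR_TO_GBP)


def estimate_visa_adc_fees(accounts_at_risk: int,
                           self_reported: bool = True,
                           verified_by_visa: bool = True) -> list[FeeLine]:
    """Itemised Visa ADC fee estimate.

    Reductions are applied one after another to the running balance, which
    is how the page's worked example reaches EUR 27,000 from EUR 72,000
    (-25%, then -50%). The fixed case fee is added last and is not subject
    to either reduction (again following the example). This is an assumed
    model of the page's figures, not Visa's published rules.
    """
    if accounts_at_risk < 0:
        raise ValueError("accounts_at_risk must be non-negative")
    lines: list[FeeLine] = []
    balance = accounts_at_risk * PER_ACCOUNT_FEE_EUR
    lines.append(FeeLine(f"PAN and CVV: {accounts_at_risk:,} x EUR {PER_ACCOUNT_FEE_EUR:g}",
                         balance, balance))
    reductions = []
    if self_reported:
        reductions.append(("Visa reduction for self-reporting breach (25%)",
                           SELF_REPORT_REDUCTION))
    if verified_by_visa:
        reductions.append(("Verified by Visa reduction (50%)",
                           VERIFIED_BY_VISA_REDUCTION))
    for label, fraction in reductions:
        cut = balance * fraction
        balance -= cut
        lines.append(FeeLine(label, -cut, balance))
    balance += CASE_FEE_EUR
    lines.append(FeeLine("ADC case fee", CASE_FEE_EUR, balance))
    lines.append(FeeLine("Sub total", balance, balance))
    return lines


def subtotal_eur(lines: list[FeeLine]) -> float:
    """Final balance of an itemised estimate."""
    return lines[-1].running_eur


def mastercard_fee_applicable(mastercard_accounts_at_risk: int) -> bool:
    """Mastercard OR/FR fees are raised once 30,000 accounts are impacted."""
    return mastercard_accounts_at_risk >= MASTERCARD_ACCOUNT_THRESHOLD


if __name__ == "__main__":
    # Constructed scenario matching the page: 4,000 Visa accounts with PAN + CVV
    # exposed, breach self-reported, Verified by Visa customer, and (assumed)
    # 12,000 Mastercard accounts at risk, i.e. under the 30,000 threshold.
    for line in estimate_visa_adc_fees(4_000):
        print(f"{line.label:<48} EUR {line.eur:>10,.0f}  "
              f"(balance EUR {line.running_eur:,.0f} / GBP {gbp(line.running_eur):,})")
    print("Mastercard OR/FR fee applicable:", mastercard_fee_applicable(12_000))
```

Running the script with the page's scenario reproduces its figures: €72,000 before reductions, €30,000 (£25,630) after the self-reporting and Verified by Visa reductions and the case fee. Switching either flag off shows how much each reduction is worth, which is the practical reason to self-report early.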
| Visa | € | £ |
|---|---|---|
| PAN and CVV: 4,000 accounts x €18 | €72,000 | £61,512 |
| Visa reduction for self-reporting breach (25%) | −€18,000 (balance €54,000) | −£15,378 (balance £46,134) |
| Verified by Visa reduction (50%) | −€27,000 (balance €27,000) | −£23,067 (balance £23,067) |
| ADC case fee | €3,000 | £2,563 |
| Sub total | €30,000 | £25,630 |
In this example, an ADC occurred at a customer that was not PCI compliant. 4,000 Visa cards were deemed at risk and fewer than 30,000 Mastercard cards were deemed at risk, so no Mastercard OR/FR fee arises. For the purposes of this example, PAN and CVV data were found to have been exposed.
Grand Total £25,630*
*Any ADC fees are correct at the time and date of release, are subject to change and will be allocated on a case-by-case basis. Mastercard is a registered trademark of Mastercard International Incorporated.
What to do if card data has been lost or stolen
As well as paying card scheme ADC fees, you also need to take steps to make sure a breach does not happen again. Following an ADC event, you will be required to validate PCI DSS compliance as a Level 1 merchant for a year. This means engaging a Qualified Security Assessor (QSA) to produce a full Report on Compliance (Level 1 certification), which could cost up to £50,000 depending on the complexity of your systems and the amount of remediation work required.
But you could face a number of unknown additional costs such as:
The costs outlined above are only the ADC fees from the card schemes. They are separate from the significant fines that Data Protection Authorities can levy under the General Data Protection Regulation (GDPR). GDPR, which came into force in May 2018, governs the processing of personal data, including the requirement for appropriate security around payment card data. Companies may be fined up to 4% of their global annual turnover or €20 million, whichever is greater, if they fail to put adequate security controls in place, such as those required by PCI DSS.
Recent enforcement action has shown that even high-profile companies that had taken steps to protect data have been subject to substantial fines under this regime.
By working with one of the world’s largest acquirers, you’ll benefit from our leading expertise within the payments industry.
We can support our customers through every stage of the ADC process:
Elavon can help you to secure your payment channels and reduce the risk of an ADC event and the costly aftermath. We can offer you complimentary consultancy with trusted partners and the reassurance you need. For more information speak to your Elavon Relationship Manager or contact the Elavon Account Data Compromise team.