April 3, 2012

VISA CISP: If Compromised

We’ve noticed over the past few months that our security articles are some of our most popular posts. Consider this post a follow-up to last month’s Quick and Dirty IT Security and November’s What to do if You Think You May Have Been Breached. This is a quick list of action items for organizations that have been compromised.
The list is lifted from Visa’s Cardholder Information Security Program (CISP) and can be found (in its entirety) in the “if compromised” subsection.

Here are their tips, paraphrased for length. We encourage you to take time to read the full version on their Web site.

  • Immediately contain and limit the exposure.
    Visa’s first tip is to take immediate action. Do not wait for the breach to grow. PCI requires you to have an Incident Response Plan – put that to work immediately to limit further exposure or potential fraud. (We at Shift4 would also encourage you to follow the security advice found in our What to do if You Think You May Have Been Breached article.)
  • Alert all necessary parties immediately.
    Visa requires merchants to report any suspected or confirmed loss of Visa cardholder data (CHD). Failure to “immediately notify” Visa Fraud Control can bring fines of up to $100,000. You should also contact your IT security team, your incident response team, your bank, and appropriate law enforcement agencies (typically the local office of the Secret Service).
  • Provide all compromised Visa, Interlink, and Plus accounts to your merchant bank within 10 business days.
    Your merchant bank (or Visa’s Fraud Investigations group) will provide you with instructions on how they prefer you send this information in a confidential and secure manner.
  • Within 3 business days of the reported compromise, provide an Incident Report document to your merchant bank.
    This form is available from the CISP Web site.

We hope you never have to use this information, but reviewing it and keeping it accessible is good preparation in case that unfortunate moment ever comes. Those of you who have fully implemented TrueTokenization® can also rest a little easier: tokens are not CHD, so even if your system is compromised you cannot lose any CHD, which means your responsibility to Visa stops at point one. Just one more way Shift4 makes your life easier!