-

How to deal with a data security breach 

 

To speak to a PCI DSS advisor, call:

0844 811 6666 (Monday - Friday 9am - 5pm)

Note: the process outlined on this page is for Barclaycard customers – other acquirers may have different processes and guidance.  

What to do if your systems have been compromised


If you think you’ve been compromised, please contact us on 0844 811 6666 (Monday – Friday, 9am – 5pm) and take the steps set out below. 

If your systems have been compromised, it's important to follow your incident response plan, as well as carrying out the following actions:

  1. Ensure that no-one can access or alter compromised systems

  2. Isolate the compromised systems from your network, and unplug any network cables and/or disable wireless access, without turning the systems off

  3. Keep all logs and other electronic evidence of what’s happened

  4. Back up your systems to preserve their current state, which will help with any investigations

  5. Take note of all the actions you take in the process

  6. Make sure you get advice from us before you process any more transactions

What happens next?

Once you’ve informed Barclaycard of the breach, we need to get to the bottom of how and why it happened. We'll work with you to understand your setup at the time of the breach – namely how you took transactions, and how and where your data is stored.

If the evidence shows that your systems were breached, you will need to report any data theft to the police, and obtain a crime reference number. After that, we’ll work with you to decide how the investigation should go ahead, as per the requirements laid down by the card industry. You’ll also need to work with a PCI Forensic Investigator (PFI) who will examine your network, hardware and software to ensure any breach is contained, as well as helping you get back to a secure state.

Investigations can take several months. Barclaycard and the PFI will keep the Card Schemes up to date on the progress of the investigation, and will send a final report to all relevant parties within the card industry.

The Card Schemes will decide if you should be penalised based on the PFI’s final report on the case. If you are penalised, the penalty would be based on the volume of card payments taken during the window of the data breach. All penalties would come through Barclaycard, and be passed on to you via your merchant account, as per your Merchant Agreement with us. 

Complying with the PCI DSS again

If the forensics investigation proves that you weren’t PCI DSS compliant, you’ll need to ensure you become compliant.

Because your systems have been breached, you’ll automatically be declared as a PCI Level 1 merchant – meaning you’ll have to comply with the most stringent criteria. This will involve you paying for a Qualified Security Assessor (QSA) to ensure you’re compliant with the PCI DSS. At the end of the process, the QSA will produce a Report of Compliance, which will be sent to the Card Schemes.

The PCI Level 1 status will last for 12 months from the date you become PCI DSS compliant. If you remain compliant after this period, you will be brought back down to the PCI level appropriate to your regular trading practice.

Note: If you were breached, but proved to be compliant with PCI DSS, then you won’t have to hire a QSA to help with the assessment.

What if one of my suppliers was breached?

If your third party supplier was breached, you can still receive a penalty, and might be expected to confirm to a QSA that your internal systems are PCI DSS compliant.

In order to attest their own compliance, all merchants have to ensure that any third party suppliers handling cardholder data are also proven to be compliant with PCI DSS.

To prevent messy scenarios with third parties, make sure you have written agreements in place with your suppliers which cover responsibility around the security of cardholder data, especially in the event of a data breach.

What are the potential consequences of a data breach?

  1. Cost of engaging with a PCI Forensic Investigation Company to investigate and contain the breach.

  2. Cost of penalties associated with the data breach.

  3. Cost of engaging with a Qualified Security Assessor to confirm PCI DSS compliance going forward.

  4. Cost of penalties associated with not meeting compliance requirements.

  5. Cost to the business to meet the breach and compliance requirements.

  6. Reputational damage.


For more information around PCI DSS, please visit the official PCI SSC website.