If you do suffer the unfortunate effects of a compromise, it's important to have a response plan specific to your business. If you suspect or experience a compromise, contact us immediately on 0800 161 5350 and take the following steps:
If you experience a data breach we'll work with you to understand your flow of transactions, how and where your data is stored and identify any weak points in your transaction processes.
Based on the level of compromise, we’ll work with you to decide how the investigation should proceed and whether it requires the involvement of a PCI Forensic Investigator (PFI) to examine your network hardware and software. This can take a number of months and could involve a substantial cost to your business.
You’ll also need to report the theft to the police and obtain a crime reference. We’ll keep an open dialogue with the Card Schemes throughout the process and keep them up to date with how the investigation is going.
Once the Card Schemes reviewed the forensic findings, they will decide if fines are required. These will be passed on to you as per your Merchant Agreement. It’s also important to make sure that the agreements you have with your Service Providers include the provision for compensation should they be identified as the point of compromise.
You may also be faced with penalties even when no breach has occurred. Non-compliance fines can be levied for the failure to undertake due diligence to ensure your Third Parties/Service Providers/Merchant Agents are and remain compliant with the PCI DSS.
Businesses that are compromised have their PCI status set to Level 1 for 12 months from the date they become PCI DSS compliant. This means having to pay for the services of a Qualified Security Assessor (QSA) to complete the final Self Assessment Questionnaire (SAQ) or full Report on Compliance.
If a business is found to be storing any sensitive authentication data post-authentication, they must remove it within 30 days of the date the investigation begins otherwise they will remain non compliant. They must then change their processes and systems to eliminate any post-authorisation storage in the future.
If you find yourself in this situation, you then have up to a further 60 days to demonstrate that: