Note: the process outlined on this page is for Barclaycard customers – other acquirers may have different processes and guidance.
If your systems have been compromised, it's important to follow your incident response plan, as well as carry out the following actions:
Once you've informed Barclaycard of the breach, we need to get to the bottom of how and why it happened. We'll work with you to understand your setup at the time of the breach – namely how you took transactions, and how and where cardholder data was stored.
If the evidence shows that your systems were breached, you will need to report any data theft to the police and obtain a crime reference number. After that, we'll work with you to decide how the investigation should proceed, as per the requirements laid down by the card industry. You'll also need to work with a PCI Forensic Investigator (PFI), who will examine your network, hardware and software to confirm the breach is contained and to help you get back to a secure state. Preserve logs and avoid wiping or rebuilding affected systems until the PFI has captured the evidence it needs, as the investigation depends on it.
Investigations can take several months. Barclaycard and the PFI will keep the Card Schemes up to date on the progress of the investigation, and will send a final report to all relevant parties within the card industry.
The Card Schemes will decide whether you should be penalised based on the PFI's final report on the case. If you are penalised, the penalty would be based on the volume of card payments taken during the window of the data breach. All penalties would come through Barclaycard and be passed on to you via your merchant account, as per your Merchant Agreement with us.
If the forensic investigation shows that you weren't PCI DSS compliant at the time of the breach, you'll need to become compliant.
Because your systems have been breached, you'll automatically be treated as a PCI Level 1 merchant – meaning you'll have to meet the most stringent validation requirements. This will involve you paying for a Qualified Security Assessor (QSA) to assess your compliance with the PCI DSS. At the end of the process, the QSA will produce a Report on Compliance (ROC), which will be sent to the Card Schemes.
The PCI Level 1 status will last for 12 months from the date you become PCI DSS compliant. If you remain compliant throughout this period, you will be returned to the PCI level appropriate to your regular trading volume.
Note: If you were breached but are shown to have been compliant with PCI DSS at the time, you won't have to hire a QSA to carry out the assessment.
If a third-party supplier of yours was breached, you can still receive a penalty, and you might be expected to confirm to a QSA that your own internal systems are PCI DSS compliant.
In order to attest their own compliance, all merchants have to ensure that any third-party suppliers handling cardholder data on their behalf are also proven to be compliant with PCI DSS.
To avoid disputes with third parties, make sure you have written agreements in place with your suppliers that set out responsibility for the security of cardholder data, especially in the event of a data breach.