How to Manage a Credit Card Data Breach

We all hope it will never happen to us. A breach of the data security system of any company that stores payment card account data can be an enormously damaging event. Most of the damage is done to the company’s reputation, as consumers are protected against fraud and at most can suffer from the inconvenience of having to get their account information updated and their cards re-issued. Still, no one enjoys having their privacy violated.

Data Breaches Do Happen

Yet, as recent events with Sony PlayStation’s data breach remind us, our efforts to keep sensitive card account information from falling into the wrong hands are unfortunately not always successful. Of course there are those who are now pointing to a laundry list of lapses in Sony’s data security system, but then hindsight vision is always 20 / 20.

The point is that there are plenty of things that can go wrong and plenty of hackers out there that are working hard to identify these week spots and exploit them. Sometimes the bad guys are successful.

I am not saying that we should simply accept data breaches as part of life. On the contrary, there are a number of security measures that can and should be taken and we have written about many of them in previous posts. Moreover, compliance with PCI DSS requirements is mandatory and can go a long way towards securing your customers’ data.

What I am saying is that we should be prepared to handle the aftermath of a data breach, in case it happens, because history teaches us that no security system is impenetrable and the hackers sometimes gain the upper hand.

What to Do if Your Data Security Is Breached

You need to develop and implement a system that will enable you to detect suspected data breaches and respond quickly to limit the damage in case data are indeed compromised. If you suspect or have confirmed that your data security system was breached, you need to take the following actions:

• Contain and limit exposure. To prevent any further loss of data, immediately investigate the event within 24 hours of the suspected or confirmed compromise. In particular:
  • Do not access the systems that were compromised and do not change any log-in details.
  • Do not turn off the compromised system, but unplug the cables that connect it to the rest of your company’s network.
  • Attempt to save the logs and all other information that can be used in the course of your investigation.
  • Document all actions that you have taken.
  • If using a wireless network, change its access code and name on the access point. Update all systems accordingly, except the compromised one(s).
• Contact all affected parties. All parties that could be affected by the data breach should be immediately contacted and alerted of the security breach. In particular, contact:
  • Your internal security group, if applicable.
  • Your company’s legal department.
  • Your payment processing provider.
  • The local authorities and the FBI.

Your processor will alert Visa, MasterCard and the credit card companies and they will contact you to assist in your investigation. Each affected credit card company or association may send a team on-site to try to identify the security deficiencies that led to the breach and determine what needs to be done to prevent such events from occurring in the future.

You will need to identify all compromised card account numbers and distribute them to the respective credit card companies and associations and there is a procedure that you will need to follow to do that. These numbers will then be sent to the cards’ issuers for replacement.

Image credit: Cablenoticias10.blogspot.com.