Liaison

Data Breach Incident Response Plan

Overview

Liaison maintains an Incident Response Plan that provides a well-defined, organized approach for handling any potential threat to the organization's computer systems and data, and that also details the action to be taken when the source of an intrusion or incident at a third party is traced back to the organization. The plan identifies and describes the roles and responsibilities of the Incident Response Team, which is responsible for putting the plan into action.

Incident Response Team

Liaison’s Incident Response Team is established to provide a quick, effective, and orderly response to computer-related incidents such as virus infections, hacker attempts and break-ins, improper disclosure of confidential information to others, system service interruptions, breach of personal information, and other events with serious information security implications. The Liaison Incident Response Team’s mission is to prevent a serious loss of profits, public confidence, or information assets by providing an immediate, effective, and skillful response to any unexpected event involving computer information systems, networks, or databases.

The Liaison Incident Response Team is authorized to take appropriate steps deemed necessary to contain, mitigate, or resolve a computer security incident. The Team is responsible for investigating suspected intrusion attempts or other security incidents in a timely, cost-effective manner and reporting findings to management and the appropriate authorities, as necessary; the Director of Information Security will coordinate these investigations.

The Incident Response Team will subscribe to various security industry alert services to keep abreast of relevant threats, vulnerabilities, and alerts from actual incidents.

Incident Response Team Members

Each of the following areas will have a primary and alternate member:

  • Information Security Office (ISO)
  • Information Technology Operations Center (ITOC)
  • Network Architecture
  • Operating System Architecture
  • Business Applications
  • Internal Auditing and Compliance

Incident Response Team Roles and Responsibilities


Information Security Office
  • Determines the nature and scope of the incident
  • Contacts qualified information security specialists for advice, as needed
  • Contacts members of the Incident Response Team, as needed
  • Determines which Incident Response Team members play an active role in an investigation
  • Provides proper training on incident handling
  • Escalates to executive management, as appropriate
  • Contacts auxiliary departments, as appropriate
  • Monitors progress of an investigation
  • Ensures proper evidence gathering, chain of custody, and preservation practices are in place
  • Prepares a written summary of an incident which includes the resulting corrective action taken
Information Technology Operations Center
  • Serves as central point of contact for all computer incidents
  • Notifies Chief Technology Officer when it is time to activate the incident response team
  • Coordinates activities with the Information Security Office, as needed
  • Documents the types of personal information that may have been breached
  • Provides guidance throughout an investigation on issues relating to privacy of customer and employee personal information
  • Assists in developing appropriate communications to impacted parties
  • Assesses the need to change privacy policies, procedures, and/or practices because of a breach
Network Architecture
  • Analyzes network traffic for signs of denial of service, distributed denial of service, or other external attacks
  • Runs tracing tools such as sniffers, Transmission Control Protocol (TCP) port monitors, and event loggers
  • Monitors for signs of a firewall breach
  • Contacts external Internet service provider for assistance in handling an incident
  • Takes necessary action to block traffic from a suspected intruder
Operating Systems Architecture
  • Ensures all service packs and patches are current on mission-critical computers
  • Ensures backups are in place for all critical systems
  • Examines system logs of critical systems for unusual activity
Business Applications
  • Monitors business applications and services for signs of attack
  • Reviews audit logs of mission-critical servers for signs of suspicious activity
  • Contacts the Information Technology Operations Center with any information relating to a suspected breach
  • Collects pertinent information regarding the incident at the request of the Director of Information Security
Internal Auditing and Compliance
  • Reviews systems to ensure compliance with information security policies and controls
  • Performs appropriate audit test work to ensure mission-critical systems are current with service packs and patches
  • Reports any system control gaps to management for corrective action

Incident Response Team Notification

The Information Technology Operations Center (ITOC) will be the central point of contact for reporting computer incidents or intrusions to the Director of Information Security.

All computer security incidents must be reported to the Director of Information Security. The Information Security Manager (ISM) will perform a preliminary analysis of the incident and determine whether the Incident Response Team should be activated.

Incident Types

There are many types of computer incidents that may require Incident Response Team activation. Some examples include:

  • Breach of Personal Information
  • Denial of Service/Distributed Denial of Service
  • Excessive Port Scans
  • Firewall Breach
  • Virus Outbreak

Personal Information 

Personal information is information that is, or can be, about or related to an identifiable individual. Most information an organization collects about an individual is likely to be considered personal information if it can be linked to an individual or used to directly or indirectly identify an individual.

For our purposes, personal information is defined as an individual’s first name (or first initial) and last name used in combination with any of the following data:

  • Social Security Number
  • Driver’s license number or Identification Card number
  • Financial account number, credit or debit card number, together with any personal identification number, access code, security code, or password that would permit access to an individual's financial account
  • Home address or e-mail address

Breach of Personal Information: Overview

This Incident Response Plan outlines the steps our organization will take upon discovery of unauthorized access to an individual’s personal information which could result in harm or inconvenience to the individual (e.g., fraud or identity theft). The individual can be either a customer or employee of our organization.

In addition to the internal notification and reporting procedures outlined below, credit card companies require us to immediately report a security breach and the suspected or confirmed loss or theft of any material or records that contain cardholder data. These specific steps and actions are outlined in Appendix A. Additionally, certain laws and regulations require us to follow specified procedures in the event of a breach of personal information. More information is provided in Appendix B.

Security Breach

A security breach is defined as unauthorized acquisition of data that compromises the security, confidentiality, or integrity of personal information maintained by Liaison. Good faith acquisition of personal information by an employee or agent of our company for business purposes is not a breach, provided that the personal information is not used or subject to further unauthorized disclosure.

Requirements

Data Owner Responsibilities

Data owners responsible for personal information play an active role in the discovery and reporting of any breach or suspected breach of an individual's personal information. In addition, they serve as the liaison between the company and any third party associated with a privacy breach affecting the organization's data.

Data owners must identify and document all systems and processes that store or use an individual's personal information. Documentation must contain the system name, device name (e.g., workstation or server), file name, location, database administrator, and system administrator (including a primary and secondary contact for both the database administrator and the system administrator). The business area and the IT development group must maintain the contact list of database and system administrators.

Data owners must also identify and document all authorized users who access or utilize an individual’s personal information. Documentation must contain the user name, department, device name, file name, location, and system administrator (this must include a primary and secondary contact for the system administrator).

All data owners must report any suspected or confirmed breach of an individual’s personal information to the ISM immediately upon discovery. This includes notification received from any third-party service providers or other business partners with whom the organization shares personal information on individuals. The ISM will notify the CTO and data owners whenever a breach or suspected breach of an individual’s personal information affects their business area.

Note: For ease of reporting, and to ensure a timely response 24 hours a day, seven days a week, the Information Technology Operations Center will act as a central point of contact for reaching the CTO and CFO.

The ISM will determine whether the breach or suspected breach is serious enough to warrant full incident response plan activation (See “Incident Response” section.) The data owner will assist in acquiring information, preserving evidence, and providing additional resources as deemed necessary by the CTO, CFO and Legal or other Incident Response Team members throughout the investigation.

Location Manager Responsibilities

Location managers are responsible for ensuring all employees in their unit are aware of policies and procedures for protecting personal information.

If a breach or suspected breach of personal information occurs in their location, the location manager must notify the Information Technology Operations Center immediately and open an incident report. (See “Incident Response” Section, Information Technology Operations Center).

Note: Education and awareness communication will be directed to all employees informing them of the proper procedures for reporting a suspected breach of personal information on an individual.

When Notification is Required

The following incidents may require notification to individuals under contractual commitments or applicable laws and regulations:

  • A user (employee, contractor, or third-party provider) has obtained unauthorized access to personal information maintained in either paper or electronic form.
  • An intruder has broken into database(s) that contain personal information on an individual.
  • Computer equipment such as a workstation, laptop, CD-ROM, or other electronic media containing personal information on an individual has been lost or stolen.
  • A department or unit has not properly disposed of records containing personal information on an individual.
  • A third-party service provider has experienced any of the incidents above, affecting the organization’s data containing personal information.

The following incidents may not require individual notification under contractual commitments or applicable laws and regulations providing the organization can reasonably conclude after investigation that misuse of the information is unlikely to occur, and appropriate steps are taken to safeguard the interests of affected individuals:

  • The organization can retrieve personal information on an individual that was stolen, and based on our investigation, reasonably concludes that retrieval took place before the information was copied, misused, or transferred to another person who could misuse it.
  • The organization determines that an individual’s personal information was improperly disposed of, but can establish that the information was not retrieved or used before it was properly destroyed.
  • An intruder accessed files that contain only individuals’ names and addresses.
  • A laptop computer was lost or stolen, but the data is encrypted and may only be accessed with a secure token or similar access device, and the organization can establish that the decryption key, token, or password was not lost or compromised along with the device.

Breach of Personal Information: Incident Response

Incident Response Team members must keep accurate notes of all actions taken, by whom, and the exact time and date. Each person involved in the investigation must record his or her own actions.

Information Technology Operations Center (ITOC)

The ITOC will serve as a central point of contact for reporting any suspected or confirmed breach of an individual’s personal information. 

The ITOC is responsible for performing the following actions.

  1. After documenting the facts presented by the reporter and verifying that a privacy breach or suspected privacy breach occurred, the ITOC will open a Priority Incident Request. This will begin an escalation process to immediately notify the Chief Information Security Officer.
  2. The ITOC will notify the primary and secondary Information Security Office contacts. The ITOC will advise that a breach or suspected breach of an individual’s personal information occurred. After the Information Security Office analyzes the facts and confirms that the incident warrants incident response team activation, the Incident Request will be updated to indicate “Incident Response Team Activation – Critical Security Problem.”

Information Security Manager (ISM)

The ISM is responsible for performing the following actions.

  1. Once notified by the ITOC, performs a preliminary analysis to determine the nature and scope of the incident.
  2. Informs the Legal Department and the CTO that a possible privacy breach has been reported and provides them an overview of the situation.
  3. Contacts the individual who reported the problem.
  4. Identifies the systems and type(s) of information affected and determines whether the incident could be a breach, or suspected breach of an individual’s personal information. Every breach may not require participation of all Incident Response Team members (e.g., if the breach was a result of hard copy disposal or theft, the investigation may not require the involvement of system administrators, the firewall administrator, and other technical support staff).
  5. Reviews the preliminary details with the Legal Department and the CTO.
  6. Activates the Incident Response Team if warranted once a privacy breach affecting personal information is confirmed. Contacts the ITOC and advises them to update the Incident Request with "Incident Response Team Activation – Critical Security Problem."
  7. Notifies the Public Relations Department of the details of the investigation and breach. Keeps them updated on key findings as the investigation proceeds.
  8. Documents all details of the incident on behalf of the Information Security Office and facilitates communication to executive management and other auxiliary members as needed.
  9. Contacts all appropriate database and system administrators to assist in the investigation effort. Directs and coordinates all activities involved with Incident Response Team members in determining the details of the breach.
  10. Contacts appropriate Incident Response Team members.
  11. Identifies and contacts the appropriate Data Owner affected by the breach. In coordination with the Legal Department, Information Privacy Office, and Data Owner, determines additional notification requirements (e.g., Human Resources, external parties).
  12. If the breach occurred at a third-party location, determines if a legal contract exists. Works with the Legal Department, Information Privacy Office, and Data Owner to review contract terms and determine next course of action.
  13. Works with the appropriate parties to determine the extent of the potential breach. Identifies the data stored and compromised on all test, development, and production systems and the number of individuals at risk.
  14. Determines the type of personal information that is at risk, including but not limited to:
    • Name, address, Social Security Number, account number, cardholder name, cardholder address, medical and health information
  15. If personal information is involved, requests that the Data Owner determine who might be affected. Coordinates next steps with the Legal Department and Public Relations (e.g., individual notification procedures).
  16. Determines whether an intruder has exported, altered, or deleted any personal information.
  17. Determines where and how the breach occurred.
    • Identify the source of compromise and the timeframe involved.
    • Review the network to identify all compromised or affected systems. Consider e-commerce third-party connections, the internal corporate network, test and production environments, virtual private networks, and modem connections. Look at appropriate system and audit logs for each type of system affected.
    • Document all Internet Protocol (IP) addresses, operating systems, Domain Name System (DNS) names, and other pertinent system information.
  18. Takes measures to contain and control the incident to prevent further unauthorized access to or use of personal information on individuals, including shutting down particular applications or third-party connections, reconfiguring firewalls, changing computer access codes, and modifying physical access controls.
    • Change all applicable passwords for IDs that have access to personal information, including system processes and authorized users. Make these changes from a trusted system (e.g., through the directory or database administration console), not by logging on to the compromised host. If it is determined that an authorized user's account was compromised and used by the intruder, disable the account.
    • Do not access or alter the compromised system; its state is evidence.
    • Do not turn off the compromised machine. Isolate the system from the network (e.g., unplug the network cable or disable the switch port).
    • Change the wireless network Service Set Identifier (SSID) on the access point (AP) and other authorized devices that may be using the corporate wireless network.
  19. Monitors systems and the network for signs of continued intruder access.
  20. Preserves all system and audit logs and evidence for law enforcement and potential criminal investigations. Ensures that the format and platform used is suitable for review and analysis by a court of law if needed. Documents all actions taken, by whom, and the exact time and date. Each employee involved in the investigation must record his or her own actions. Records all forensic tools used in the investigation. Note: Visa has specific procedures that must be followed for evidence preservation.
  21. Notifies the CTO in coordination with the Legal Department as appropriate. Provides a summary of confirmed findings and of the steps taken to mitigate the situation.
  22. If credit cardholder data is involved, follows additional steps outlined under Appendix A. Bankcard companies, specifically Visa and MasterCard, have detailed requirements for reporting security incidents and the suspected or confirmed compromise of cardholder data. Reporting is typically required within 24 hours of compromise.
  23. If an internal user (authorized or unauthorized employee, contractor, consultant, etc.) was responsible for the breach, contacts the appropriate Human Resource Manager for disciplinary action and possible termination. In the case of contractors, temporaries, or other third-party personnel, ensures discontinuance of the user's service agreement with the company.
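Step 20 above and the Information Security Office duty to ensure chain of custody require that preserved logs be hashed at collection time and that every later handling action be recorded with who, what, when, and which tool. The following is an added example written for this page, not Liaison's own tooling: it builds an evidence manifest of SHA-256 hashes and a hash-chained custody log, so that a court or a card-brand forensics firm can later confirm that neither the evidence nor the custody record was altered. The evidence file names, their contents, and the investigator names are constructed for the example.

```python
"""Evidence manifest with SHA-256 hashes and a hash-chained chain-of-custody log.

Added example for this page (not Liaison's tooling). The evidence items below
are constructed; in practice they are copies of preserved logs, never the
originals still sitting on the compromised host.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed evidence copies: name -> bytes (assumed content, not real records).
EVIDENCE = {
    "db01/auth.log": (
        b"2024-03-04T02:01:15Z jdoe LOGIN FAIL\n"
        b"2024-03-04T02:02:05Z jdoe LOGIN SUCCESS\n"
    ),
    "fw01/firewall.log": b"2024-03-04T02:00:58Z ACCEPT 203.0.113.7 -> 10.0.0.12:1433\n",
}


def sha256_hex(data):
    """Hex SHA-256 of a byte string; the one hash used throughout the manifest."""
    return hashlib.sha256(data).hexdigest()


def _items_anchor(manifest):
    """Hash of the item table: the first custody entry commits to it, so editing a
    recorded file hash later breaks the chain as well."""
    return sha256_hex(json.dumps(manifest["items"], sort_keys=True).encode())


def record_action(manifest, who, action, tool, when=None):
    """Append a custody entry. Each entry carries the hash of the previous entry
    (or of the item table for the first one), so insertions, deletions, or edits
    anywhere in the log are detectable by verify_chain()."""
    prev = manifest["custody"][-1]["entry_hash"] if manifest["custody"] else _items_anchor(manifest)
    when = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
    entry = {"when": when, "who": who, "action": action, "tool": tool, "prev_hash": prev}
    entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    manifest["custody"].append(entry)
    return entry


def build_manifest(evidence, collector, tool):
    """Hash every preserved item once, at collection time, and open the custody log."""
    manifest = {
        "items": {name: {"sha256": sha256_hex(data), "size": len(data)} for name, data in evidence.items()},
        "custody": [],
    }
    record_action(manifest, collector, "collected", tool)
    return manifest


def verify_items(manifest, evidence):
    """Names whose current content is missing or no longer matches the recorded hash."""
    bad = []
    for name, rec in manifest["items"].items():
        data = evidence.get(name)
        if data is None or sha256_hex(data) != rec["sha256"]:
            bad.append(name)
    return sorted(bad)


def verify_chain(manifest):
    """True only if every custody entry links to its predecessor and hashes to its own entry_hash."""
    prev = _items_anchor(manifest)
    for entry in manifest["custody"]:
        if entry["prev_hash"] != prev:
            return False
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


if __name__ == "__main__":
    m = build_manifest(EVIDENCE, "ism", "sha256sum (coreutils)")
    record_action(m, "legal", "transferred to outside forensics firm", "sealed USB drive")
    print(json.dumps(m, indent=2))
    print("items intact:", verify_items(m, EVIDENCE) == [], "chain intact:", verify_chain(m))
```

The manifest itself should be stored apart from the evidence copies (and ideally printed and signed), since a hash chain only proves internal consistency; it does not by itself prove who held the log.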

Customer Database Owners 

Each Customer Database Owner is responsible for performing the following steps.

Notification Steps
  1. If the IT Customer Database group or a Data Owner hears of or identifies a privacy breach, contact the ITOC to ensure that the Director of Information Security and other primary contacts are notified.
  2. The IT Customer Database group and the Data Owner assist the Director of Information Security as needed in the investigation.
  3. The IT Customer Database contact notifies the IT Contractor Liaison, if needed.
Process Steps
  1. Monitor access to customer database files to identify and alert on any attempts to gain unauthorized access. Review appropriate system and audit logs for access failures prior to or immediately following the suspected breach. Other log data should show who touched what file and when. If applicable, review security logs on any non-host device involved (e.g., the user's workstation).
  2. Identify individuals whose information may have been compromised. An assumption could be “all” if an entire table or file was compromised.
  3. Secure all files and/or tables that have been the subject of unauthorized access or use to prevent further access.
  4. Upon request from the CTO, provide a list of affected individuals, including all available contact information (i.e., address, telephone number, email address, etc.).
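The process steps above ask the database owner to review audit logs for access failures around the suspected breach time, establish who touched which file and when, and decide whether to assume that all individuals in a table are affected. The following is an added example written for this page, not Liaison's own tooling, showing that triage over a small constructed audit log; the pipe-delimited log format, the user and object names, and the suspected breach time are all assumptions for the example.

```python
"""Triage of customer-database audit logs around a suspected breach.

Added example for this page (not Liaison's tooling). The log format
(timestamp|user|action|object|result) and every line below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log, UTC timestamps, oldest first.
SAMPLE_LOG = """\
2024-03-04T01:58:10Z|svc_report|READ|customers.pii|SUCCESS
2024-03-04T02:01:15Z|jdoe|LOGIN|db01|FAIL
2024-03-04T02:01:40Z|jdoe|LOGIN|db01|FAIL
2024-03-04T02:02:05Z|jdoe|LOGIN|db01|SUCCESS
2024-03-04T02:03:30Z|jdoe|EXPORT|customers.pii|SUCCESS
2024-03-04T02:10:00Z|jdoe|READ|orders|SUCCESS
2024-03-04T05:30:00Z|asmith|LOGIN|db01|FAIL
2024-03-04T09:00:00Z|asmith|READ|customers.pii|SUCCESS
"""

# Objects the data owner has documented as holding personal information (assumed).
PII_OBJECTS = {"customers.pii"}


def parse_ts(text):
    """Parse the ISO-8601 UTC timestamps used in the sample log."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


# Time the breach was reported to the ITOC (assumed for the example).
SUSPECTED_AT = parse_ts("2024-03-04T02:05:00Z")


def parse_log(text):
    """Parse pipe-delimited lines into event dicts, sorted by time; skips blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, obj, result = line.split("|")
        events.append({"ts": parse_ts(ts), "user": user, "action": action,
                       "object": obj, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def failures_near(events, suspected_at, before=timedelta(hours=1), after=timedelta(hours=1)):
    """Access failures in the window just before and just after the suspected breach."""
    lo, hi = suspected_at - before, suspected_at + after
    return [e for e in events if e["result"] == "FAIL" and lo <= e["ts"] <= hi]


def who_touched(events, obj):
    """(time, user, action) for every successful action against a file or table."""
    return [(e["ts"], e["user"], e["action"])
            for e in events if e["object"] == obj and e["result"] == "SUCCESS"]


def suspicious_users(events, suspected_at, window=timedelta(hours=1)):
    """Users whose failed attempts inside the window were followed by a successful
    action against a PII object: the pattern worth escalating to the ISM."""
    fails_by_user = defaultdict(list)
    for e in failures_near(events, suspected_at, window, window):
        fails_by_user[e["user"]].append(e["ts"])
    flagged = set()
    for e in events:
        if e["object"] in PII_OBJECTS and e["result"] == "SUCCESS":
            if any(t < e["ts"] for t in fails_by_user.get(e["user"], [])):
                flagged.add(e["user"])
    return sorted(flagged)


def affected_scope(events, obj):
    """Process step 2: assume every individual is affected if the whole table or
    file was exported; otherwise a row-level review is needed."""
    whole = any(e["object"] == obj and e["action"] == "EXPORT" and e["result"] == "SUCCESS"
                for e in events)
    return "all" if whole else "row-level review required"


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("failures near breach:", [(e["ts"], e["user"]) for e in failures_near(evs, SUSPECTED_AT)])
    print("touched customers.pii:", who_touched(evs, "customers.pii"))
    print("escalate:", suspicious_users(evs, SUSPECTED_AT))
    print("scope:", affected_scope(evs, "customers.pii"))
```

On the sample data the two failed logins by jdoe followed by an EXPORT of customers.pii are flagged, while asmith's single failure hours later falls outside the window and is not. The window and the PII object list are the two inputs a data owner would tune from the documentation required under Data Owner Responsibilities.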

Credit Payment System Administrators

  1. If notified of a privacy breach by a business area directly, open an incident request with the ITOC to activate the incident response plan.
  2. When notified by the Information Security Office that the privacy breach Incident Response Plan has been activated, perform a preliminary analysis of the facts and assess the situation to determine the nature of incident.
    • Determine the type of personal information breached.
      • Current credit card customers
      • New credit card applications
      • Personal check authorizations
    • Determine data sources and method of breach (e.g., hardcopy, electronic)
    • Determine method of breach if possible.
    • Identify additional resources needed to complete investigation
  3. Determine the scope of the breach.
    • Time Frame
    • Specific Data Elements
    • Specific Customers
  4. Take necessary steps to prevent any additional compromise of personal information.
  5. Report all findings to the Incident Response Plan Team.
  6. Within 24 hours of notification of an account number compromise, contact the appropriate card companies:
    • Visa Fraud Control Group
    • MasterCard Compromised Account Team
    • Discover Fraud Prevention
    • American Express Merchant Services
  7. Act as liaison between the card companies, ISM, and Legal.
  8. Ensure credit card companies’ specific requirements for reporting suspected or confirmed breaches of cardholder data are followed. For detailed requirements, see Appendix A.

Legal Department

The Legal Department is responsible for performing the following actions.

Ongoing
  • Monitor relevant privacy-related legislation, provide input as appropriate, and communicate to our clients how any enacted legislation may impact them.
  • Be cognizant of major contracts which the organization enters that may impact our customers, employees, and other data.
  • Be aware of other companies’ privacy policies that may affect our organization and affiliates.
When a Privacy Breach occurs
  1. After confirmation that a breach of personal information on individuals has occurred, notify the Chief Legal Counsel.
  2. Coordinate activities between business area and other departments (e.g., Human Resources, if necessary).
  3. If necessary, notify the appropriate authorities (e.g., the Federal Trade Commission (FTC)).
  4. Coordinate with Public Relations on the timing and content of notification to individuals.
  5. If the Information Security Office determines that the breach warrants law enforcement involvement, any notification to individuals may be delayed if law enforcement determines the notification will impede a criminal investigation. Notification will take place once law enforcement determines it will not compromise the investigation.
  6. Notification to individuals may be delayed until the CTO is assured that necessary measures have been taken to determine the scope of the breach.
  7. Follow approved procedures for any notice of unauthorized access to personal information about individuals.
  8. Notification to individuals should be timely, conspicuous, and delivered in any manner that will ensure the individual receives it. Notice should be consistent with laws and regulations the organization is subject to. Appropriate delivery methods include:
    • Written notice
    • Email notice

Items to consider including in notification to individuals:

  • A general description of the incident and information to assist individuals in mitigating potential harm, including a customer service number, steps to obtain and review credit reports and file fraud alerts with nationwide credit reporting agencies, and information about protecting against identity theft.
  • Remind individuals of the need to remain vigilant over the next 12 to 24 months and to promptly report incidents of suspected identity theft.
  • Inform each individual about the availability of the Federal Trade Commission’s (FTC’s) online guidance regarding measures to protect against identity theft, and encourage the individual to report any suspected incidents of identity theft to the FTC. Provide the FTC’s website and telephone number for the purposes of obtaining the guidance and reporting suspected incidents of identity theft. At the time of this document’s publication, the website address is http://www.ftc.gov/idtheft. The toll-free identity theft hotline number is 1-877-IDTHEFT.

Human Resources

The Human Resources department is responsible for the following actions.

  1. Once notified of a privacy breach affecting employee personal information, open an incident request with the ITOC to activate the Incident Response Plan for a suspected privacy breach.
  2. When notified by the Information Security Office that the privacy breach incident response plan has been activated for a breach of information on an individual, perform a preliminary analysis of the facts and assess the situation to determine the nature of the incident.
  3. Work with the Director of Information Security, CTO, CFO, and business area to identify the extent of the breach.
  4. If appropriate, notify the organizational unit/department that a breach has been reported and is under investigation.
  5. Work with the business area to ensure there is no further exposure to privacy breaches.
  6. Work with the Director of Information Security, CTO, and Legal Department to determine if the incident warrants further action.

Network Architecture

The Network Architecture department is responsible for the following actions.

  1. Once notified by the Director of Information Security that the privacy breach Incident Response Plan is activated, provide assistance as determined by the details of the potential breach.
  2. Review firewall logs for correlating evidence of unauthorized access.
  3. Implement firewall rules as needed to close any exposures identified during the investigation.

Public Relations

The Public Relations department is responsible for the following actions.

  1. Monitor other companies’ consumer privacy breaches, responses, and practices.
  2. Maintain up-to-date generic/situational talking points.
When A Privacy Breach Occurs
  1. After confirming that a breach of personal information about individuals has occurred, notify the Director of Marketing.
  2. Coordinate with the CFO and Legal department on the timing, content, and method of notification. Prepare and issue press release or statement, if needed. Communication methods include:
    • News wire services
    • Main web site – Posted statement on home page or other conspicuous location.
    • Internal Website – If appropriate for breach of employee information
    • E-mail partners, as needed
    • News conference – If privacy breach should reach a national and/or crisis level, coordinate brief news conference at headquarters or appropriate location.
      • Appoint appropriate spokesperson.
      • Prepare statement and, if necessary, potential Q & A.
      • Coach spokesperson on statement and potential Q & A.
      • Invite select media to attend and cover organization’s proactive message.
      • Use conference as a platform for communicating who the breach involves, what the organization is doing to correct breach, how it happened, and the organization’s apology and reassurance of its privacy policies.
  3. Prepare appropriate response to media, customers, and/or employees that are approved by the CPO and Legal Department prior to distribution.
  4. Proactively respond to media inquiries, if necessary.
  5. Monitor media coverage and circulate accordingly.

Location Manager

The Location Manager is responsible for the following actions.

  1. Once notified of a privacy breach, contact the ITOC to ensure that the ISM and other primary contacts are notified.
  2. Secure the breached information area (e.g., computer room, data center, records room).
  3. Assist the ISM in the investigation, as needed.
  4. Update the ISM on appropriate investigation information gathered.

Appendix A

Specific requirements for reporting suspected or confirmed breaches of cardholder data.  

MasterCard Specific Steps

  1. Within 24 hours of an account compromise event, notify the MasterCard Compromised Account Team via phone at 1-636-722-4100.
  2. Provide a detailed written statement of fact about the account compromise (including the contributing circumstances) via secure e-mail to compromised_account_team@mastercard.com.
  3. Provide the MasterCard Merchant Fraud Control Department with the complete list of all known compromised account numbers.
  4. Within 72 hours of knowledge of a suspected account compromise, engage the services of a data security firm acceptable to MasterCard to assess the vulnerability of the compromised data and related systems (such as a detailed forensics evaluation).
  5. Provide weekly written status reports to MasterCard, addressing open questions and issues, until the audit is complete to the satisfaction of MasterCard.
  6. Promptly furnish updated lists of potential or known compromised account numbers, additional documentation, and other information that MasterCard may request.
  7. Provide findings of all audits and investigations to the MasterCard Merchant Fraud Control department within the required time frame and continue to address any outstanding exposures or recommendations until resolved to the satisfaction of MasterCard.

Once MasterCard obtains the details of the account data compromise and the list of compromised account numbers, MasterCard will:

  1. Identify the issuers of the accounts that were suspected to have been compromised and group all known accounts under the respective parent member IDs
  2. Distribute the account number data to its respective issuers.
Visa U.S.A. Specific Steps 

(Excerpted from Visa U.S.A. Cardholder Information Security Program (CISP), What To Do If Compromised, 3/8/2004)

Refer to documentation online at http://www.usa.visa.com/media/business/cisp/What_To_Do_If_Compromised.pdf

In the event of a security breach, the Visa U.S.A. Operating Regulations require entities to immediately report the breach and the suspected or confirmed loss or theft of any material or records that contain cardholder data. Entities must demonstrate the ability to prevent future loss or theft of account information, consistent with the requirements of the Visa U.S.A. Cardholder Information Security Program. If Visa U.S.A. determines that an entity has been deficient or negligent in securely maintaining account information or reporting or investigating the loss of this information, Visa U.S.A. may require immediate corrective action. [1]

If a merchant, or its agent does not comply with the security requirements or fails to rectify a security issue, Visa may:

  • Fine the Member Bank
  • Impose restrictions on the merchant or its agent, or
  • Permanently prohibit the merchant or its agent from participating in Visa programs.[2]

Visa has provided the following step-by-step guidelines to assist an entity in the event of a compromise. In addition to the following, Visa may require additional investigation. This includes, but is not limited to, providing access to premises and all pertinent records.[3]

  • [1] Visa U.S.A. November 2003 Operating Regulations 2.3.F.5
  • [2] Visa U.S.A. November 2003 Operating Regulations 2.3.F.7
  • [3] Visa U.S.A. November 2003 Operating Regulations 2.3.F.3, 2.3.F.4, 2.3.F.5, 2.3.F.6

Steps and Requirements for Compromised Entities
  1. Immediately contain and limit the exposure.
    • To prevent further loss of data, conduct a thorough investigation of the suspected or confirmed loss or theft of account information within 24 hours of the compromise. To facilitate the investigation:
      • Do not access or alter compromised systems (i.e., do not log on to the machine and change passwords, do not log in as ROOT).*
      • Do not turn the compromised machine off. Instead, isolate compromised systems from the network (i.e., unplug cable).
      • Preserve logs and electronic evidence.
      • Log all actions taken.
      • If using a wireless network, change the Service Set Identifier (SSID) on the access point and other machines that may be using this connection (with the exception of any systems believed to be compromised).
      • Be on HIGH alert and monitor all Visa systems.
  2. Alert all necessary parties, including:
    • Internal information security group and Incident Response Team, if applicable
    • Legal department
    • Merchant bank
    • Visa Fraud Control Group at (650) 432-2978
    • Local FBI Office / U.S. Secret Service – if Visa payment data is compromised
  3. Provide the compromised Visa account numbers to Visa Fraud Control Group at (650) 432-2978 within 24 hours.
    • Account numbers must be securely sent to Visa as instructed by the Visa Fraud Control Group. It is critical that all potentially compromised accounts are provided. Visa will distribute the compromised Visa account numbers to Issuers and ensure the confidentiality of entity and non-public information.
  4. Requirements for Compromised Entities
    • All merchant banks must:
      • Provide proof of Cardholder Information Security Program compliance to Visa within 48 hours of the reported compromise.
      • Provide an incident report document to Visa within four business days of the reported compromise.
      • Depending on the level of risk and the data elements obtained, complete the following within four days of the reported compromise:
        • An independent forensic review
        • A compliance questionnaire and vulnerability scan, at Visa’s discretion

Steps for Merchant Banks
  1. Contact Visa USA Fraud Control Group immediately at (650)432-2978.
  2. Participate in all discussions with compromised entity and Visa USA.
  3. Engage a Visa-approved security assessor to perform the forensic investigation.
  4. Obtain information about compromise from the entity.
  5. Determine if compromise has been contained.
  6. Determine if an independent security firm has been engaged by the entity.
  7. Provide the number of compromised Visa accounts to Visa Fraud Control Group within 24 hours.
  8. Inform Visa of investigation status within 48 hours.
  9. Complete steps necessary to bring entity into compliance with CISP according to timeframes described in “What to do if Compromised.”
  10. Ensure that entity has taken steps necessary to prevent future loss or theft of account information, consistent with the requirements of the Visa USA Cardholder Information Security Program.

Forensic Investigation Guidelines

Entity must initiate investigation of the suspected or confirmed loss or theft of account information within 24 hours of compromise.

The following must be included as part of the forensic investigation:

  1. Determine cardholder information at risk.
    • Number of accounts at risk. Identify those stored and compromised on all test, development, and production systems.
    • Type of account information at risk:
      • Account number
      • Expiration date
      • Cardholder name
      • Cardholder address
      • CVV2
      • Track 1 and Track 2
    • Any data exported by intruder
  2. Perform incident validation and assessment.
    • Establish how compromise occurred.
    • Identify the source of compromise.
    • Determine timeframe of compromise.
    • Review entire network to identify all compromised or affected systems, considering the e-commerce, corporate, test, development, and production environments as well as VPN, modem, DSL and cable modem connections, and any third-party connections.
    • Determine if compromise has been contained.
  3. Check all potential database locations to ensure that CVV2, Track 1, and Track 2 data are not stored anywhere, whether encrypted or unencrypted (e.g., duplicate or backup tables or databases, databases used in development, staging or testing environments, data on software engineers’ machines, etc.).
  4. If applicable, review VisaNet endpoint security and determine risk.
  5. Preserve all potential electronic evidence on a platform suitable for review and analysis by a court of law if needed.
  6. Perform remote vulnerability scan of entity’s Internet facing site(s).

Visa Incident Report Template

This report must be provided to Visa within 14 days of the initial report of the incident to Visa. The following report content and standards must be followed when completing the incident report. The incident report must be securely distributed to Visa and the Merchant Bank. Visa will classify the report as “Visa Secret” (note: this classification applies to the most sensitive business information, which is intended for use within Visa. Its unauthorized disclosure could seriously and adversely impact Visa, its employees, member banks, business partners, and/or the Brand).

  1. Executive Summary
    • Include overview of the incident.
    • Include Risk Level (High, Medium, Low).
    • Determine if compromise has been contained.
  2. Background
  3. Initial Analysis
  4. Investigative Procedures
    • Include forensic tools used during investigation.
  5. Findings
    • Number of accounts at risk, identify those stored and compromised
    • Type of account information at risk
    • Identify ALL systems analyzed. Include the following:
      • Domain Name System (DNS) names
      • Internet Protocol (IP) addresses
      • Operating System (OS) version
      • Function of system(s)
    • Identify ALL compromised systems. Include the following:
      • DNS names
      • IP addresses
      • OS version
      • Function of system(s)
    • Timeframe of compromise
    • Any data exported by intruder
    • How the compromise occurred and its source
    • Check all potential database locations to ensure that no CVV2, Track 1, or Track 2 data is stored anywhere, whether encrypted or unencrypted (e.g., duplicate or backup tables or databases, databases used in development, staging or testing environments, data on software engineers’ machines, etc.).
    • If applicable, review VisaNet endpoint security and determine risk.
  6. Compromised Entity Action
  7. Recommendations
  8. Contact(s) at entity and security assessor performing investigation

Discover Card Specific Steps

  1. Within 24 hours of an account compromise event, notify Discover Fraud Prevention at (800) 347-3102.
  2. Prepare a detailed written statement of fact about the account compromise including the contributing circumstances.
  3. Prepare a list of all known compromised account numbers.
  4. Obtain additional specific requirements from Discover Card.

American Express Specific Steps

  1. Within 24 hours of an account compromise event, notify American Express Merchant Services at (800) 528-5200.
  2. Prepare a detailed written statement of fact about the account compromise including the contributing circumstances.
  3. Prepare a list of all known compromised account numbers.
  4. Obtain additional specific requirements from American Express.

Appendix B

The following are selected laws and regulations relating to the breach of personal information about an individual. This Appendix should not be considered a complete list.

California Civil Code 1798.82 (Senate Bill 1386)

On July 1, 2003, California Senate Bill 1386 became Civil Code 1798.82. The law requires companies that do business in California and own or license computerized data containing unencrypted personal information, to notify California residents of any security breach of their unencrypted personal information where the information was, or is reasonably believed to have been, acquired by an unauthorized person.

Note: Be prepared to identify and separate (if necessary) California residents from other records in databases containing personal information on individuals.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

The primary focus of HIPAA was to improve health insurance accessibility to people changing employers or leaving the workforce. It also addressed issues relating to electronic transmission of health-related data in Title II, Subtitle F of the Act entitled “Administrative Simplification.” The administrative simplification provisions include four key areas:

  • National standards for electronic transmission
  • Unique health identifiers for providers, employers, health plans and individuals
  • Security Standards
  • Privacy Standards

The HIPAA Security Standards require a covered entity to implement policies and procedures to:

  • Ensure the confidentiality, integrity, and availability of all electronic protected health information
  • Protect against any reasonably anticipated threats or hazards to the security of such information
  • Protect against any reasonably anticipated uses or disclosures that are not permitted

Within this context, HIPAA requires a covered entity to implement policies and procedures to address security incidents. A security incident means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. Response and reporting implementation requirements include identifying and responding to suspected or known security incidents, mitigating, to the extent practicable, harmful effects of security incidents that are known to the covered entity, and documenting security incidents and outcomes.

The HIPAA security standards were effective on April 21, 2003. The compliance date for covered entities is April 21, 2005 (April 21, 2006 for small health plans).

Gramm-Leach-Bliley Act (GLBA)

The Financial Modernization Act of 1999, also known as the “Gramm-Leach-Bliley Act” or GLB Act, includes provisions to protect consumers’ personal financial information held by financial institutions. There are three principal parts to the privacy requirements: Financial Privacy Rule, Safeguards Rule, and Pretexting provisions.

The GLB Act gives authority to eight federal agencies and the states to administer and enforce the Financial Privacy Rule and the Safeguards Rule. These two regulations apply to “financial institutions,” which include not only banks, securities firms, and insurance companies, but also companies that provide other types of financial products and services to consumers. Among these services are lending, brokering or servicing any type of consumer loan, transferring or safeguarding money, preparing individual tax returns, providing financial advice or credit counseling, providing residential real estate settlement services, collecting consumer debts, and an array of other activities. Such non-traditional “financial institutions” are regulated by the FTC.

The Financial Privacy Rule governs the collection and disclosure of customers’ personal financial information by financial institutions. It also applies to companies, whether or not they are financial institutions, who receive such information.

The Safeguards Rule requires all financial institutions to design, implement, and maintain safeguards to protect customer information. The Safeguards Rule applies not only to financial institutions that collect information from their own customers, but also to financial institutions – such as credit reporting agencies – that receive customer information from other financial institutions. The Rule requires the organization to consider all areas of its operations, including employee management and training, information systems, and system failure management. Effective security includes prevention, detection, and response to attacks, intrusions, or other system failures. Specific considerations include maintaining up-to-date and appropriate programs and controls, following a written contingency plan to address any breaches of nonpublic personal information, and notifying customers if their personal information is subject to loss, damage, or unauthorized access.

The Pretexting provisions of the GLB Act protect consumers from individuals and companies that obtain their personal financial information under false pretenses, a practice known as “pretexting.”

The Privacy Rule took effect on November 13, 2000, with compliance required by July 1, 2001. The Safeguards Rule took effect on May 23, 2003.

* ROOT: A person with unlimited access privileges who can perform all operations on the computer.

CVV2: CVV2 is an authentication process established by credit card companies to further reduce fraud for Internet transactions. It requires the cardholder to enter the CVV2 number at transaction time to verify that the card is on hand. This number is printed on MasterCard and Visa cards in the signature area on the back of the card (the last 3 digits AFTER the credit card number in the signature area).

Track 1 and Track 2: Track 1 is a "track" of information on a credit card that has a 79-character alphanumeric field. Normally the credit card number, expiration date, and customer name are contained on Track 1. Track 2 is a "track" of information on a credit card that has a 40-character field. Normally the credit card number and expiration date are contained on Track 2.
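The storage check in the Forensic Investigation Guidelines above (no CVV2, Track 1 or Track 2 data stored anywhere) together with this description of the tracks can be turned into a scanner run over database exports, backups and log files during an investigation. The following is an added example, not part of the plan or of Visa's program; it assumes the ISO/IEC 7813 track layouts (start sentinel, separators, YYMM expiry, three-digit service code), which the plan does not give, and the sample dump and its public test card numbers are constructed.

```python
import re

# Track layouts per ISO/IEC 7813 (an assumption; the plan gives only field lengths):
# Track 1 = %B<PAN>^<NAME>^<YYMM><service code>...?   Track 2 = ;<PAN>=<YYMM><service code>...?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{7}[^?]*\?")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{7}[^?]*\?")
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")  # bare 13-19 digit runs
CVV2_RE = re.compile(r"(?i)\b(?:cvv2?|cvc2?|cid)\s*[:=]\s*\d{3,4}\b")  # labelled values only

def luhn_ok(digits):
    """Luhn check: drops order IDs and timestamps that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan):
    """First six and last four only, so the report itself never holds a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_text(text):
    """Return (line_no, kind, masked_value) for every prohibited element found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        covered = []  # spans already reported as track data, to avoid double counting
        for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in rx.finditer(line):
                if luhn_ok(m.group(1)):
                    findings.append((line_no, kind, mask_pan(m.group(1))))
                    covered.append(m.span())
        for m in PAN_RE.finditer(line):
            inside = any(s <= m.start() and m.end() <= e for s, e in covered)
            if not inside and luhn_ok(m.group(0)):
                findings.append((line_no, "pan", mask_pan(m.group(0))))
        for _ in CVV2_RE.finditer(line):
            findings.append((line_no, "cvv2", "***"))
    return findings

# Constructed sample of a backup/log excerpt; card numbers are public test numbers.
SAMPLE_DUMP = """\
order_id=1234567890123456 status=shipped
swipe_raw=%B4111111111111111^DOE/JOHN^25121010000000000?;4111111111111111=25121010000000000?
backup_row pan=5555555555554444 cvv2=123 exp=2512
note: ticket 4111111111111112 closed
"""
for line_no, kind, value in scan_text(SAMPLE_DUMP):
    print(f"line {line_no}: {kind} {value}")
```

The scanner only finds cleartext values; encrypted stores, which the guideline also covers, have to be checked after decryption or by reviewing the schema and application code.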
