Account Data Compromise
An Account Data Compromise (ADC) is an intrusion into a computer system, or access to physical cardholder data, where unauthorised disclosure, modification or destruction of cardholder data is suspected.
The key is having a plan in place to respond to a suspected breach of your own systems, or of the systems of any third party that stores, processes or transmits cardholder data on your behalf.
PCI DSS is designed to reduce, if not eliminate, the risk of compromise. However, security can never be perfect, so it is vital to have your own incident response plan, tailored to your business environment, so that you can manage the ongoing risk of a possible ADC effectively.
What to do in the case of an ADC?
If you find a compromise, or merely suspect one, take the following steps:
Make contact immediately - with your merchant acquirer, WorldPay.
Leave compromised systems alone - don't access or alter them in any way. For example, don't log on or change any passwords.
Don't turn off compromised systems - powering them down destroys volatile evidence such as memory contents. Instead, unplug the network cables to isolate them from your network.
Back up immediately - take a copy of the affected systems to preserve their current state; this also supports any later investigation. Take the copy in a way that does not alter the original, for example by imaging the disk rather than copying files from a logged-on session, and record a hash of the copy so its integrity can be demonstrated later.
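As an added example of the preservation step above (this is illustrative code written for this page, not WorldPay or PCI SSC tooling), the script below takes a byte-for-byte image of a source device or file, confirms the image hashes identically to the source, records the hash alongside the image, and appends a who/when/what line to a custody log so the copy can be handed to investigators with its integrity provable. The evidence directory layout, the case tag and the sample "disk" created in `main` are assumptions; the sample data is constructed.

```shell
#!/bin/sh
# Added example, not WorldPay or PCI SSC tooling: preserve a suspected-compromised
# disk or data store as a hashed, logged image so the original is left untouched.
# Paths, the case tag and the evidence directory are assumptions; the sample
# source written in main() below is constructed for demonstration.

# SHA-256 of one file; GNU sha256sum, with shasum as a fallback on BSD/macOS.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# preserve_image SRC EVIDENCE_DIR TAG
# Writes EVIDENCE_DIR/TAG.img (a byte-for-byte copy of SRC) and TAG.img.sha256,
# then appends a custody line to EVIDENCE_DIR/custody.log. Fails, and records
# nothing, if the copy does not hash identically to the source.
preserve_image() {
    src=$1
    dir=$2
    tag=$3
    img="$dir/$tag.img"
    mkdir -p "$dir"
    # Single read-only pass over the source. On a disk with read errors use
    # ddrescue rather than dd so unreadable sectors are handled explicitly.
    dd if="$src" of="$img" bs=1048576 2>/dev/null || return 1
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$img")
    if [ "$src_hash" != "$img_hash" ]; then
        printf 'copy of %s does not match source\n' "$src" >&2
        return 1
    fi
    printf '%s  %s\n' "$img_hash" "$img" > "$img.sha256"
    printf '%s\t%s@%s\t%s\t%s\t%s\n' \
        "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$(id -un)" "$(uname -n)" \
        "$tag" "$src" "$img_hash" >> "$dir/custody.log"
}

# verify_image IMG: recompute the hash and compare it with the recorded one.
# Returns 0 when the evidence is intact, 1 when it has been altered or the
# hash record is missing.
verify_image() {
    img=$1
    recorded=$(cut -d' ' -f1 "$img.sha256" 2>/dev/null) || return 1
    [ -n "$recorded" ] || return 1
    current=$(hash_file "$img")
    [ "$recorded" = "$current" ]
}

# Stand-alone demonstration with a constructed sample "disk" (a small file).
main() {
    work=$(mktemp -d)
    printf 'constructed sample cardholder-data store\n' > "$work/pos-terminal.bin"
    preserve_image "$work/pos-terminal.bin" "$work/evidence" CASE-0001 \
        && verify_image "$work/evidence/CASE-0001.img" \
        && cat "$work/evidence/custody.log"
    rm -rf "$work"
}

main
```

Run this from a separate, trusted machine (a forensic boot medium or a workstation with the removed disk behind a write blocker) rather than from a session on the compromised host, so that the "don't log on" rule above is respected while the copy is taken. Keep the `.sha256` file and `custody.log` with the image; investigators will re-run the verification before they rely on the copy.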
The Account Data Compromise team will follow up with any merchant who has suffered, or is suspected of having suffered, an account data compromise.
A merchant will be contacted by the Account Data Compromise team in the following scenarios:
If we receive, from WorldPay's issuing business, a report that the merchant is showing up as a CPP (Common Purchase Point, defined below).
If we receive, from APACS, a card scheme or another issuing bank, a report that the merchant is showing up as a CPP.
If a merchant reports to us that they believe they have suffered a data compromise. This could be physical, such as receipts being stolen, or logical, such as an intrusion into merchant systems that store cardholder data.
A CPP, or Common Purchase Point, is a merchant where a significant number of customers suffer fraudulent spend on their accounts after having genuinely transacted with that merchant within a distinct time period.