Tuesday, June 5, 2012

E-Commerce Merchant Account Data Compromise

An e-commerce merchant account data compromise (ADC) event is an occurrence that results, in one way or another, in unauthorized access to sensitive card account data. A potential ADC event is an occurrence that may result in unauthorized access to card account data.

Data security vulnerabilities in a web-based credit card processing environment may not necessarily be known. Even so, there may be signs of a data security breach, unauthorized access, or misuse of information within the payment processing environment that point to an ADC event or a potential ADC event. The following list shows examples of such indicators:
  • Inbound web connections from non-business-related internet protocol (IP) addresses or from countries that have no business relationship with the potentially compromised business, outbound web connections to non-business-related IP addresses or locations, or both.
  • Access from unidentified or inactive user IDs or excessive user activity.
  • Discovery of malware or suspicious files or programs in the environment, or unusual activity or volume on network systems.
  • SQL injection activity on internet-facing systems.
  • Point-of-sale (POS) machines and ATM terminals showing indications of tampering.
  • Key-logging discovered.
  • Card-skimming machines found.
  • Lost or stolen transaction receipts.
  • Lost or stolen bank card data.
  • Lost or stolen computers, laptops, hard drives, or other electronic devices that contain payment card information.
  • Files containing card account data mistakenly sent to an unauthorized party.
If any activity related to any of the above items is uncovered, it is mandatory to immediately initiate an investigation.
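
The following Python example is added here and is not part of the original post. It checks connection records against three of the indicators listed above: connections from countries with no business relationship, access from inactive user IDs, and SQL injection patterns in requests. The allow-listed countries, the inactive user IDs, the record layout, and the sample records are all constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Assumptions (not from the original post): the country allow-list, the
# inactive user IDs, and the record layout are hypothetical.
BUSINESS_COUNTRIES = {"US", "CA"}
INACTIVE_USER_IDS = {"jdoe_old", "temp_contractor"}

# A few common SQL injection markers; production systems would rely on
# their WAF/IDS rule sets rather than this short pattern.
SQLI_PATTERN = re.compile(
    r"(\bunion\b\s+(all\s+)?\bselect\b|\bor\b\s+\d+\s*=\s*\d+|--\s*$)",
    re.IGNORECASE,
)

def triage(record):
    """Return the ADC indicators that one connection record matches."""
    findings = []
    if record["country"] not in BUSINESS_COUNTRIES:
        findings.append("non-business-country")
    if record.get("user") in INACTIVE_USER_IDS:
        findings.append("inactive-user-id")
    # Decode URL encoding first so %27 and + do not hide the pattern.
    if SQLI_PATTERN.search(unquote_plus(record["request"])):
        findings.append("sql-injection-pattern")
    return findings

def review(records):
    """Map record index -> findings for records that need investigation."""
    flagged = {}
    for i, rec in enumerate(records):
        hits = triage(rec)
        if hits:
            flagged[i] = hits
    return flagged

# Constructed sample records: GeoIP country code ("ZZ" is a placeholder),
# authenticated user (None if anonymous), and the request line.
SAMPLE = [
    {"country": "US", "user": "alice", "request": "GET /cart?item=42"},
    {"country": "ZZ", "user": None, "request": "GET /product?id=1%27+OR+1%3D1--"},
    {"country": "US", "user": "jdoe_old", "request": "POST /admin/export"},
    {"country": "CA", "user": "bob", "request": "GET /search?q=union+station+hotel"},
]

if __name__ == "__main__":
    for idx, hits in review(SAMPLE).items():
        print(idx, SAMPLE[idx]["request"], hits)
```

The last sample record contains the word "union" in an ordinary search and is not flagged, which shows why the pattern matches SQL keyword sequences rather than single words.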

Once the ADC event is reported, the requestor needs to monitor the ADC reporting form status codes. If the affected Credit Card Network receives a report of a potential ADC event or an ADC event, it may verify the information shared by the member bank through the ADC Reporting Form. When applicable, the Association will work with the acquiring banks of record to ensure compliance with applicable rules.

Registered users from the affected processing bank need to access the ADC Reporting Form online within five days of the e-mail by navigating as follows:
  • Log in.
  • Go to "My Products" in the Products drop-down menu.
  • Select Association Alerts.
  • Click "Yes" in the Security Warning dialogue box. The Association Alerts disclaimer page opens up.
  • Go over the disclaimer, and then click "Agree" if you accept the terms.
  • On the Association Alerts page, click "ADC Summary."
  • From the ADC Summary page, select the tracking number that matches the one in the e-mail notification.
  • Select the Section B tab and fill out the data fields there asking for the acquiring bank's contact information.
  • Click "Save."
