Tuesday, June 12, 2012

What Card Issuers Should Do when Card Data Is Compromised

When a card issuer becomes aware that an account data compromise event may have occurred at the site of the card issuer or an MSP, DSE, or other person handling account data on behalf of the card issuer, within 24 hours the card issuer must take the following actions:
  • Notify the MasterCard Compromised Account Team via e-mail at compromised_account_team@mastercard.com.
  • Provide a written statement detailing what is known about the account data compromise event (including the contributing circumstances) via email at compromised_account_team@mastercard.com.
  • Provide the Merchant Fraud Control Department with the complete lists of all known at-risk and confirmed compromised account numbers.
MasterCard will not distribute the provided account numbers to acquiring banks. When a card issuer becomes aware that the account data has been lost, stolen, misplaced, or the like, by any person (for example, a tape of account data lost during transit to a storage site), the card issuer must report the occurrence as described above. MasterCard will determine whether or not it considers such occurrence to be an account data compromise event.

Read an account of a real-life data compromise.

No comments:

Post a Comment