What you need to know
Any entity that suspects or confirms unauthorized access to, or misuse of, cardholder information—including those that store, process, or transmit cardholder data, or have access to payment systems—must follow certain key procedures.
Essential steps:
1. Containment and Control
Act swiftly to limit the exposure of compromised data.
- Isolate the affected systems.
- Preserve all evidence to facilitate the investigation.
2. Notify Visa and Mastercard Immediately
Report the security incident:
- Visa: Within three calendar days.
- Mastercard: Immediately.
Include in your notification:
- Sufficient evidence to reasonably suspect or confirm a security breach.
- Key details of the incident.
Contact us to report the incident and receive guidance on the next steps.
3. Conduct an Initial Investigation
Prepare a detailed report and submit it to Visa, Mastercard, and Evertec within three calendar days from the initial notification.
4. Preserve Evidence
Ensure all evidence remains intact to identify the root cause of the incident, aid in investigations, and protect system integrity.
5. Independent Investigation
Visa and Mastercard may require an independent investigation before or in place of a PCI forensic review.
- The investigating entity must not have provided services to the affected organization within the past three years.
- Visa and Mastercard reserve the right to reject reports not meeting their standards.
6. Notify Other Parties Involved
Notify:
- Internal teams responsible for incident management and information security.
- Manufacturers or integrators of devices (PED/POS), if applicable.
- Legal advisory teams, especially if applicable laws require customer notification.
- Local or federal authorities (e.g., DACO in Puerto Rico or the U.S. Secret Service Cyber Crimes Unit for incidents in the U.S.).
- Any other relevant parties as required by applicable laws.
7. Remediation
Address the identified vulnerabilities.
- Update security protocols.
- Ensure compliance with PCI DSS.
- Submit final reports and findings to Visa, Mastercard, and the acquiring bank.
8. Monitoring and Follow-Up
Implement continuous monitoring to prevent future security breaches and reinforce preventative measures.
At Evertec, we are committed to ensuring that our business partners comply with these requirements. Contact us to ensure your business is protected.