The document discusses preparing for a PCI forensic investigation following a payment card data breach. It provides lessons learned from over 100 card compromise investigations, including what merchants can expect from the process, who the key stakeholders are, and common trends seen in breaches. Merchants are advised to have an incident response plan in place, know their responsibilities, work with qualified forensic experts and lawyers, and notify all necessary parties immediately in case of a breach.
18. In this case, the common point is a single business at which all of the stolen credit cards had been used before those cards became involved in fraudulent activity. This could be the sign of an employee skimming card numbers, or of a database breach. There will always be coincidences when working with data on a large scale, but because of that scale, it is very difficult to end up with a false-positive fraud finding once a margin of error is established.
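The common-point-of-purchase analysis described above, as an added example that is not part of the original slides: it takes a constructed transaction log and a constructed set of issuer fraud reports, counts only purchases made before each card's first fraud date, and compares a merchant's share of compromised cards against its share of all cards so that a very large merchant is not flagged just because most cards in the population shop there (the margin-of-error point). The thresholds min_share and min_lift are assumed values, not figures from the slides.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not from the slides): (card_id, merchant, transaction_date).
TRANSACTIONS = [
    ("c1", "CoffeeCo", date(2010, 1, 2)), ("c1", "MegaMart", date(2010, 1, 3)),
    ("c2", "CoffeeCo", date(2010, 1, 4)), ("c2", "MegaMart", date(2010, 1, 5)),
    ("c3", "CoffeeCo", date(2010, 1, 6)), ("c3", "GasStop", date(2010, 1, 7)),
    ("c4", "CoffeeCo", date(2010, 1, 8)), ("c4", "MegaMart", date(2010, 1, 9)),
    ("c4", "GasStop", date(2010, 2, 10)),  # after c4's fraud date: must not count
    ("c5", "MegaMart", date(2010, 1, 10)), ("c6", "MegaMart", date(2010, 1, 11)),
    ("c7", "MegaMart", date(2010, 1, 12)), ("c8", "GasStop", date(2010, 1, 13)),
    ("c9", "MegaMart", date(2010, 1, 14)), ("c10", "MegaMart", date(2010, 1, 15)),
]
# Constructed issuer reports: card -> date of the first fraudulent use.
FRAUD_REPORTS = {"c1": date(2010, 2, 1), "c2": date(2010, 2, 1),
                 "c3": date(2010, 2, 2), "c4": date(2010, 2, 3)}


def common_points_of_purchase(transactions, fraud_reports, min_share=0.75, min_lift=2.0):
    """Return (merchant, share, lift) for merchants where at least min_share of the
    compromised cards were used before their fraud date AND that share is at least
    min_lift times the merchant's share of all cards (guards against big-merchant
    coincidences). Sorted by lift, highest first."""
    if not fraud_reports:
        return []
    cards_at = defaultdict(set)        # merchant -> every card seen there
    fraud_cards_at = defaultdict(set)  # merchant -> compromised cards seen before fraud
    all_cards = set()
    for card, merchant, when in transactions:
        all_cards.add(card)
        cards_at[merchant].add(card)
        first_fraud = fraud_reports.get(card)
        if first_fraud is not None and when < first_fraud:
            fraud_cards_at[merchant].add(card)
    results = []
    for merchant, hits in fraud_cards_at.items():
        share = len(hits) / len(fraud_reports)               # of compromised cards
        baseline = len(cards_at[merchant]) / len(all_cards)  # of all cards
        lift = share / baseline
        if share >= min_share and lift >= min_lift:
            results.append((merchant, round(share, 2), round(lift, 2)))
    return sorted(results, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for merchant, share, lift in common_points_of_purchase(TRANSACTIONS, FRAUD_REPORTS):
        print(f"{merchant}: {share:.0%} of compromised cards, lift {lift}x")
```

With the sample data only CoffeeCo is flagged; MegaMart was visited by 75% of the compromised cards too, but by 80% of all cards, so it is the kind of large-scale coincidence the slide warns about.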
41. Monthly Prohibited Data Storage Violation Fines

                   Months 1-3   Months 4-6   Months 7 and up
Merchant Level 1   $10,000      $50,000      $100,000
Merchant Level 2   $5,000       $25,000      $50,000

Fines for Merchant Data Compromise
- Up to $600,000 for non-compliance with PCI DSS requirements.
- Issuer Recovery: the cost of fraud, i.e. charges that occurred on all exposed cards from the compromised location.
- The cost of the forensic investigation.
- The cost to replace exposed credit cards.
52. In an interesting development, a handful of issuing banks impacted by the Heartland breach have filed a class action lawsuit against two acquiring banks related to Heartland Payment Systems. According to this article, the issuing banks are unhappy with Heartland's proposed settlement with Visa. This appears to be an attempted end-run around the proposed $60 million settlement with Visa. It also may demonstrate that issuing banks are not satisfied with the dispute resolution mechanisms under the Visa Operating Regulations (the Account Data Compromise Recovery process estimated the loss at $140 million, yet the settlement was for only $60 million), and their ability to be made whole under those mechanisms. From 01/21/2010 www.infolawgroup.com