California State University, Long Beach

Information Security Management and Compliance

Security Breach of Credit/Debit Cardholder Data


  • Issue Date: September 2007
  • Revision Date: N/A
  • Expiration Date: N/A

This document outlines procedures and protocols for campus response to security incidents and breaches involving credit/debit (payment) cardholder data. These procedures and protocols are additional to those outlined in the University Security Incident Reporting and Breach Notification Procedures.

  1. BACKGROUND

    In response to increasing incidents of identity theft, the major payment card companies – American Express, Discover, MasterCard, and Visa – created regulations to help prevent theft of consumer data. These regulations are known as the Payment Card Industry (PCI) Data Security Standard (DSS). The PCI DSS is multifaceted and includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.

    The PCI Data Security Standards are not law. Compliance with the PCI DSS is a contractual obligation between the University and each of the payment card companies to proactively protect cardholder data. Each of the major payment card companies has specific and required procedures for providing notification to them in the event of a suspected and/or confirmed unauthorized acquisition of cardholder data.

  2. DEFINITIONS

    Definitions are included in Appendix A.

  3. PROCEDURES

    1. Immediately Notify Payment Card Companies

      Upon notification of a suspected unauthorized acquisition of cardholder data, the Information Security Officer or designee shall immediately notify the following entities:

      • MasterCard Compromised Account Team at compromised_acount_team@mastercard.com and by phone – (636) 722-4100
      • Visa USA Fraud Investigations and Incident Management Group – (650) 432-2978
      • American Express – (800) 528-5200
      • Discover Merchant Security Department – (800) 347-3083
      • The Merchant Bank
      • Los Angeles Office of the U.S. Secret Service – (213) 894-4830

    2. Incident Investigation

      The Information Security Officer or designee shall conduct an incident investigation within 24 hours to determine the following:

      1. Type of cardholder data at risk. Data may include:
        • Cardholder name
        • Cardholder address
        • Cardholder Primary Account Number (PAN)
        • Card expiration date
        • Card Validation Code/Card Verification Value
        • Magnetic stripe (track) data
        • PIN
        • PIN blocks
      2. Number of cardholder accounts at risk
      3. Incident timeframe for cardholder accounts at risk
      4. Suspected cause of incident

      If it is determined that cardholder data has not been compromised, the Information Security Officer or designee shall notify the payment card companies and advise that cardholder data has not been compromised.

    3. Confirmed Security Breach

      Within 24 hours of knowledge of a confirmed security breach and knowledge that cardholder data has been compromised, the Information Security Officer or designee shall notify the following entities:

      • MasterCard Compromised Account Team at compromised_acount_team@mastercard.com and by phone – (636) 722-4100
        Email a detailed written statement about the account compromise, including the contributing circumstances, and a complete list of all potentially or known to be compromised account numbers.
      • Visa USA Fraud Investigations and Incident Management Group – (650) 432-2978
      • American Express – (800) 528-5200
      • Discover Merchant Security Department – (800) 347-3083
      • The Merchant Bank
      • Los Angeles Office of the U.S. Secret Service – (213) 894-4830

    4. Subsequent Notification

      Within three (3) business days of the reported compromise, the Information Security Officer or designee shall provide an Incident Response Report to:

      • MasterCard Merchant Fraud Control staff
      • Visa USA Fraud Investigation and Incident Management Group
      • American Express
      • Discover Merchant Security Department
      • The Merchant Bank

      Within ten (10) business days, the Information Security Officer or designee shall provide all compromised Visa, Interlink, and Plus primary account numbers to the merchant bank, as instructed by the merchant bank, and to the Visa Investigations and Incident Management Group.

    5. Additional Requirements

      Additional requirements are at the sole discretion of the payment card companies and are likely to include the following:

      • Depending upon the level of risk and data elements obtained by unauthorized persons, an independent forensic investigation and vulnerability scan of the campus network
      • Weekly written status reports addressing open questions and issues, until the audit is considered to be complete
      • Completion of a PCI DSS Compliance Questionnaire

  4. PCI RESPONSE TO NON-COMPLIANCE

    If investigation of the incident reveals that the University or an auxiliary organization’s non-compliance with the PCI DSS contributed to the account compromise or if the University or auxiliary organization was negligent in reporting or investigating the loss of cardholder data, fines and penalties may be assessed.

    The payment card companies may take any or all of the following actions:

    • Charge up to $500,000 per security incident if the cardholder information is compromised;
    • Prohibit the University and/or auxiliary organization from accepting payment cards for goods or services;
    • Fine the University and/or an auxiliary organization up to $100,000 per security incident for failure to notify of probable or actual violations or compromise of cardholder data.

FURTHER INFORMATION

Safety and Risk Management
(562) 985-2283