Date effective: April 18, 2020
Visa has updated the "What To Do If Compromised" (WTDIC) document to clearly define required procedures and timeliness for reporting and responding to a suspected or confirmed account data compromise. The updated version incorporates new investigation fees and non-compliance assessment information with the following effective dates:
- Effective April 18, 2020, in the AP, CEMEA, LAC, and US regions.
- Effective July 18, 2020, in Canada.
Merchants can avoid fees by cooperating with applicable investigations in a timely fashion. Full cooperation during data breach events can help to contain and mitigate the breach event more quickly and to minimize the resulting fraud.
Merchants that suspect or have confirmed a compromise event of their payment systems or payment systems they service or support must take prompt action per the WTDIC guide to prevent additional exposure.
Responding to a suspected or confirmed account data compromise
Version 6.0 of WTDIC establishes procedures and specific timelines for reporting and responding to a suspected or confirmed account data compromise event. To mitigate payment system risk during a compromise event, prompt action is required to prevent additional exposure. This includes carrying out containment actions and remediation, such as ensuring the proper PCI DSS and PCI PIN Security controls are in place and are functioning correctly. Visa's updated WTDIC document will guide merchants through critical required compromise event components and procedures that include:
- Providing notification to Visa
- Conducting an initial investigation and providing an incident report to Visa
- Providing exposed payment account data to Visa
- Managing PCI forensic investigation/independent investigation as required
- Complying with all requirements for suspected or confirmed compromise events
- Following eCommerce Threat Disruption (eTD) requirements
- Understanding potential impacts of investigation fees and non-compliance assessments (NCAs)
To ensure the timely resolution of compromise events and drive notification of at-risk accounts to stem fraud impacts, Visa is introducing investigation fees to encourage merchants to cooperate throughout each phase of the investigation process. The WTDIC document specifies the investigation fees and how they are assessed. Fees are entirely avoidable if merchants cooperate in a timely fashion.
Non-compliance assessments are designed to deter merchants from failing to comply with the required procedures and timeliness for reporting and responding to a suspected or confirmed compromise event.