What To Do If Compromised

Taking immediate action

Merchants and service providers that have experienced a suspected or confirmed security breach must take immediate action to help prevent additional damage and adhere to Visa CISP requirements.

Steps for compromised entities

1. Contain and limit the exposure. Conduct a thorough investigation of the suspected or confirmed loss or theft of account information within 24 hours of the compromise. To facilitate the investigation:
   • Do not access or alter compromised systems (e.g., do not log on or change passwords; do not log in as ROOT).
   • Do not turn off the compromised machine. Instead, isolate compromised systems from the network (e.g., unplug the cable).
   • Preserve logs and electronic evidence.
   • Log all actions taken.
   • If using a wireless network, change SSID on the AP and other machines that may be using this connection (with the exception of any systems believed to be compromised).
   • Be on high alert and monitor all Visa systems.
2. Alert all necessary parties. Be sure to notify:
   • Internal information security group and Incident Response Team, if applicable
   • Merchant bank
   • Visa Fraud Control Group at (650) 432-2978
   • Local FBI Office
   • U.S. Secret Service (if Visa payment data is compromised)
3. Provide the compromised Visa accounts to Visa Fraud Control Group within 24 hours. For assistance, please call (650) 432-2978. Account numbers must be securely sent to Visa as instructed by the Visa Fraud Control Group. It is critical that all potentially compromised accounts are provided. Visa will distribute the compromised Visa account numbers to issuers and ensure the confidentiality of entity and non-public information.
4. Within four business days of the reported compromise:
   • Provide Visa with an incident report.
   • Depending on the level of risk and data elements obtained, complete an independent forensic review and conduct a compliance questionnaire and vulnerability scan upon Visa's discretion.

Visa incident response team

In the event of a suspected compromise, the Visa Incident Response Team (which includes the Visa Fraud Control Team and a CISP Team) will immediately begin working with the entity and responsible member.

The Fraud Control Group:	The CISP Team:
Works with the compromised entity to obtain all potentially compromised account numbers. Disseminates "at risk" account numbers (or data) to the issuing banks. Begins monitoring the activity on the affected accounts. Works with the appropriate law enforcement on the entity’s behalf.	Provides guidelines to the compromised entity to assist them in responding to the incident. Works with the entity to identify security deficiencies. Facilitates forensic investigation in a timely manner. Ensures the entity takes corrective action to minimize the risk of future loss or theft of account information. Works with the entity to verify CISP compliance in an expedited timeframe.

Download the What to Do If Compromised (PDF, 176k).

To learn more about the Visa CISP, contact Visa via email at AskVisaUSA@Visa.com and/or download our CISP Frequently Asked Questions (PDF, 147k).