Merchant Account Services Data Compromise Management

Merchant account services data compromise event (ADC) is an instance that results, in some way or other, in the unallowed access to personal card account information. A potential ADC event is an instance that may lead to, in some way or other, to the unpermitted access to card account data.

Data security failings in an online payment processing setting does not necessarily have to be known. Still, there can be indications of an information security breach, unallowed access, or probable signs of misuse of data within the credit card processing setting that may be indicating an ADC occurrence or a potential ADC event. The list below shows a few such events:

• Internet connections from an internet protocol (IP) address that is not business-related or an inbound internet connection coming from locations that have no sort of business relationship to the potentially affected business or an outbound web connection to a not business-related IP address or country or both.
• Access from an unidentified or a not active user's ID or inordinate user activity.
• Discovering of malware, suspicious programs or files in an environment, or unusual action or volume in the processing systems.
• SQL suspicious action on web-facing systems.
• Point-of-sale (POS) devices and ATM machines displaying indications of tampering.
• Key-logging activities discovered.
• Card-skimming devices discovered.
• Lost or stolen sales receipts.
• Lost or stolen payment card information.
• Lost or stolen PCs, laptops, hard drives, or any other electronic machines that store bank card data.
• Files featuring bank account information mistakenly communicated to an unauthorized party.

If any action related to any of the above features is found, it is necessary to immediately begin an investigation.

Once the ADC occurrence is reported, the requesting party has to monitor the ADC reporting activity form status codes. If the respective Credit Card Association gets a report of a potential ADC occurrence or an ADC event, it can validate the data shared by the affected bank via the ADC Reporting Form. When possible, the Card Network will cooperate with the processing banks of record to make sure there is compliance with the rules.

Registered bank users from the respective acquiring bank need to access the ADC Reporting Form over the web within no more than five days of the received e-mail by using the step-by-step process below:

• Logging in.
• Navigate to "My Products" in the "Products" drop-down list.
• Choose "Association Alerts."
• Select "Yes" in the "Security Warning" option box. The "Association Alerts" disclaimer page will open up.
• Examine the disclaimer, and then select "Agree" if you agree to the terms.
• From the list on the the "Association Alerts" page, choose "ADC Summary."
• From the "ADC Summary" section, choose the number that is the same as the one in the e-mail notification.
• Choose the "Section B" tab and populate the data fields requesting the processing bank's contact information.
• Select "Save."