This FAQ covers questions Visa clients may have on the Account Data Compromise Program changes effective from 1st October 2021, please see the new What To Do If Compromised Document v.11 – Europe Region. Why are the changes happening?

Account Data Compromise Event Program Changes – Europe Region

This FAQ covers questions Visa clients may have on the Account Data Compromise Program changes effective from 1st October 2021, please see the new What To Do If Compromised Document v.11 – Europe Region.

Why are the changes happening?

  • Increasing adoption of payment security technology, such as tokenisation and increasing understanding and implementation of Strong Customer Authentication (SCA) practices in response to PSD2, is working to devalue payment card data for fraudsters.
  • Attack trends are changing, with an increase in attacks designed to inhibit or disable the transaction flow, such as ransomware or DDoS attacks.
  • The changes will facilitate an increased focus on cybersecurity and the resilience of the payment’s ecosystem.

What type of data compromise or security events will Visa request an investigation for?

Any data compromise event that puts Visa account data at risk including but not limited to:

  • Any entity that has been Common Point Of Purchase (CPP) reported by an issuing client.
  • Material public reported data compromise events.
  • Self-reported data compromise events.
  • Any data compromise event that has not been contained or there is a continuation in fraud.
  • Ransomware cases where Visa account data may be at risk.

How will Visa notify clients of a suspected or potential data compromise event at one of their merchants/entities?

  • Visa will send a notification of the event though Visa’s Global Investigation Management Tool (GIMT). If the acquirer does not have GIMT, Visa will notify through email and request the acquirer gain access to GIMT. This notification will contain the acquiring client and will include the CPP report details. This will be the Card Acceptor ID (CAID) or Merchant Identifier (MID), the Window Of Exposure and the entity name.
  • Acquirers will be expected to validate the CPP reports using any methods available to them.
  • Acquirers will be required to provide the potential AAR using initial CPP report window of exposure and/or the results of the acquirer’s initial investigations findings.

What are the investigation options available for use by acquiring clients?

– For Level 3 and 4 merchants:

  • Acquiring clients will be required to determine the most appropriate measures to manage an account data compromise event. An acquirer led ‘independent investigation’ may be used to ensure effective containment of an account data compromise event and this must be achieved using a competent and appropriately qualified individual or company.

-For Level 1 and 2 merchants including service providers, agents etc.:

  • The current full PCI PFI investigation requirement remains extant.

The PFI Lite service will be terminated from 1st October 2021.

What is an ‘independent investigation’?

  • Managed by the acquiring client
  • Must be completed Within sixty (60) business days
  • The acquiring client may use whatever resources they deem appropriate but must ensure that containment actions are validated by a competent and appropriately qualified individual or company
  • Any containment action should immediately contain the specific cause of the account data compromise event and be effective enough to prevent the further loss of payment account data until full PCI DSS remediation is completed
  • If effective containment cannot be achieved due to underlying or additional security weaknesses, consideration should be given to either:
    • Stop taking payment account data or
    • Divert customers to a known secure payment channel such a MOTO or face to face until the security weakness have been addressed and effective containment has been achieved.
  • A report submitted by the acquiring client to Visa in Europe within 60 business days confirming who carried out the independent investigation, their contact details, the key findings of the investigation, the Window of Exposure of any payment account data and the data elements at risk, the containment actions taken and the containment date and finally any remediation actions required to ensure the security of payment account data moving forward.
  • Acquiring clients will be expected to work with their merchants to ensure PCI DSS compliance validation.

What happens if the Independent Investigation does not meet the deadline or containment requirements?

  • Failure to contain the ADC Event within sixty (60) business days may result in Visa in Europe requiring a Full PCI PFI investigation.

Please Note: Visa in Europe reserve the right to require a PCI Forensic Investigation irrespective of

the number of accounts at risk or merchant Payment Card Industry Data Security Standard (PCI DSS) merchant validation level.

What Other account data compromise program administration changes are happening?

  • Any changes to the Account Data Compromise Event program will be communicated to clients through VBN, training and guides.

Does this change impact case management fees?

  • Yes. Case management fees as detailed within the Visa Rules (ID#: 0029794), will not be applied when an acceptable independent investigation has been completed.

Does this change impact non-compliance assessments?

  • Account Information Security (AIS) Non-Compliance Assessments (NCA’s) will not be applied to cases with less than 30K accounts at risk. However, non-compliance assessments under the AIS program, as detailed within the Visa Rules (ID#: 0029794), may apply to account data compromise cases when 30K accounts or more accounts have been placed at risk.

Please Note: A Member must cooperate with Visa to protect the Visa system and Members against data compromises of account information and Transaction Information. A Member that fails to do so may be subject to a non-compliance assessment of EUR 100,000 as detailed within the Visa Rules(ID#: 0029596).