If you suspect or have confirmed an account data compromise, you must contact us within three business days. In the meantime, to help identify the root cause and facilitate investigations, it is important to ensure the integrity of the system components and environment by preserving all evidence. To this end:
- Do not access or alter the compromised system(s), e.g., do not log on to the compromised system(s) and change passwords; do not log in with administrative credentials. The card association strongly recommends that the compromised system(s) be taken offline immediately and not be used to process payments or interface with payment processing systems.
- Do not turn off, restart, or reboot the compromised system(s). Instead, isolate the compromised system(s) from the rest of the network by unplugging the network cable(s) or through other means.
- Identify and document all suspected compromised components (e.g., PCs, servers, terminals, logs, security events, databases, PED overlays, etc.).
- Document containment and remediation actions taken, including dates/times, individuals involved, and actions performed, in detail.
- Preserve all evidence and logs (e.g., original evidence such as forensic images of systems and malware, security events, web logs, database logs, firewall logs, etc.).
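
One way to support the last two steps, as an added example that is not part of the original notice: a SHA-256 manifest of the collected evidence plus a hash-chained action log, so later changes to either are detectable. The function names, the JSON layout and the choice of SHA-256 are assumptions, and the code is meant for copies of evidence on a separate analysis host, never the compromised system itself.

```python
import hashlib, json, os
from datetime import datetime, timezone
GENESIS = "0" * 64  # assumed anchor value for the first action-log entry

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:  # read-only, in chunks, so large images fit
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(evidence_dir):
    """Record path, size and SHA-256 of every file under evidence_dir."""
    entries = []
    for root, dirs, files in os.walk(evidence_dir):
        dirs.sort()  # deterministic traversal order
        for name in sorted(files):
            path = os.path.join(root, name)
            rel = os.path.relpath(path, evidence_dir).replace(os.sep, "/")
            entries.append({"path": rel, "bytes": os.path.getsize(path),
                            "sha256": sha256_file(path)})
    return entries

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def log_action(log, who, action, when=None):
    """Append who/what/when; each entry commits to the previous entry's hash."""
    when = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
    body = {"when_utc": when, "who": who, "action": action,
            "prev": log[-1]["entry_hash"] if log else GENESIS}
    body["entry_hash"] = _digest(body)
    log.append(body)
    return body

def verify(evidence_dir, manifest, log):
    """Return a list of problems; an empty list means nothing has changed."""
    problems = []
    current = {e["path"]: e["sha256"] for e in build_manifest(evidence_dir)}
    recorded = {e["path"]: e["sha256"] for e in manifest}
    for p, digest in recorded.items():
        if current.get(p) != digest:
            problems.append(("modified: " if p in current else "missing: ") + p)
    problems += [f"unrecorded: {p}" for p in current if p not in recorded]
    prev = GENESIS
    for i, e in enumerate(log):
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if e["prev"] != prev or _digest(body) != e["entry_hash"]:
            problems.append(f"log entry {i} altered")
        prev = e["entry_hash"]
    return problems
```

Store the manifest and action log on separate write-protected media, and re-run `verify` before handing evidence to investigators.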