Data protection
A structured approach to ensuring data security and regulatory compliance

Section 10.3 of Mastercard’s Security Rules and Procedures, along with Visa’s data security guidelines, outlines merchant responsibilities regarding Account Data Compromise (ADC) events and potential ADC events.

Merchants must follow strict guidelines for detecting, reporting, investigating, and mitigating ADC events to maintain compliance with established security standards.

A potential ADC event occurs when:

  • cardholder account information is confirmed or suspected to be compromised due to unauthorized access, theft, or leakage
  • vulnerabilities or suspicious activity indicate the possibility of such an incident

Merchant responsibilities

Merchants must comply with the following key responsibilities to manage ADC events effectively.

Effective adherence to these guidelines ensures cardholder data security and protects merchants and customers from financial and reputational damage.

Detection and reporting

  • Monitor activity
    Continuously monitor systems for suspicious activity or potential threats to cardholder data.
  • Engage law enforcement
    If criminal activity is suspected, notify law enforcement agencies in accordance with local regulations.
  • Report incidents
    Report any confirmed or suspected ADC events to Solidgate, payment brands (Mastercard, Visa), and other relevant stakeholders.

Incident containment

  • Minimize impact
    Take immediate steps to contain the incident and prevent further exposure of cardholder data.
  • Engage forensic investigators
    • Mastercard requires engaging a PCI Forensic Investigator (PFI) within 72 hours.
    • Visa mandates contacting a Visa-approved forensic investigator as soon as a compromise is suspected, but no later than 5 days.
  • Provide updates
    Merchants must provide Mastercard and Visa with continuous updates on the incident, including potential sources, cause analysis, and suspected affected data.

Preventative measures

  • Ensure compliance
    Ensure full compliance with the Payment Card Industry Data Security Standard (PCI DSS); see the guide "Understanding PCI DSS compliance and secure payment integration".
  • Train employees
    Educate staff on security best practices and procedures for handling sensitive cardholder data.
  • Strengthen controls
    Use encryption, firewalls, and intrusion detection systems to protect cardholder data.

Time-specific procedures

  • Isolate systems
    Ensure compromised systems are isolated from the network to prevent further access.
  • Submit compromised data
    • Mastercard requires submitting affected Primary Account Numbers (PANs) within 72 hours.
    • Visa requires providing a list of compromised accounts immediately, and no later than 3 days.
  • Deliver final report
    A final forensic report must be submitted to Mastercard and Visa within 10 business days after the forensic investigation concludes.

Ongoing compliance and reporting

  • Coordinate with stakeholders
    Maintain open communication with issuers, acquirers, and law enforcement to enhance fraud prevention efforts.
  • Submit reports
    Submit weekly reports detailing the investigation status, remediation efforts, and corrective actions.
  • Implement remediation
    Develop and implement a remediation plan addressing vulnerabilities and security weaknesses identified in the forensic investigation.
  • Validate actions
    Ensure all corrective measures the PFI recommends are implemented and validated to prevent future ADC events.
