Damage Control. Data Breach … Now What?

Having your systems breached — and your customers’ payment data compromised — can create major administrative and public relations issues for your business. In the event that hackers find their way into your data system, you’ll need to take some immediate steps to minimize the impact.

First: Control what you can control. You can’t undo a breach that has already occurred, but you can prevent further loss and help investigators trace how it happened. The key is to preserve evidence, which in most cases means resisting the impulse to power everything off: shutting a machine down destroys volatile evidence such as memory contents, running processes and active network connections that investigators rely on.

In particular, consider these recommendations from Visa®:

  • Don’t log on to the compromised machine or alter any login details, such as passwords.
  • Leave the compromised machine turned on, but isolate it by unplugging the network cable or otherwise removing it from the network. If you run multiple machines on a wireless network, change the network name (SSID) on the wireless access point and reconnect the non-compromised machines that share the connection, so the compromised machine cannot rejoin.
  • Save all logs and electronic evidence of the breach to share with investigators.
  • Carefully note any actions your business has taken since the breach (e.g., how you isolated compromised machines).
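The third and fourth recommendations above, saving logs and recording what you did, benefit from a fixed routine so that nothing is altered and every step is timestamped. The script below is an added example, not part of the Visa guidance or the original article. It assumes the logs have already been exported to a log-collection host or forensic workstation (consistent with the first bullet: you do not log on to the compromised machine to run it), that GNU coreutils `sha256sum` is available, and that the file names are constructed for illustration. It copies the files with their original timestamps, makes the copies read-only, writes a SHA-256 manifest so investigators can prove the evidence was not changed in your custody, and appends a UTC-timestamped entry to an actions log.

```shell
#!/bin/sh
# Added example: preserve exported log files as evidence.
# Assumptions: GNU coreutils (sha256sum, cp -p, date -u); run on the
# log-collection host or forensic workstation, never on the compromised machine.

# preserve_evidence DEST FILE...
# Copies each FILE into DEST, preserving mtime, makes the copy read-only,
# records its SHA-256 in DEST/MANIFEST.sha256 and notes the action in
# DEST/ACTIONS.log. Returns non-zero only if DEST cannot be created.
preserve_evidence() {
    dest="$1"; shift
    mkdir -p "$dest" || return 1
    : > "$dest/MANIFEST.sha256"
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "skip: $f is not a regular file" >&2
            continue
        fi
        base=$(basename "$f")
        cp -p "$f" "$dest/$base"          # -p keeps the original timestamps
        chmod a-w "$dest/$base"           # copies are never edited afterwards
        # hash the copy by its bare name so the manifest verifies from inside DEST
        (cd "$dest" && sha256sum "$base" >> MANIFEST.sha256)
    done
    # Chain-of-custody note: who did what, when (UTC), to which files
    printf '%s %s preserved: %s -> %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${USER:-unknown}" "$*" "$dest" \
        >> "$dest/ACTIONS.log"
    return 0
}

# verify_evidence DEST
# Re-checks every file in DEST against the manifest; non-zero if anything changed.
verify_evidence() {
    (cd "$1" && sha256sum -c --quiet MANIFEST.sha256)
}

# Usage (constructed paths):
#   preserve_evidence /srv/evidence/case-001 /var/log/exported/pos-01/auth.log
#   verify_evidence /srv/evidence/case-001
```

Run `verify_evidence` again before handing the directory to investigators, and store `MANIFEST.sha256` separately (for example, printed or on write-once media) so the hashes themselves cannot be quietly replaced along with the files.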

Second: Contact the authorities. The U.S. Federal Trade Commission (FTC) recommends that you contact your local police department immediately if the compromise could result in harm to a person or business. If local law enforcement lacks the expertise to investigate the breach properly, contact the local office of the FBI or the U.S. Secret Service.

Third: Notify concerned parties. Of course, you’ll need to communicate with your merchant bank, credit card networks and any other financial institutions linked to the breached data. But you’ll also need to contact all customers who might have been affected.

Currently, 46 states, Washington D.C., Puerto Rico and the Virgin Islands have laws that require notification of individuals when a data breach exposes their personal information. Several states set specific notification deadlines, and noncompliance can bring substantial fines, so check the regulations of every state in which affected customers reside.

Fourth: Restore confidence. Restore confidence in your business by making it clear that you are taking the issue seriously. Communicate the measures that have been or will be taken to prevent similar issues from recurring.

Fifth: Harden the target. Make sure your business complies with at least the minimum requirements of the Payment Card Industry Data Security Standard (PCI DSS). Following these payment-industry practices makes your systems harder to break into, and encrypting stored card data (or replacing it with tokens that carry no value outside your payment processor) means that even data which is stolen is of little use to cyber-criminals.

If you have more questions about what to do in the event of a data breach, or are interested in tokenization and encryption solutions, please call PNC Merchant Services® customer service at 800-742-5030.


Important Legal Disclosures and Information

Visa is a registered trademark of Visa International Service Association and used under license.

Merchant Services provided by PNC Merchant Services Company and are subject to credit approval. PNC Merchant Services is a registered trademark of The PNC Financial Services Group, Inc.

This Merchant Business Insights e-Newsletter is designed to provide useful and practical information for merchants accepting card transactions. It is not intended to be legal, tax, accounting or financial advice, nor should it be substituted for a full and regular review of the Association Rules and any changes thereto. Internet sites provided in this e-Newsletter are provided as a convenience to our readers. While PNC Merchant Services endeavors to provide resources that are reputable and safe, we are not responsible for the information, products, or services obtained on such sites.