• Immediately, and no later than within twenty-four (24) hours, identify, contain, and mitigate the ADC Event or Potential ADC Event, secure Account data and preserve all information, in all media, concerning the ADC Event or Potential ADC Event, including:
  1. preserve and safeguard all potential evidence pertinent to a forensic examination of an ADC Event or Potential ADC Event using industry best practices;
  2. isolate compromised systems and media from the network using industry best practices;
  3. preserve all Intrusion Detection System and Intrusion Prevention System logs, and all firewall, Web, database, and event logs;
  4. document all incident response actions thoroughly; and
  5. refrain from restarting or rebooting any compromised or potentially compromised system or taking equivalent or other action that would have the effect of eliminating or destroying information that could potentially provide evidence of an ADC Event or Potential ADC Event.
• Within twenty-four (24) hours, and on an ongoing basis thereafter, submit to Mastercard all known or suspected facts concerning the ADC Event or Potential ADC Event, including, by way of example and not limitation, known or suspected facts as to the cause and source of the ADC Event or Potential ADC Event, to the satisfaction of Mastercard.
• Within twenty-four (24) hours and continuing throughout the investigation and thereafter, provide to Mastercard, in the required format, all primary account numbers (PANs) associated with Account data that were actually or potentially accessed or disclosed in connection with the ADC Event or Potential ADC Event and any additional information requested by Mastercard. As used herein, the obligation to obtain and provide PANs to Mastercard applies to any Mastercard or Maestro Account number in a bank identification number (BIN)/Issuer identification number (IIN) range assigned by Mastercard. This obligation applies regardless of how or why such PANs were received, processed, or stored, including, by way of example and not limitation, in connection with or relating to a credit, debit (signature- or PIN-based), proprietary, or any other kind of payment Transaction, incentive, or reward program.
• Within seventy-two (72) hours, engage the services of a Payment Card Industry Security Standards Council (PCI SSC) Forensic Investigator (PFI) to conduct an independent forensic investigation to assess the cause, scope, magnitude, duration, and effects of the ADC Event or Potential ADC Event. The PFI engaged to conduct the investigation must remain free of conflict of interest as defined in the PFI Program Guide. Prior to the commencement of such PFI’s investigation, the Customer must notify Mastercard of the proposed scope and nature of the investigation and obtain preliminary approval of such proposal by Mastercard or, if such preliminary approval is not obtained, of a modified proposal acceptable to Mastercard. Mastercard and the responsible Customer(s) may agree that a PFI’s investigation of, investigation findings, and recommendations concerning fewer than all of the Merchants (or other Agents) within the scope of the ADC Event or Potential ADC Event will be deemed to be representative of, and used for purposes of the application of the Standards as, the investigation findings and recommendations by the PFI with respect to all of the Merchants (or other Agents) within the scope of the ADC Event or Potential ADC Event.
• Within two (2) business days from the date on which the PFI was engaged, identify to Mastercard the engaged PFI and confirm that such PFI has commenced its investigation.
Account Data Compromise Events
10.3.1 Time-Specific Procedures for ADC Events and Potential ADC Events
© 1991–2024 Mastercard. Proprietary. All rights reserved.
Security Rules and Procedures—Merchant Edition • 6 February 2024
118