Communication Guidelines for PaymentVision Response to a Data Breach
Open, Honest and Transparent Prevention and Response:
PaymentVision® maintains an ongoing PCI DSS compliance program with regular assessments by certified security assessors. The PCI DSS is a security standard developed by the Payment Card Industry Security Standards Council to establish consistent data security measures and reduce payment card fraud. The standard is designed to help companies proactively protect cardholder data and includes requirements for security management, policies, procedures, software design, network architecture and other critical protective measures. No single formula can account for the many variations and circumstances involved in individual data breaches. Our approach is therefore to respond rapidly, assemble accurate information, and remain honest, open, transparent and accountable through timely communication with partners, their customers, and other affected audiences.
Detection, Investigation and Escalation:
PaymentVision® asks its partners and customers to provide immediate notice if there is reason to believe a data breach may have occurred. If a data breach is known or suspected, PaymentVision® and its affected originators and/or third-party service providers will promptly investigate to determine (i) whether a data breach has actually occurred, (ii) the scope of the data breach, including the type and amount of data affected, (iii) the risk that the affected data will be misused, and (iv) what steps are necessary to prevent further unauthorized access to the data.
Notification of Breach:
PaymentVision® will provide the following findings concerning the data breach incident:
- Probable cause(s) of the breach incident
- Approximate date or date range of the breach incident
- The extent of data exposed, including the type and amount of data affected
- Containment and remediation steps taken or in progress
- Other relevant findings, including any mitigating factors
Timeframe to Notify:
PaymentVision® will take appropriate steps to provide initial notice to partners, their customers and each affected data source as soon as reasonably possible. PaymentVision® need not wait for its investigation to be complete before providing initial notice, provided that sufficient information has been gathered (i) to conclude that a data breach likely occurred and that misuse of the data is reasonably possible and (ii) to allow recipients to take meaningful action in response to the notice. Notice may have to be limited or delayed if disclosure of the information to partners and their customers would impede an ongoing criminal investigation.
Policy Revisions and Updates:
It is PaymentVision's goal to maintain a best-practices approach to data security and to communication with its customers. This policy is not a legal contract and may be modified and updated by PaymentVision® in response to changes in law, industry practice, or established public policy.