What is an account data compromise (ADC)?

An ADC happens when an unauthorised person accesses card payment data in your business environment with the intention to commit fraud. Card payment data is any information about a credit or debit card such as the card number, cardholder PIN, expiry date, card verification code (three numbers on the back of the card) or cardholder name.

How can fraudsters gain access to my business?

Fraudsters will look for any vulnerability in your business environment to try and gain access to valuable information like card payment data. Common tactics include:

  • Terminal skimming. A device is placed on your payment terminal that reads the magnetic stripe on the back of the card and records this information.
  • Installing malware. This is software that can be used by fraudsters to lock you out of your systems and give them access and control over your information.
  • Phishing. Fraudsters may send you an email from a hacked account or a legitimate-looking email address to trick you into providing information or clicking on a link that contains malware.
  • Physical theft of paper-based information. This could include card numbers that have been written down while taking payments over the phone or any other sensitive information about your customers or business.

What can fraudsters do with card payment data?

Once fraudsters have access to card payment data, they usually sell it on the dark web to the highest bidder. The buyer can then use this stolen data to make purchases online or in store using a fake card. They may even resell these purchases for cash to avoid detection. Stolen data can circulate for months or even years on the dark web.

What types of businesses are likely to be targeted?

Every type and size of business that handles card payment data is at risk of an account data compromise. The less secure your business is, the more likely it is that you will become a target.

What will happen if my business suffers an ADC?

The Westpac PCI DSS compliance team will contact you if we suspect or have confirmation that your business has suffered an ADC. You may then be asked to temporarily disable your payment acceptance method and pay for an investigation if required.

If the investigation finds that your business is non-compliant with PCI DSS requirements, you could face penalties levied by the card schemes, suffer reputational damage for not protecting your customers' data and risk losing your payment facility.

How to help prevent an ADC.

Find out steps you can take to protect your payment environment when you're accepting cards in store, online, over the phone or through a recurring payment facility.

What should I do if my business has been compromised?

Steps for merchants to follow if they experience an Account Data Compromise

Get help with preventing & responding to an ADC.

Contact your Westpac Relationship Manager or email the PCI DSS compliance team at PCI.DSS.Compliance@westpac.co.nz. You can also call the Westpac Merchant Assist team on 0800 888 066, option 4, weekdays 8:30am - 5pm.

Things you should know.

The information on this page is intended as a guide only. We make no warranty or representation, express or implied, regarding the accuracy of any information, statement or advice contained on this page. We recommend you seek independent advice before acting or relying on any of the information on this page. All opinions, statements and analysis expressed are based on information current at the time of writing from sources which Westpac believes to be authentic and reliable. Westpac issues no invitation to anyone to rely on this material.
