A card data breach is not just a technical incident: it activates notification obligations under GDPR, forensic investigation procedures under PCI DSS, and chargeback management processes with the acquirer. The GDPR data breach notification must occur within 72 hours, while PCI DSS data breach fines can reach significant figures before the investigation is even concluded. This article describes the concrete sequence of events following a breach.
What happens in the first 72 hours after a payment breach
The first 72 hours after discovering a breach are the most critical. Under GDPR, the data controller must notify the supervisory authority (in most EU countries, the data protection authority) within this timeframe, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. For card data, this condition is rarely met: the risk of fraud is concrete and immediate.
In parallel, the acquirer must be notified following PCI DSS procedures. Requirement 12.10.1 of the standard requires every organisation to have a documented and tested incident response plan. If the plan does not exist or has not been tested, breach management becomes chaotic, notification timelines lengthen, and the risk of additional penalties increases. At this stage, many organisations also involve the card network brands (Visa, Mastercard), which have their own contractual notification obligations.
Mandatory notifications: GDPR, PCI DSS and acquirer
The post-breach notification system is layered across multiple levels. GDPR requires notification to the supervisory authority within 72 hours and, if the risk to data subjects is high, direct communication to the individuals affected. PCI DSS requires notification to the acquirer and the card network brands, which initiate their own forensic investigations. The acquirer may, in turn, temporarily block the merchant's payments pending the conclusion of the investigation.
Networks like Visa and Mastercard have specific breach management programmes (Visa Account Information Security, Mastercard Site Data Protection) that provide for penalties separate from PCI penalties. Card network penalties are often the most immediate: they can range from €5,000 per month to hundreds of thousands of euros, and they come on top of any supervisory authority fines (up to 4% of global annual turnover for the most serious GDPR violations).
The real costs of a breach: forensics, chargebacks and penalties
The cost of a PCI data breach goes well beyond formal penalties. The mandatory forensic investigation, conducted by a certified QSA or PFI (PCI Forensic Investigator), typically costs between €30,000 and €100,000 for a medium-sized merchant, and the merchant is required to pay even when the investigation shows the breach was limited. Added to these are the costs of replacing compromised cards (borne by the merchant in the most serious cases), chargebacks on fraudulent transactions, and legal costs.
On the operational front, the acquirer may impose an increased reserve rate (a percentage of transactions held back as a guarantee) or, in the most serious cases, revocation of the ability to accept cards. Reputational damage is difficult to quantify but can be the highest cost for B2C companies. According to Ponemon Institute estimates, the average cost of a breach involving payment data exceeds €150 per compromised record, including response, notification and customer loss costs.
Frequently asked questions
By when must I notify the supervisory authority in the event of a breach?
GDPR requires notification within 72 hours of discovering the breach, not from the moment the breach occurred. If the discovery happens on a Friday evening, the deadline expires Monday morning. The notification must include the nature of the breach, the categories of data involved, the approximate number of data subjects, the measures taken, and those planned to mitigate the damage.
Who pays forensic costs after a PCI breach?
The costs of a PCI forensic investigation are borne by the merchant under the standard contract with the acquirer. Even if the breach was caused by a vulnerability in a third-party supplier, the merchant remains primarily responsible to the acquirer. Cyber insurance policies exist that cover these costs, but they require the merchant to demonstrate a minimum level of PCI compliance at the time of the breach.
Does tokenization reduce the impact of a breach?
Significantly. If the merchant's systems do not store PANs but only tokens, a breach does not expose card data usable for fraud. The token has no commercial value outside the system that issued it. In these cases, the forensic investigation can conclude that no card data was compromised, with a drastically reduced impact on penalties, chargebacks and card replacement obligations.
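As an added illustration (not code from the original article or from PCI Proxy), the following Python sketch models a tokenization vault beside a merchant data store and runs a simple Luhn-based cardholder-data discovery check, the kind a forensic investigator would use, over a simulated dump of the merchant database. The vault class, the test PANs and the token format are constructed assumptions; the point it shows is that a dump of a token-only store yields no usable card numbers.

```python
import re
import secrets

# Constructed sample PANs: standard test-card numbers, not real accounts.
SAMPLE_PANS = ["4111111111111111", "5555555555554444"]

def luhn_valid(digits: str) -> bool:
    """Luhn check: separates PAN-like numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_pans(blob: str) -> list[str]:
    """Cardholder-data discovery: 13-19 digit runs that pass Luhn."""
    return [m for m in re.findall(r"\b\d{13,19}\b", blob) if luhn_valid(m)]

class TokenVault:
    """Stands in for the external tokenization service: the only place
    the token -> PAN mapping exists. The merchant never holds it."""
    def __init__(self):
        self._map = {}

    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(12)  # random, unrelated to the PAN
        self._map[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._map[token]

def merchant_record(vault: TokenVault, pan: str, amount: str) -> dict:
    """What the merchant persists: token plus non-sensitive display data."""
    return {"token": vault.tokenize(pan), "last4": pan[-4:], "amount": amount}

def breach_dump(records: list[dict]) -> str:
    """Simulate an attacker exfiltrating the merchant database as text."""
    return "\n".join(str(r) for r in records)

if __name__ == "__main__":
    vault = TokenVault()
    records = [merchant_record(vault, p, "19.99") for p in SAMPLE_PANS]
    print("PANs recoverable from tokenized store:", find_pans(breach_dump(records)))
    print("PANs recoverable from a raw-PAN store:", find_pans("\n".join(SAMPLE_PANS)))
```

Run it to compare the two dumps: the raw-PAN store surrenders both card numbers, while the tokenized store surrenders none, which is exactly the finding that lets the forensic report conclude no card data was compromised.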
With zero PANs in your system, a breach does not become a PCI breach. Find out how tokenization reduces the impact to zero. Discover PCI Proxy EU.