This report should be completed by Business Affairs if an information security breach occurs and customer card data may have been disclosed. It must be completed within three business days, and provided to the Office of the State Treasurer. OST will forward it to U.S. Bank/NOVA. Visa and U.S. Bank/NOVA will determine and notify the agency and OST if an independent forensic investigation, compliance questionnaire, and vulnerability scan are required.

Actions Taken:


Actions Pending:

Contact Information:

Merchant Name:


Merchant ID #:

Date of Incident:

Bank Use Only:



What is the transaction date range associated with the compromise accounts?

What credit card data was compromised?

Was your system storing track 1 or track 2 data?

Was your system storing CVV/CVC 2 data?

How many credit cards were involved?

Was law enforcement notified, and if so, which department/agency?

What steps have been taken to remediate the risk/vulnerabilities?

How did the compromise occur?

What are the compromised systems?

Has all possible evidence been preserved?

What software and what version are you running?

Are you PCI Compliant?