Card Fraud Incident Runbook
Severity classification and response steps for confirmed or suspected card fraud incidents.
Purpose
This runbook defines how Fraud Investigations classifies and responds to confirmed or suspected card fraud, from a single compromised card to a large-scale skimming or data-breach event.
Severity classification
Incidents are triaged into one of four severities on intake, which determines response speed and who must be notified.
| Severity | Definition | Card-blocking SLA | Notification |
|---|---|---|---|
| Sev1 | Confirmed compromise affecting 500+ cards or a core system | Immediate (< 15 minutes) | CISO, Executive Committee |
| Sev2 | Confirmed fraud ring or merchant-level breach | < 1 hour | Fraud Investigations lead, Card Security & Compliance |
| Sev3 | Individual confirmed fraud case | < 4 hours | Fraud Investigations queue |
| Sev4 | Suspected anomaly pending review | Next business day | Fraud Investigations queue |
Containment
Once fraud is confirmed, the affected card is blocked and a replacement is issued automatically. For Sev1 and Sev2 incidents, the merchant terminal or channel implicated in the compromise is suspended pending investigation.
Customer notification
Affected customers are notified within 24 hours of containment for Sev1–Sev2 incidents, describing the action taken and any reimbursement timeline. Sev3–Sev4 customers are notified when their individual case is resolved.
Law enforcement referral
Sev1 and Sev2 incidents, and any Sev3 case exceeding €10,000 in confirmed loss, are referred to law enforcement and the relevant financial-crime reporting authority within statutory deadlines.