RunbookFraud Investigations

Card Fraud Incident Runbook

Severity classification and response steps for confirmed or suspected card fraud incidents.

v1.3effective 2025-08-18

Purpose

This runbook defines how Fraud Investigations classifies and responds to confirmed or suspected card fraud, from a single compromised card to a large-scale skimming or data-breach event.

Severity classification

Incidents are triaged into one of four severities on intake, which determines response speed and who must be notified.

SeverityDefinitionCard-blocking SLANotification
Sev1Confirmed compromise affecting 500+ cards or a core systemImmediate (< 15 minutes)CISO, Executive Committee
Sev2Confirmed fraud ring or merchant-level breach< 1 hourFraud Investigations lead, Card Security & Compliance
Sev3Individual confirmed fraud case< 4 hoursFraud Investigations queue
Sev4Suspected anomaly pending reviewNext business dayFraud Investigations queue

Containment

Once fraud is confirmed, the affected card is blocked and a replacement is issued automatically. For Sev1 and Sev2 incidents, the merchant terminal or channel implicated in the compromise is suspended pending investigation.

Customer notification

Affected customers are notified within 24 hours of containment for Sev1–Sev2 incidents, describing the action taken and any reimbursement timeline. Sev3–Sev4 customers are notified when their individual case is resolved.

Law enforcement referral

Sev1 and Sev2 incidents, and any Sev3 case exceeding €10,000 in confirmed loss, are referred to law enforcement and the relevant financial-crime reporting authority within statutory deadlines.