Data Security Operating Policy (DSOP) Update 

Our Data Security Operating Policy (DSOP) now includes a new incident response process. Please review the DSOP updates and update your incident response plans and related policies accordingly.  

New Changes: What to do if compromised 

Customer must notify Phillips 66 immediately, and in no case later than twenty-four (24) hours, and confirm in writing within three (3) calendar days if the Customer or Customer’s Covered Parties have reason to believe or suspect that Cardholder data or systems used to store, process, or transmit cardholder data have been accessed or used without authorization or not in compliance with this Phillips 66 DSOP. 

New: To notify Phillips 66, call 1-918-977-7612 (TF: 1-855-709-5760) or email lscert@p66.com and ask for the LinkSafe Cyber Emergency Response Team.

  • Comply with merchant banks and all processed card terms, regulations, and other payment brand mandates and timelines. Within five (5) days following the discovery of a Data Incident impacting the payment card environment, associated systems, and data, Customer must engage and/or permit Phillips 66 or its designee to perform an investigation of the incident at the Customer’s expense. Customer shall provide (and obtain any waivers where necessary to provide) to Phillips 66 and the PCI Forensic Investigator (PFI), or other forensic firm of Phillips 66’s choosing, on request, full cooperation and access to conduct a thorough investigation of such incident, including providing access to any data or systems impacted by the Incident.
  • The unedited forensic investigation report must be provided to Phillips 66 within five (5) business days of its completion. 
  • Phillips 66, Card Brands, or payment methods, in their sole discretion, might separately engage a PFI to investigate any Data Incident and may charge the cost of such investigation to the Phillips 66 Customer. 

Please visit Phillips 66 Gateway to review the Data Security Operating Policy. 
