The scenario
Families report unauthorized charges on the cards they have on file in the school lunch portal. The vendor confirms a 'security event'.
First 60 minutes
- Pull the vendor's incident disclosure and timeline in writing — date of compromise, scope, data classes.
- Disable any pass-through integrations from your SIS to the payment vendor if they share student PII.
- Notify families using the dedicated payment-vendor breach template (see parent-communication playbook).
- Contact your acquiring bank if the district holds any merchant relationship (some districts do).
- Document the vendor's response for the next procurement renewal.
Decisions to make
Data scope
- — Payment-card data only: route to PCI-DSS-aware vendor process.
- — Student PII (name, school, lunch-status) in addition: notify under state student-data law.
Who to call
- Payment vendor incident response
- State breach-notification regulator
- Card-brand fraud monitoring if district-issued cards
FAQ