Experience and statistics show us that the unlikely happens: we don’t know when, we don’t know how, but we know it will occur. So management should be more concerned with being prepared to face an incident than with being secure.
"I’m compliant so I don’t care."
The above principle has never been so true as in the context of PCI, where compliance doesn’t really shelter organizations from compromises, and therefore from penalties.
Achieving PCI compliance is a long, costly and tedious journey to the promised land of immunity from penalties. To avoid or minimize penalties, compromised companies must prove that they did everything they could to prevent, detect, report and follow up on an incident in accordance with the “rules”.
Payment Brands have stringent rules and fines related to incident reporting.
For instance, VISA requires its members (banks) to immediately report suspected or confirmed losses or theft of any transaction data. Members failing to do so are subject to a $100,000 fine per incident, plus $50,000 for any merchant or service provider that is not compliant at the time of the incident.
As a merchant or service provider what do I have to do?
Upon occurrence of a security breach and/or suspicion of compromised card data, an overwhelming sense of panic could paralyze any individual responsible for security and/or compliance. The fear of responsibilities and business impacts, in terms of penalties and reputation, could unsettle more than one person. As mentioned above, compliance status at the time of the incident would not be sufficient to keep you sheltered from these fears. You have to act rapidly and according to the procedures. In this domain, as PCI DSS requirement 12.9 indicates, preparation is key.
Req 12.9 of the PCI bible (PCI DSS) requires merchants and service providers to be prepared to respond immediately to a breach.
What are the procedures?
It's important to note that the payment brand reporting procedures and associated fines apply to members (banks), not to merchants and service providers. Unfortunately there are no publicly available rules applicable to merchants and service providers in case of compromise. So the first piece of advice would be to liaise with your bank to determine what these procedures and associated milestones are, as well as any specific reporting templates. Different procedures and report templates could be required for different payment brands. Act right now and don’t wait for a compromise. You will not have the time.
Such procedures could include the following parts:
Contain, limit the exposure, and monitor.
- Do not access or alter compromised system(s). Do not turn the compromised system(s) off. Instead, isolate compromised system(s) from the network.
- Preserve evidence and logs.
- Document all actions taken.
- Be on high alert and monitor traffic on all systems with cardholder data.
Alert all necessary parties immediately
- Internal incident response team
- Your Bank (PCI contact)
- Law enforcement agency
Make an inventory of compromised data
Make an inventory of potentially compromised data and report it to your bank.
Perform Initial investigation and deliver breach report
Perform an initial investigation and provide a breach report to your bank. This report must help them understand the breach vectors and potential extent of the compromise as well as the actions taken to contain and limit exposure. For this investigation merchants could use their own internal resources or the services of a consulting company.
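The “preserve evidence and logs” and “document all actions taken” steps above are where a panicked team most often loses the proof it later needs. The following is an added example, not code from the original post or from any payment brand: it hashes every file copied into an evidence directory, keeps an append-only action log, and re-verifies the hashes so that an edited or missing log is detected before the breach report goes to the bank. The directory layout, the sample log lines and the host names are constructed for the example.

```python
"""Evidence-preservation helper for a suspected cardholder-data compromise.

Added example, not from the original post. Assumption: log files are copied
(never edited in place) into an evidence directory, then hashed so the bank
or a forensic investigator can confirm they are unchanged since collection.
"""
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file in chunks so large logs need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir: Path) -> list[dict]:
    """Record name, size, SHA-256 and a UTC timestamp for every preserved file."""
    manifest = []
    for p in sorted(evidence_dir.rglob("*")):
        if p.is_file():
            manifest.append({
                "file": str(p.relative_to(evidence_dir)),
                "size": p.stat().st_size,
                "sha256": sha256_file(p),
                "collected_at": datetime.now(timezone.utc).isoformat(),
            })
    return manifest


def verify_manifest(evidence_dir: Path, manifest: list[dict]) -> list[str]:
    """Return the files that are missing or whose hash no longer matches."""
    bad = []
    for entry in manifest:
        p = evidence_dir / entry["file"]
        if not p.is_file() or sha256_file(p) != entry["sha256"]:
            bad.append(entry["file"])
    return bad


class ActionLog:
    """Append-only record of who did what, and when, during the response."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def record(self, who: str, action: str) -> dict:
        entry = {"at": datetime.now(timezone.utc).isoformat(),
                 "who": who, "action": action}
        self.entries.append(entry)
        return entry


def demo() -> dict:
    """Run the workflow on constructed sample logs in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp)
        # Constructed sample data; not real transaction or firewall logs.
        (evidence / "pos-01.log").write_text(
            "2024-01-01T10:00:00Z pos-01 card swipe ok txn=0001\n"
            "2024-01-01T10:05:00Z pos-01 outbound connection to unknown host\n"
        )
        (evidence / "fw.log").write_text(
            "2024-01-01T10:05:01Z fw allow pos-01 -> 203.0.113.5:443\n"
        )
        log = ActionLog()
        log.record("ops-oncall",
                   "isolated pos-01 at the switch port; host left powered on")
        manifest = build_manifest(evidence)
        log.record("ops-oncall", f"hashed {len(manifest)} evidence files")
        clean = verify_manifest(evidence, manifest)
        # Simulate someone editing a preserved log after collection.
        with (evidence / "pos-01.log").open("a") as fh:
            fh.write("edited after collection\n")
        tampered = verify_manifest(evidence, manifest)
        return {"files": len(manifest), "clean": clean,
                "tampered": tampered, "actions": len(log.entries)}


if __name__ == "__main__":
    print(demo())
```

The manifest and the action log are what you hand to the bank or the PFI alongside the breach report; the re-verification is the check that nobody “tidied up” a log between collection and hand-over. Keep the manifest itself somewhere the compromised systems cannot reach, otherwise the hashes prove nothing.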
Is it mandatory to use a PFI (PCI Forensic Investigator)?
When deemed necessary by the payment brands, an independent forensic investigation could be required. In this case the compromised organization must engage a PFI company from this list and bear the cost. The role of such a company is to investigate the case and establish the level of responsibility of the compromised entity.
- Have you already been through such an "after compromise" process?
- If yes, what would you recommend to the community?