The Payment Card Industry Security Standards Council (PCI SSC) released guidance for merchants and service providers to help in preparing to respond to an incident and engaging a Payment Card Industry Forensic Investigator (PFI). To find a list of pre-approved PFIs, visit the PCI SSC website.
Join the next ePlace Solutions webinar: PCI Readiness – Solidifying PCI Scope of Compliance Risk, to gain a better understanding of the PCI DSS requirements and how to best prepare for compliance. The webinar is October 28th at 10:30 AM PT / 1:30 PM ET, free of charge.
Preparing for the Worst
The PCI SSC recommends that organizations prepare for the worst when it comes to incident management. The guidance provides five key points to address when putting together an incident management program.
1. Implement an Incident Response Plan
The retail industry has seen a plethora of cardholder data breaches in recent years. Organizations need to be prepared for what seems to be the inevitable data breach. An Incident Response Plan is a crucial step in preparing for an incident.
PCI DSS provides guidance in Requirement 12.10: Implement an incident response plan. Be prepared to respond immediately to a system breach.
According to PCI DSS, an effective incident response plan should include:
- Roles, responsibilities, and communication strategies in the event of a compromise (e.g. notifying payment brands of an incident)
- Specific incident response procedures
- Business recovery and continuity procedures
- Data backup processes
- Analysis of legal requirements for reporting an incident
2. Limit Data Exposure
When responding to a security incident, too often organizations impulsively shut down the infected systems and destroy the evidence that existed. Simply turning off a system can delete key evidence needed by the investigation (memory contents, active network connections, running processes), and can tip off the attackers that they have been detected.
Minimizing data loss while simultaneously preserving evidence is essential. The incident response team should ensure they have the capability to isolate an infected system without turning it off. This keeps the attackers away from other potentially sensitive areas of the network and allows the forensics team to investigate the situation.
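The "contain without powering off" step above is the one technical procedure in this list, so here is an added example of what it can look like on a Linux host. This is illustrative code written for this article; it is not part of the PCI SSC guidance and not an ePlace Solutions tool. It assumes iptables is installed, that the responder runs it as root, and that a single forensic workstation IP (passed as an argument) is the only system that should still reach the host. The script first snapshots the volatile state a shutdown would destroy, then generates and applies a rule set that drops everything except loopback and SSH from that workstation, logging the blocked attempts so the investigator can see where the host was trying to talk.

```shell
#!/bin/sh
# Added example: isolate a suspected-compromised Linux host from the network
# without shutting it down, preserving volatile evidence first.
# Assumptions (hypothetical): iptables is available, the script runs as root,
# and the forensic workstation's IPv4 address is passed on the command line.

# Snapshot volatile state (connections, processes, logins) that would be lost
# on power-off. Each tool is optional; missing or failing tools are recorded,
# not fatal, so the collection never blocks containment.
collect_volatile() {
  outdir="$1"
  mkdir -p "$outdir"
  date -u +%Y-%m-%dT%H:%M:%SZ > "$outdir/collected_at.txt"
  for cmd in "ss -tunap" "ps -eo pid,ppid,user,lstart,cmd" "who" "uptime"; do
    name=$(echo "$cmd" | cut -d' ' -f1)
    if command -v "$name" >/dev/null 2>&1; then
      $cmd > "$outdir/$name.txt" 2>&1 || echo "$name exited $?" >> "$outdir/errors.txt"
    else
      echo "$name not available" >> "$outdir/missing_tools.txt"
    fi
  done
}

# Sanity-check the workstation address so a typo does not lock out everyone.
valid_ipv4() {
  ip="$1"
  oldifs=$IFS; IFS=.
  set -- $ip
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Emit the rule set as text so it can be reviewed (or logged) before it is
# applied. Order matters: existing rules are flushed and the allow rules are
# added while the default policy is still permissive, then the policy flips
# to DROP, so the responder's SSH session is never cut off.
# Blocked traffic is logged (rate-limited) because the host's outbound
# attempts after isolation are themselves evidence of attacker infrastructure.
build_isolation_rules() {
  forensic_ip="$1"
  cat <<EOF
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -s $forensic_ip -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d $forensic_ip -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "ISOLATED-DROP-IN "
iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "ISOLATED-DROP-OUT "
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
EOF
}

# Collect, then apply. Refuses to run unless the address is sane and the
# caller is root; the generated rules are executed with sh -e so a failing
# iptables call stops the sequence rather than leaving a half-applied set.
apply_isolation() {
  forensic_ip="$1"
  evidence_dir="${2:-/var/tmp/ir-$(date -u +%Y%m%d%H%M%S)}"
  valid_ipv4 "$forensic_ip" || { echo "invalid forensic IP: $forensic_ip" >&2; return 1; }
  [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
  collect_volatile "$evidence_dir"
  build_isolation_rules "$forensic_ip" | sh -e
  echo "host isolated; volatile evidence in $evidence_dir"
}

# Usage: sh isolate.sh --apply <forensic-workstation-ip> [evidence-dir]
if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
  apply_isolation "$2" "${3:-}"
fi
```

Two design points worth noting. The OUTPUT policy of DROP also cuts the host off from its log collector or EDR server; if the investigation relies on those, add an explicit `-d <collector-ip>` allow rule before the policy lines rather than leaving OUTPUT open. And a host-based rule set is only one containment option: a switch port ACL or VLAN move achieves the same result without touching the compromised system at all, which is preferable when the attacker may already have root.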
3. Notify Business Partners
An effective response to a security incident involves notifying the proper parties. Organizations should have a communications strategy that contains all parties and contact information that is necessary in the event of a security incident. Potential parties might include payment card brands, merchant banks, or other entities that require notification by contract or law.
4. Manage Third-Party Contracts
Third parties represent a security concern for many organizations. Oftentimes third parties have access to an organization’s network and systems for business operations. However, the protection of data and information ultimately falls on the data controller.
Having contract language that addresses the vendor’s data security policies and procedures, as well as their incident response management, is a key component of preparing for an incident. As the data controller, provisions that keep the third party accountable are essential to ensuring the best protection of data and information.
5. Identify a PFI
Organizations should identify and establish a relationship with a PFI before an incident occurs. PFIs will often offer their services on retainer so the relationship exists and they are only a phone call away when you need them.
When engaging with a PFI, it’s important to understand their role in the incident management process. There are several things to consider when performing due diligence on potential PFIs for the organization.
PFIs are required to be independent of the organization they are investigating. There should be no other existing relationships with the PFI. The organization’s Qualified Security Assessor is not allowed to conduct the investigation. In addition, other third-parties representing the organization, like a public relations consultant, should not be interfering with the investigation. PFIs’ investigations must be completely independent.
The purpose of the PFI is to investigate the root cause and scope of the intrusion. PFIs will compile their findings into two reports: a PFI Preliminary Incident Response Report and a PFI Final Incident Response Report. It’s important to realize that the investigation and reports are not PCI DSS assessments and will not determine compliance with PCI DSS.