A security event involving payment card data, especially card-present data, can be one of the most costly events a company may face. Not only did a recent study report the average total cost of a data breach as $3.8 million, but large payment card incidents such as those that occurred at Target and Home Depot involve hundreds of millions of dollars. To assist merchants and service providers in preparing for and responding to a potential data compromise, the Payment Card Industry (PCI) Security Standards Council recently published new guidance, titled “Responding to a Data Breach: A How-to Guide for Incident Management.” The guidance was developed with a focus on how a business can prepare for an incident and effectively work with a Payment Card Industry Forensic Investigator (PFI), an independent investigator that a business may be required by its acquirer or the card brands to engage following a suspected data compromise. The PCI Security Standards Council publishes a list of approved PFI companies.
The guidance focuses specifically on what a business can do to prepare for an incident and immediate steps a business should take in response to an incident in order to facilitate a thorough and effective investigation by a PFI. The specific recommendations are:
- Implement an Incident Response Plan. This is a requirement of PCI DSS 12.10 (an incident response plan must be “thorough, properly disseminated, read, and understood by the parties responsible” and a business must perform proper testing of the plan at least annually). Preparation for a data breach helps a business respond quickly to a compromise to limit exposure, assess what information may have been exposed, and determine a course of action. In particular, development of an incident response plan and practicing its execution can help a company become “compromise ready” in the event of an incident.
- Limit Data Exposure
- Notify Business Partners
- Manage Third-Party Contracts
- Identify a PFI
Working With a PFI Following an Incident
Following a security compromise involving payment card information, the card brands frequently require that the business retain a PFI to complete an independent investigation of the incident. The specific direction of a PFI investigation will depend on the nature of the compromise and the scope of information involved. However, the guidance sets forth some important steps in working with a PFI, including:
- Preserving and documenting evidence. In order to ensure that evidence is preserved for the PFI investigator to complete his or her investigation, a business must not access, alter, or turn off the compromised system. In addition, a business should take steps to preserve logs and document actions taken in relation to the incident.
- Ensuring PFI access to essential physical facilities and the appropriate employees for PFI investigation and remediation efforts.
- Documenting actions taken, including dates and individuals involved.
These steps are designed to assist a PFI in identifying the cause of the incident and any containment measures that should be taken.
The guidance, under the heading of “What to Expect from Your PFI After a Data Breach,” also covers some practical questions that merchants going through this process for the first time often have as well as actions that are disfavored by the card networks, including:
- If the merchant’s QSA is also a PFI, the merchant cannot select that company to conduct the PFI investigation;
- Warnings to not allow legal counsel or non-PFI investigators to “interfere” with the PFI’s investigation;
- Why PFIs often find areas of non-compliance with PCI DSS even though the merchant’s QSA previously validated the merchant as compliant; and
- What kind of reports a PFI completes.