The PCI Security Standards Council (PCI-SSC) has released new guidance on its website advising merchants how to deal with a data breach. The guidance particularly details when a PCI Forensic Investigator (PFI) will be required, and provides tips on making the PFI process go smoothly.
The PCI-SSC states that “preparing for the worst is the best defense” by having an incident response plan. In addition, PCI-SSC advises limiting data exposure by isolating affected systems without turning them off, notifying necessary business partners (such as the payment brands and merchant banks) immediately and managing third-party contracts by ensuring that those contracts sufficiently address incident response management.
The bulk of the document provides information on engaging and working with PFIs. First, PCI-SSC recommends identifying a PFI that meets applicable independence requirements in advance. When an incident occurs, PCI-SSC emphasizes that the PFI investigation must be independent, and that other forensic investigators (i.e., non-PFIs) and other outside consultants (legal counsel, etc.) hired by or representing the company must not interfere with the PFI’s investigation. Though they are nominally independent, from a practical standpoint, PFIs often are adverse to the entities they are investigating because they act at the behest of the payment brands. This can create tension between the breached entity and the PFI that requires experience to navigate.
PCI-SSC also provides specific guidance on evidence preservation following a breach. The guidance recommends against logging into compromised systems, changing passwords or turning compromised systems off, but does recommend disconnecting such systems from the Internet. The distinction matters: network isolation stops ongoing exfiltration, whereas logging in, resetting credentials or powering down alters or destroys volatile evidence (active sessions, running processes, memory contents) that the investigator will need. In addition, compromised entities should document all actions taken and preserve security event, web, database and firewall logs, among other evidence.
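As an added illustration of the "document all actions taken and preserve logs" step (this is example code, not part of the PCI-SSC guidance or of this post), the script below records a hashed manifest of collected log files and later checks that the preserved copies still match it. It assumes the logs have already been copied off the affected environment, for instance from a central syslog/SIEM collector or a read-only forensic image, so nothing here is run on a compromised host. The file names, log lines and collector identity are constructed for the demonstration.

```python
"""Evidence-preservation manifest for collected log files.

Added example, not code from the PCI-SSC guidance or the post above. It
assumes the logs were already copied from a central collector or a read-only
image, so the script never touches a compromised system. Sample files, log
lines and the collector identity below are constructed for illustration.
"""
import hashlib
import json
import tempfile
import time
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB pieces so large logs need not fit in memory


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 of a file's contents."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir: Path, collector: str) -> dict:
    """Record who collected what, when, and the hash of every preserved file.

    This manifest is the written record of the collection step; the hashes
    let anyone later prove the preserved copies are unchanged.
    """
    stamp = lambda t: time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(t))
    files = []
    for p in sorted(evidence_dir.rglob("*")):
        if p.is_file():
            st = p.stat()
            files.append({
                "path": str(p.relative_to(evidence_dir)),
                "size": st.st_size,
                "mtime_utc": stamp(st.st_mtime),
                "sha256": sha256_file(p),
            })
    return {"collector": collector, "collected_utc": stamp(time.time()), "files": files}


def verify_manifest(evidence_dir: Path, manifest: dict) -> list:
    """Return problems found (missing, unexpected or modified files); [] means intact."""
    recorded = {e["path"]: e["sha256"] for e in manifest["files"]}
    present = {str(p.relative_to(evidence_dir))
               for p in evidence_dir.rglob("*") if p.is_file()}
    problems = [f"missing: {rel}" for rel in sorted(recorded.keys() - present)]
    problems += [f"unexpected: {rel}" for rel in sorted(present - recorded.keys())]
    for rel in sorted(recorded.keys() & present):
        if sha256_file(evidence_dir / rel) != recorded[rel]:
            problems.append(f"modified: {rel}")
    return problems


def demo() -> dict:
    """Constructed walk-through: collect two log files, then detect a later change."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        evidence = root / "evidence"
        evidence.mkdir()
        # Constructed sample log lines (documentation-range addresses, not real traffic).
        (evidence / "web_access.log").write_text(
            '198.51.100.7 - - [01/Oct/2015:10:15:02 +0000] "POST /checkout HTTP/1.1" 200 512\n')
        (evidence / "firewall.log").write_text(
            "2015-10-01T10:15:03Z DENY tcp 198.51.100.7:44321 -> 10.0.0.5:3306\n")

        manifest = build_manifest(evidence, collector="ir-analyst@example.com")  # constructed
        (root / "manifest.json").write_text(json.dumps(manifest, indent=2))
        clean = verify_manifest(evidence, manifest)

        # Someone later appends to a preserved file (for example a rotation script
        # run against the wrong directory); the manifest exposes the change.
        with (evidence / "firewall.log").open("a") as fh:
            fh.write("2015-10-01T10:16:00Z ALLOW tcp 10.0.0.9:50000 -> 10.0.0.5:3306\n")
        tampered = verify_manifest(evidence, manifest)

        return {"files": [e["path"] for e in manifest["files"]],
                "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    result = demo()
    print("preserved:", result["files"])
    print("check after collection:", result["clean"])
    print("check after alteration:", result["tampered"])
```

The manifest itself should be stored separately from the evidence (and ideally signed or printed into the case notes), since a copy sitting next to the files it describes can be altered together with them.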
The payment card industry hopes to reduce credit card fraud by rolling out EMV-compliant (chip) cards. On October 1, 2015, liability for counterfeit card-present fraud shifted to the party that had not adopted EMV: the merchant, if its terminal could not process a chip card presented to it, or the issuer, if it had not issued one. However, it may be some time before every merchant installs terminals that accept the smart chips embedded in EMV-compliant credit and debit cards and every issuer replaces its payment cards with EMV-compliant versions. EMV also does nothing to stop card-not-present fraud or the theft of cardholder data from merchant systems, and the new guidance published by PCI-SSC acknowledges that payment card-related data breaches are not yet in the past.