On September 29, 2015, the PCI Security Standards Council (PCI SSC) issued guidance regarding data breach responses for merchants and service providers who process payment cards. The PCI SSC is a global forum founded by the card brands (American Express, Discover, JCB, MasterCard, and Visa), and it is responsible for the development and management of the data security standards (i.e., the PCI DSS and PA-DSS standards) required by the card brands’ security programs. The new guidance includes the PCI SSC’s recommendations on: (i) how to prepare in advance of an incident to reduce risks and costs; and (ii) engaging and working with a Payment Card Industry Forensic Investigator (PFI) following a cardholder data breach.
The payment card industry continues to take steps intended to reduce credit card fraud and data security incidents, as evidenced by the roll-out of EMV-compliant cards and the October 1, 2015, shift in liability for card-present fraud to whichever party is the least EMV-compliant in a fraudulent transaction. By issuing this guidance, the PCI SSC illustrated how the payment card industry will continue to seek effective means for minimizing overall security shortcomings, in addition to allocating risk in the event of breaches.
Data Breach Preparation
The PCI SSC guidance lays out five basic steps that merchants and service providers should take to “prepare for the worst”:
- Implementing an Incident Response Plan. The PCI SSC explains that the development and implementation of management controls for responding to incidents are critical steps to reducing exposure following a data breach. PCI DSS Requirement 12.10 requires the implementation of an incident response plan by all organizations processing payment cards, and it is critical, in the PCI SSC’s view, that this plan be “thorough, properly disseminated, read, and understood by the parties responsible,” with appropriate testing procedures in place to ensure that the plan works.
- Limiting Data Exposure. The PCI SSC recommends evaluating data systems to ensure that, in the event of a breach, systems may be appropriately isolated and investigated.
- Preparing to Notify Business Partners. When a security vulnerability or breach is identified, it is often critical to alert relevant parties promptly. The PCI DSS recommends ensuring that any incident response plan contains appropriate contact information, such as the relevant contacts at service providers, payment card brands, and acquiring banks.
- Managing Third-Party Contracts. The PCI SSC notes that service provider contracts should (i) address incident management (e.g., who will handle the response and how the parties will coordinate) and (ii) address evidence-gathering or data access and review requirements, so that the parties’ roles in a post-breach environment are clearly defined. Following this guidance may ensure a more efficient and prompt response, particularly where breaches implicate or affect third-party service provider systems.
- Identifying a PFI for Breach Response. Finally, the PCI SSC recommends that organizations establish relationships with PFIs in advance of breaches, so that they will know whom to contact when an incident occurs. The guidance notes, however, that there are independence requirements for PFIs, so merchants and service providers to merchants cannot engage a PFI that is already providing other PCI-related services for the organization.
Engaging and Working with a PFI
As the guidance notes, card issuers may require that PCI-listed PFIs be responsible for conducting an independent forensic investigation and analysis of a breach. Each payment card brand has its own requirements for PFI engagement (which are linked to in the guidance), and taking time to understand the role of the PFI and the services that will be provided following a breach will help organizations plan for bringing in a PFI in the event that a breach occurs.
The PCI SSC guidance explains how PFIs investigate breaches, what reports are likely to be generated through their investigations, and how merchants and service providers may work with PFIs to ensure thorough investigations occur. PFIs will typically issue interim and final reports on incidents, which will be made available to the merchant’s acquiring bank and to the payment brands, and will issue to the merchant a series of recommendations regarding containment and securing cardholder data. These recommendations are intended to supplement (and not stand in place of) the merchant’s existing incident response plan, and the PCI SSC stresses the importance of following the recommendations as soon as practicable to reduce further risks to the cardholder data.
Finally, the PCI SSC guidance provides some comments on how merchants and their service providers can assist PFIs in evaluating and remediating incidents. The PCI SSC explains basic steps that organizations should take to prevent further data compromise while appropriately preserving evidence relating to the system. Beyond evidence preservation and cardholder data risk reduction, the PCI SSC also recommends that merchants and their service providers ensure that appropriate facilities and personnel are made available to PFIs to ensure effective investigations and remediation processes.