How to respond to a cardholder data breach (PCI DSS Requirement 12.10)
While your company may have taken the necessary steps to prevent a data breach, is it equally prepared for an incident response should a breach actually occur?
Do you have a documented plan and dedicated resources to investigate, gauge your exposure and complete notification requirements?
Requirement 12.10 of the PCI DSS (published by the PCI Security Standards Council) provides guidance on how to create a thorough incident response plan so that you can respond immediately to a system breach.
Without a thorough security incident response plan that is properly disseminated, read, and understood by the parties responsible, confusion and lack of a unified response could create further downtime for the business, unnecessary public media exposure, as well as new legal liabilities.
Your incident response plan should be tested annually. Examine the incident response plan and related procedures to verify your organization is prepared to respond immediately to a system breach.
Limiting exposure and preserving evidence is ESSENTIAL. When a data breach occurs, companies are required to notify payment card brands and acquirers. Are there contractual notifications that must be made? Do your contracts require specific evidence? This information should be included in your incident plan.
Working with a PCI Forensic Investigator (PFI)
Does your company have a PFI contracted? If your PFI is not required to be on site, then your evidence will have to be securely transferred to the PFI site. The PFI will report on whether deficiencies in compliance with PCI DSS requirements were observed during his or her investigation.
Do’s and Don’ts to Remember
Do NOT access or alter compromised system(s). Do not log onto the compromised system(s) or change passwords. Do not log in as ROOT, admin, etc. To avoid losing critical data, it is highly recommended that the compromised system(s) not be used.
DO preserve all evidence and logs: security events, web, database, firewall, and so on. Make sure the integrity of the evidence is not impacted by any tools used in the collection and analysis process. Document all actions taken, including dates, times, and individuals involved.
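One practical way to satisfy the "preserve the evidence, protect its integrity, and document who did what and when" points above is to fingerprint every collected log file at collection time and keep a signed-off manifest alongside the copies. The script below is an added example, not part of the original article or any PCI SSC material: it hashes each file under an evidence directory with SHA-256, records the collector, case identifier and UTC timestamp, and can later re-verify that nothing changed between collection and handover to the PFI. The case id, collector name and the three sample log lines are constructed for the demonstration. Run it on the analyst's collection workstation against copied images and exports, never as a tool executed on the compromised host itself, which is exactly what the Don'ts warn against.

```python
"""Evidence-integrity manifest for collected logs.

Added example (not from the original article). Computes SHA-256 over each
collected file, records who collected it and when, and later re-verifies that
the evidence is unchanged. All names, paths and log lines are constructed.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1024 * 1024  # read large logs in 1 MiB pieces


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so multi-GB logs never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: Path, collector: str, case_id: str) -> dict:
    """Record every file under evidence_dir with its hash, size and collection time (UTC)."""
    entries = []
    for path in sorted(p for p in evidence_dir.rglob("*") if p.is_file()):
        entries.append({
            "file": path.relative_to(evidence_dir).as_posix(),
            "sha256": hash_file(path),
            "size": path.stat().st_size,
            "collected_at": datetime.now(timezone.utc).isoformat(),
        })
    # collector/case_id document "who" and "which incident"; the entries document "what" and "when".
    return {"case_id": case_id, "collector": collector, "algorithm": "sha256", "entries": entries}


def verify_manifest(evidence_dir: Path, manifest: dict) -> list[str]:
    """Return the files whose hash no longer matches, or which are missing. Empty list == intact."""
    problems = []
    for entry in manifest["entries"]:
        path = evidence_dir / entry["file"]
        if not path.is_file() or hash_file(path) != entry["sha256"]:
            problems.append(entry["file"])
    return problems


def demo() -> tuple[int, list[str], list[str]]:
    """Collect constructed sample logs, build the manifest, then show that tampering is detected."""
    root = Path(tempfile.mkdtemp(prefix="evidence_"))
    # Constructed sample evidence of the kinds the article lists (firewall, web, database).
    samples = {
        "firewall/fw.log": "2024-01-01T03:12:07Z DENY 203.0.113.9 -> 10.0.0.5:443\n",
        "web/access.log": '10.0.0.5 - - [01/Jan/2024:03:12:08 +0000] "GET /admin HTTP/1.1" 403 512\n',
        "db/audit.log": "2024-01-01 03:12:09 UTC LOGIN FAILED user=app_ro\n",
    }
    for rel, text in samples.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)

    # Hypothetical collector and case id, chosen for the demo.
    manifest = build_manifest(root, collector="jdoe (IR lead)", case_id="CASE-EXAMPLE-001")
    (root / "manifest.json").write_text(json.dumps(manifest, indent=2))
    before = verify_manifest(root, manifest)          # expected: [] (intact)

    # Simulate a log being edited after collection; the manifest must flag it.
    (root / "web/access.log").write_text("edited\n")
    after = verify_manifest(root, manifest)           # expected: ["web/access.log"]
    return len(manifest["entries"]), before, after


if __name__ == "__main__":
    print(demo())
```

Store the manifest (and ideally a printed, signed copy of it) separately from the evidence copies; anyone receiving the evidence, including the PFI, can then recompute the hashes and confirm the chain of custody without trusting the collection tooling.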
About the Author
Dorothy Jacobs, Financial Payment Systems Professional
Dorothy Jacobs is a financial payment systems professional with an extensive background in regulatory compliance frameworks for the financial, retail and interchange business sectors including PCI, AML/BSA, and Regulations E, D and Z. Dorothy’s experience in architecting front-end authorization and back-end settlement systems has given her the in-depth knowledge required to provide comprehensive compliance programs to our clients.