Data breaches have been in the news a great deal lately, and in the event of a breach of cardholder data occurring, you may need the services of a PCI Forensic Investigator (PFI). In this article I’d like to outline the work of the PFI Program, look at what to expect from a PFI during an investigation and give some pointers on where to get further advice.
The list of approved PFI companies is held on the PCI SSC website. All PFI companies are experienced Qualified Security Assessors (QSAs) who are additionally qualified to perform forensic investigations. These companies must pass a rigorous set of criteria to become and remain PFIs (the quality assurance elements of the program are especially tough), and PFIs rightly consider themselves a specialised community.
If you are choosing a PFI to work with, think first about geographic region, as not all PFI companies support all countries. Choose one that works in the region where the data loss is thought to originate.
Secondly, consider independence. Having an independent, unbiased view during an investigation is key, and PFIs are required to uphold strict independence requirements. For example, your PFI can’t also be your QSA or Approved Scanning Vendor (ASV) as they would be potentially investigating their own work. Performing any service which directly affects compliance with the Payment Card Industry Data Security Standard (PCI DSS) will not meet the PFI independence requirements. If in doubt, ask the PFI company themselves as they can advise on the independence restrictions they must meet.
Once an investigation is underway, the scope must be determined by the PFI, not by the company being investigated. This is to ensure that the PFI can look as broadly as possible into the causes of the breach, how it started and how the data is being extracted. Narrowing the scope of the investigation means that valuable insights into the attack may well be missed. The PFI may work onsite or remotely and will acquire data images for forensic analysis to determine how the data breach occurred. It may well be necessary to look beyond the cardholder data environment. The goal is to determine the root cause of the incident, ensure the vulnerability or vulnerabilities no longer exist and make sure the environment is secure. Be aware, though, that if logs are not available or data has not been preserved, it may not be possible to establish the exact root cause.
Typically, a PFI does not perform the same level of PCI DSS assessment as a QSA but will report on whether PCI DSS deficiencies were observed. PFIs operate within the boundaries of the PFI program and have to produce reports at regular intervals culminating in a Final Incident Report.
We recommend you take a look at the “Responding to a Data Breach” document recently published on the PCI SSC website. In addition to providing an overview of how to respond to an incident, it has a useful list of places where more detailed advice and guidance can be obtained. Always remember to work with your acquirer and the payment brands. Communication and collaboration are essential to making sure incidents are resolved as quickly as possible and with the least harm done.