PCI Security Standards Council recently updated the guidance document Responding to a Cardholder Data Breach. The guide is intended to help merchants and service providers prepare for incident response, and it describes how and when a PCI Forensic Investigator (PFI) should be engaged to assist. The guidance covers:
- Implementing an incident response plan: Organizations should ensure that effective incident-management controls are in place. PCI DSS Requirement 12.10 requires a thorough incident response plan that is properly disseminated to the people who will act on it. The plan should also be tested regularly, not just written and filed.
- Identifying, engaging and working with a PFI: If a cardholder data breach has occurred or is suspected, the payment brands may require an independent forensic investigation to be completed by a PFI listed on the PCI SSC website*. Guidance is provided on when to engage a PFI, the independence requirements for PFIs, what to expect from your PFI, how the investigation will be reported and how best to work with your PFI for a thorough and effective investigation. There is important advice on preserving evidence and what access (physical or remote) a PFI may need to complete their work.
- Understanding stakeholder roles and responsibilities in the event of a data breach: Stakeholders in a cardholder data breach event include acquiring banks, PCI SSC, card brands, merchants and third-party service providers. This guide gives an overview of the role and responsibilities of each of these groups in ensuring PFI investigations take place quickly and effectively.
*Note: Only PFIs listed on the PCI SSC website are approved by PCI SSC to provide forensic investigation services in the event of a cardholder data breach.