March saw the release of new guidance from the PCI Security Standards Council (PCI SSC), ‘Responding to a Cardholder Data Breach.’ This is a short, five paged document aimed at merchants and service providers to assist with preparing for and responding to a breach of cardholder data. What does the document consist of? Essentially it can be broken down into three key areas; Preparation, Investigation and Accountability.
The guide leads with preparation for managing a data breach. It is most pertinent to requirement 12 of the PCI DSS, ‘Maintain a policy that addresses information security for all personnel’ and is broken down into the following four steps:
- Implement an Incident Response Plan – Businesses should have a thorough incident response plan that is available and disseminated to all relevant staff, and regular testing will allow for any lapses to be identified and ensures that the plan is adequate.
- Limit Data Exposure – Given the broad spectrum of entities this guidance is pertinent to, there is no detailed explanation of how to do this. The guidance does advise however that a thorough knowledge of how to do this without shutting down systems entirely is essential for evidence should a PCI Forensic Investigator (PFI) be required.
- Understand Notification Requirements – This includes recording and maintaining up-to-date records of relevant parties (i.e. merchants, payment card brands…) who need to be notified should a breach occur. All of this should be recorded and accessible to relevant employees.
- Manage Third-Party Contracts – Several businesses use third party services which may be in-scope of PCI DSS. It’s the responsibility of the organisation to ensure contracts address incident response plans, including how evidence would need to be accessed should a breach occur.
The guidance then goes on to lay out what could happen if the breach is severe enough to require the services of a PCI Forensic Investigator (PFI.) The parameters for when a PFI would be needed vary and depends on the payment card brand. As such, organisations should be aware of what these are by contacting the relevant payment card brand and incorporating this into their incident response plan. It explains how a PFI will help determine the occurrence of a cardholder data compromise and when and how it may have occurred, and how they will also advise the organisation it is investigating on how to limit data to being further exposed.
By breaking it down into small steps, the guide gives a clear view on what is expected of an organisation should they have a breach of cardholder data, and what to expect from the investigation. What is clear is that organisations should be prepared for a data breach by following the guidance of requirement 12 of the PCI DSS, and by taking the four steps detailed in the Preparation stage. . Doing so will allow for a swift investigation and will limit data exposure.
The guide concludes with the table ‘Stakeholder Roles and Responsibilities.’ This lists various participants (i.e. the PCI Security Standards Council, merchants, acquiring banks…) who might need to be involved in a data breach response, what their roles would be and what they are ultimately responsible for. By clearly setting out what role is expected of each participant, it gives merchants and service providers the parameters needed when creating and revising their own incident response plan.
With all this considered, how could this guide assist businesses with reporting a data breach of credit card data? The PCI DSS is a standard which applies to any business who processes or stores credit card data and applies globally. Should a breach of cardholder data occur it is likely that other data privacy laws will apply i.e. the GDPR in the EU or PIPEDA in Canada. This guide gives businesses enough insight and instruction to ensure they have a solid incident response plan in place should the worst happen. Businesses who take heed of this guidance will not only ensure they adhere to what is expected of them for PCI compliance, it could also cross over to other regulations which will make responding to a data breach simpler across the board.