Here is some PCI incident response advice that can often get lost amid the chaos of an incident response. First, a little background:
When a cyber-attack targets electronically transmitted, collected or stored payment card information, so-called Payment Card Industry Data Security Standards (“PCI-DSS”) compliance is often one of the first aspects investigated. The Payment Card Industry Security Standards Council is the international organization founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. in 2006, which develops and manages certain credit card industry standards, including the PCI-DSS.
PCI-DSS is a set of requirements created to help protect the security of electronic payment card transactions that include so-called “PII” or “personal identifying information” of cardholders, and operates as an industry security standard for organizations utilizing credit card information.
Protecting PII relating to individuals from identity theft has become a significant focus of U.S. state and federal agencies, and of new state and federal laws and regulations. In the U.S., though laws and regulations vary from state to state, and between state and federal law, as to exactly what information comprises PII, generally, the definition requires both a name and some additional item of information that could be used to steal a person’s identity or access his or her financial accounts (or, in some cases, healthcare information) without authorization.
PCI-DSS applies to all organizations that hold, process or pass credit card holder information and imposes requirements upon those entities for security management, policies, procedures, network architecture, software design and other critical measures that help to protect customer credit and debit card account data. If a cyber-attack against a company involves credit cards or other similar modes of payment and triggers PCI-DSS compliance, the incident response workflow involving the PCI-DSS can be extremely costly, cumbersome and disruptive.
For instance, merchants are responsible for all costs associated with any system modifications required to achieve PCI-DSS compliance and the card brands may levy significant fines and penalties on merchants that are not in compliance with PCI-DSS. Such penalties and fines, imposed separately by each card association, can include:
- Hefty fines (in multiples of $100,000) for prohibited data retention;
- Significant additional monthly fines (can be $100,000 or more per month depending on the nature of the data stored) assessed until confirmation is provided indicating that prohibited data is no longer stored;
- Separate fines (in multiples of $10,000) for PCI-DSS non-compliance;
- Additional monthly fines (likely $25,000 per month) assessed until confirmation from a qualified security assessor that the merchant is PCI-DSS compliant;
- Payment of monitoring (can be as high as $25) and reissuing (up to $5) assessments for each card identified by the card association as potentially compromised; and
- Reimbursement for any and all fraudulent activity the card association identifies as being tied to a security data breach.
In addition, after a breach, a merchant’s classification or “tier” may be adjusted upwards, resulting in the imposition of further obligations and potentially even greater fines and penalties should another breach occur. (See “PCI DSS and Incident Handling: What is required before, during and after an incident,” SANS Institute InfoSec Reading Room, and “PCI Compliance Under Scrutiny Following Big Data Breaches,” by Jen A. Miller.)
Finally, when an organization suspects a PCI cyber-attack, the card brands’ PCI Data Security Standards require hiring a PCI-approved Forensic Investigator (also known as a “PFI”) from a small list of card brand approved vendors.
The PFI is required to perform a specified list of investigative work including writing a final report that is issued to both the client and the various credit card companies, which is then used by the card brand companies to calculate potential fines that will be levied against the acquiring banks. These fees are then passed along to the victim company in the form of indemnification.
Here is the tactic that is often overlooked. When companies explore hiring a PFI, the smart move is to add a second forensic examiner to the investigation, one that is completely independent of the card brand approved list, in order to have an incident response team that reports to, and is paid by, the victim of the cyber-attack. Absolute technical accuracy and completeness of the report are of paramount importance given that this report may become the foundation for regulatory inquiry and litigation, and a victim company may challenge a PFI’s draft report when the second firm identifies technical and evidentiary issues therein.
Moreover, the PCI Security Standards Council requires that official remediation plans, including an implementation timeline, follow shortly after submission of the PFI’s final investigative report, work that the second firm, rather than the PFI, can be tasked to undertake.
Too many companies stand by quietly and simply accept the PFI’s word on the data breach, yet incident response is far from an exact science and many findings can be too subjective, replete with errors or even fatally flawed. After all, the data breach response industry remains in its infancy: there are few academic degrees available in the realm of incident response and barely any incident response courses in college and graduate school curriculums. Many incident responders come from government, such as the Air Force’s Office of Special Investigations; the US-CERT team of the Department of Homeland Security; or the various cyber squads of the Federal Bureau of Investigation. Other incident response experts are simply self-taught from experience or from piecing together varying expertise in digital forensics and security science.
Think of it this way: After experiencing a fire in a home, a homeowner may have concerns about the qualifications or credibility of the insurance adjuster or may believe the insurance adjuster’s report is biased or specious, and then hires his or her own expert to challenge the report of the insurance adjuster in order to receive a better insurance payout. The same principle holds true for PCI incident response, and the added cost of the private expert may be well worth it, paying off significantly in the long run.