Credit Card (PCI) Security Incident Response Plan
To address credit cardholder security and ensure the greatest possible protection of cardholder data, the major credit card brands, including Visa, MasterCard, American Express, Discover and JCB, established the PCI Security Standards Council to develop, enforce, and manage the Payment Card Industry Data Security Standards (PCI DSS) that are intended to serve as guidelines for safeguarding cardholder information.
Within these guidelines, merchants are required to create and document an incident response plan. Due’s incident response plan is described below:
- Each department must report an incident to the Information Security Officer or to another member of Due’s PCI Response Team.
- The member of the team that receives the report will advise the PCI Response Team about the incident.
- The PCI Response Team will investigate the incident, assist with limiting any cardholder data exposure, and mitigate the risks associated with that incident.
- The PCI Response Team will resolve the problem to the satisfaction of all parties involved, including reporting the incident and findings to the appropriate parties, such as credit card associations and credit card processors.
- The PCI Response Team will determine if policies and processes need to be revised and whether additional safeguards need to be implemented to avoid any similar incident in the future.
Due’s PCI Security Incident Response Team includes: [ADD NAMES, PHONE NUMBERS AND EMAIL ADDRESSES]
- CIO
- Communications Director
- Compliance Officer
- Counsel
- Information Security Officer
- Controller
- Collections & Merchant Services
- Risk Manager
Due PCI Incident Response Plan V1
Last Updated: 8/31/16
Each credit card company has its own specific requirements for reporting suspected or confirmed breaches of cardholder data, as described below.
MasterCard Specific Steps:
- Within 24 hours of an account compromise event, notify the MasterCard Compromised Account Team via phone at 1-636-722-4100.
- Provide a detailed written statement of fact about the account compromise (including the contributing circumstances) via secured e-mail to [email protected].
- Provide the MasterCard Merchant Fraud Control Department with a complete list of all known compromised account numbers.
- Within 72 hours of knowledge of a suspected account compromise, engage the services of a data security firm acceptable to MasterCard to assess the vulnerability of the compromised data and related systems.
- Provide weekly written status reports to MasterCard about any open questions and issues until the audit is complete to the satisfaction of MasterCard.
- Promptly deliver updated lists of potential or known compromised account numbers, additional documentation, and other information that MasterCard may require.
- Provide findings of all audits and investigations to the MasterCard Merchant Fraud Control Department within the required timeframe.
Once MasterCard obtains the details of the account data compromise and the list of compromised account numbers, MasterCard will identify the issuers of the accounts suspected to have been compromised, group all known accounts, and distribute the account number data to the respective issuers.
VISA U.S.A. Specific Steps:
In the event of a security breach, the Visa U.S.A. Operating Regulations require that it be reported immediately. Entities must demonstrate the ability to prevent future loss or theft of account information, consistent with the requirements of the VISA U.S.A. Cardholder Information Security Program. If VISA U.S.A. determines that an organization has been deficient or negligent in securely maintaining account information, or in reporting or investigating loss of this information, VISA U.S.A. may require immediate corrective action.
If a merchant or its agent does not comply with the security requirements or fails to rectify a security issue, VISA may impose fines or restrictions, or permanently prohibit any participation in VISA programs.
VISA has provided the following step-by-step guidelines to assist an entity in the event of a compromise. In addition to the following, VISA may require additional investigation. This includes, but is not limited to, providing access to premises and all pertinent records.
- Immediately contain and limit the exposure.
- To prevent further loss of data, conduct a thorough investigation of the suspected or confirmed loss or theft of account information within 24 hours of the compromise.
- To facilitate the investigation, do not access or alter compromised systems, and do not turn the compromised machine off. Preserve logs and electronic evidence, and log all actions taken. If using a wireless network, change the Service Set Identifier (SSID) on the access point and on other machines that may be using this connection (with the exception of any systems believed to be compromised), be on alert, and monitor all VISA systems.
- Alert all necessary parties, including the internal information security group and Incident Response Team as well as the legal department, merchant bank, VISA Fraud Control Group at (650) 432-2978 in the U.S., and local FBI Office, U.S. Secret Service, or RCMP local detachment.
- If VISA payment data is compromised, provide the compromised Visa accounts to the VISA Fraud Control Group at (650) 432-2978 within 24 hours of the incident. Account numbers must be securely sent to VISA as instructed by VISA.
- The organization must start a forensic investigation within 24 hours of the compromise. The investigation must determine the cardholder information at risk, the number of accounts at risk, and the type of account information at risk, such as account number, expiration date, cardholder name and address, and the security number on the back or front of the card. The investigation must also determine how the compromise occurred, the source of the compromise, and the time frame of the compromise. The entire network must be reviewed to identify all compromised or affected systems, including e-commerce, corporate, test, development, and production environments as well as VPN, modem, DSL and cable modem connections, and any third-party connections. Lastly, the investigation should determine whether the compromise has been contained.
Discover Card Specific Steps:
- Within 24 hours of an account compromise event, notify Discover Fraud Prevention at (800) 347-3102 and prepare a detailed statement about the compromise, including a list of all compromised account numbers.
- Obtain additional specific requirements from Discover Card.
American Express Specific Steps:
- Within 24 hours of an account compromise event, notify American Express Merchant Services at (800) 528-5200 in the U.S. and prepare a detailed account of the compromise, including the contributing factors and which account numbers were compromised.
- Obtain additional specific requirements from American Express.