This guide is intended to help merchants and service providers with incident response
preparation. This guide also describes how and when a Payment Card Industry Forensic
Investigator (PFI) should be engaged to assist.
Only PFIs listed on the PCI SSC website are approved by PCI SSC to provide forensic
investigation services in the event of a payment card breach.
PREPARATION FOR DATA BREACH MANAGEMENT
Implement an Incident Response Plan
Your organization should ensure that effective incident-management controls are in place. PCI DSS Requirement 12.10 is essential in this effort. It requires entities to “Implement an incident response plan. Be prepared to respond immediately to a system breach.”
Guidance in this PCI DSS requirement notes that this should be a “thorough incident response
plan that is properly disseminated, read, and understood by the parties responsible.” It should
include proper testing exercises at least annually to ensure the process works as designed and to
mitigate any missed steps to limit exposure.
Limit Data Exposure
Knowing how to limit data exposure and minimize data loss while preserving evidence is essential.
For example, make sure you know how to isolate systems without simply powering them off.
Turning systems off may make the investigation more difficult and result in lost evidence or data.
For more information about evidence preservation, see the section titled “Working With Your PFI”
on page 3.
Understand Notification Requirements
Be prepared to alert necessary parties immediately. Have a plan, and regularly validate that the contact information for each party is current and accurate. This plan will include payment card brands, acquirers (merchant banks), and any other entities that may require notification, whether by contract or law.
Manage Third-Party Contracts
Make sure that all contracts with third-party service providers, hosting providers, integrators/resellers, and other relevant parties address incident-response management sufficiently. Contracts should include specific provisions on how evidence from those environments will be accessed and reviewed, such as allowing your PFI access to the environments. Contracts should include provisions to require the third party’s cooperation and allow a PFI to broaden the investigative scope to the third party if the third party is found to be the source of (or contributed to) an event that impacted cardholder data security.
IDENTIFY A PFI
Some PFIs offer their services on retainer. You can consider such an agreement so that you have a
PFI company ready to call when you need it.
You may also consider identifying and talking to several PFI companies qualified to serve in your
region in case one is unavailable when you need it or if you have specific needs that can be served
only by certain PFIs.
Keep in mind that all PFIs are required to meet strict independence requirements to prevent
conflicts of interest. Therefore, a company you use for other PCI services (for example, QSA
services) cannot also be used for your PFI investigation.