“Protecting the payment system is a shared responsibility.” — Visa
Visa recently revised its “What to Do If Compromised” guidelines for handling a data breach to clarify the appropriate procedures for responding to a compromise. We’ve pulled together the highlights.
As business owners know, anyone involved in the handling of payment card data must comply with the Payment Card Industry Data Security Standard (PCI DSS). And as our clients know, we offer solutions that both reduce the burden of PCI DSS compliance and instantly secure payment transactions at the point of entry.
PCI DSS, P2PE, EMV and tokenization are all components a business should employ to properly safeguard their customer's data. Yet in today’s world of heightened cyber threats, even with these standards in place, all businesses should still be prepared for a potential breach. If a breach does happen, it's critical to take the right steps to ensure that no sensitive information has been stolen.
We recommend following the recently updated breach response guidelines set by Visa. Let's take a look at Visa's revisions to important steps (and even requirements) for handling a breach.
- Preserve evidence. If a system is suspected to have been compromised, it’s important the system is not accessed or altered. It should be immediately taken offline and definitely not used to process payments. The system should then be isolated from the network it’s connected to, to protect other systems from vulnerabilities. Anything that is compromised should be documented, such as computers, servers and databases.
- Provide investigation report. Once the necessary information has been collected, it’s critical to provide an investigation report to the acquiring bank and notify all parties that may be involved. This can include internal security teams, the manufacturer of a compromised device, the legal department and even federal law enforcement.
- Perform forensic investigation. At times Visa may require that a Payment Card Industry Forensic Investigator, or PFI, that is not affiliated with the compromised system, perform an independent forensic investigation. A preliminary investigation must also be conducted and submitted by the compromised entity.
- Provide all exposed accounts. For the accounts that are exposed, they must be uploaded to Visa’s Compromised Account Management System, within five days after a system is compromised.
- Comply with PCI DSS. If a system is compromised, it must achieve full PCI compliance. To learn more about the security standards and requirements of the PCI Security Standards Council, visit PCISecurityStandards.org.
Of course, no business should experience a system compromise, or go through the unfortunate (but necessary) procedures in response. Our own Information Security Manager Justin Shipe has his own helpful recommendations for handling a breach.
"Your response to a breach is only as good as your incident response plan. Your plan should outline a clear path of communication," said Shipe. "It’s important that you control the conversation, informing the right parties with accurate and complete information. Your plan should also prepare you for a forensic investigation. Select a PFI vendor before you need one, and include their contact information in your plan. You may also want to consider cyber insurance, depending on your business model and risk appetite."