Dan Lapierre, Online Business Systems' Senior Security Consultant, discusses Visa's recently released and updated guide, "What To Do If Compromised" (WTDIC). The updated guide is available on Visa's website.
As the Scout Motto goes: Be Prepared! Make sure your Incident Response (IR) team downloads Visa's WTDIC guide. Any good Incident Response plan accounts for a security practitioner's biggest fear: having to deal with a credit card breach.
We run across many clients who are only trying to get the compliance checklist completed rather than actually preparing for a breach. Simple steps such as maintaining an internal contact list, involving your legal and communications teams in the preparation, and actually testing the plan go a long way toward reducing confusion during a real breach.
As a Payment Card Industry Qualified Security Assessor (PCI QSA), I look specifically for this type of reference in your Incident Response plan as part of PCI DSS Requirement 12.10.1.
This latest version of the WTDIC has foundational details that all IR teams need to be aware of and follow. The guide provides detailed guidelines, requirements, and time frames for investigating a suspected or confirmed compromise, as well as information on the following critical topics:
Preserving evidence
- The instinct to shut down a suspected compromised system can be overwhelming; system administrators have been trained to get systems back up and running as fast as possible. But even the simple act of logging into a compromised system can overwrite volatile data and logs that forensic analysis needs in order to determine the who, what, and when of a compromise.
- Rather than shutting down or rebooting a suspected compromised system, take it offline by unplugging its network cable(s) or by disconnecting its virtual network adapter from the VM console, and leave it running in that state until a trained forensic expert can examine it. Powering off discards everything in memory (running processes, active network connections, and any card data or keys an attacker's tool was holding), and an orderly shutdown also gives malware a chance to clean up after itself.
Providing a Visa Initial Investigation Report
- Within three days of a suspected or confirmed compromise, merchants are required to provide Visa with an initial investigation report.
- Organizations are often reluctant to disclose that they have been breached, which can result in lengthy internal discussions about whether to disclose and, if so, what to disclose. As mentioned earlier, including your legal and communications teams in IR testing will soften the blow and often reduce the time it takes to reach a decision about reporting.
- Page four of the WTDIC includes a template of what the report needs to include. It is worth embedding this template in your IR plan and identifying in advance who can supply each piece of data, as this will streamline the IR process.
Performing a forensic investigation
- In extreme situations, a compromised entity may be required by Visa to engage a PCI Forensic Investigator (PFI). At the time of writing, 19 organizations were qualified by the PCI Security Standards Council to act as a PFI.
- The new guide outlines very specific requirements for engaging a PFI, including conditions on past business relationships and previous investigations. These conditions may make it difficult to pre-sign a contract with one of these firms, so do your legwork up front to select your 'go-to' forensic investigator.
- Socialize this requirement within your organization. Ensure your legal team is aware of it, in the hope of reducing the time it takes to get a contract signed. At a minimum, include this as a step in your IR testing and training.
Providing all exposed accounts to Visa
- A compromised merchant is required to provide the compromised Visa account numbers to Visa and, in most cases, to all card brands. This allows the card brands to place the compromised accounts on a watch list to identify fraudulent activity and, in many cases, to notify the cardholder (often accompanied by issuance of a new card).
- Merchants can coordinate with their acquiring bank to provide the compromised account numbers in a secure manner; never send primary account numbers in unencrypted e-mail or other end-user messaging, which PCI DSS itself prohibits.
Complying with Payment Card Industry Data Security Standard (PCI DSS) Requirements
- Following a breach, compromised entities must validate or re-validate full PCI DSS compliance.
Ensure your Incident Response team's training and testing include the payment brand notification steps detailed in this guide, as well as those for the other card brands listed below:
If you are a merchant, make sure your acquirer's point-of-contact information is included in your contact list.
It's stressful enough to live through a breach, not to mention the loss of business or brand value caused by the breach going public. The better prepared you are to respond, the lower the potential impact to your organization.
Let us know what you’re doing to protect yourself in the comments below – we’d love to hear from you!
Learn more about Online Business Systems' Risk, Security and Privacy practice on our website.