Out-Law News 1 min. read

Payments industry body urges retailers to implement data breach incident response plans
Retailers and their payment service providers should implement data breach incident response plans to account for the inevitability of cyber attacks, a payments industry body has said.

The PCI Security Standards Council (SSC) has issued new guidance on responding to a data breach (3-page / 1.64MB PDF). It said that putting an incident response plan in place can help companies that fall victim to data breaches cut the cost of managing those breaches.

"Prevention, detection and response are always going to be the three legs of data protection," PCI SSC general manager Stephen W. Orfei said. "Better detection will certainly improve response time and the ability to mitigate attacks, but managing the impact and damage of compromise comes down to preparation, having a plan in place and the right investments in technology, training and partnerships to support it."

Payment card industry data security standards (PCI DSS) require retailers, banks and other companies involved in processing credit and debit card payments to implement an incident response plan and be prepared to respond immediately to a system breach.

The PCI SSC said that businesses handling payment card information must ensure that incident response plans are reflected in outsourcing arrangements.

"Ensure all contracts with third-party service providers, hosting providers, Integrators and resellers, and other relevant parties sufficiently address incident-response management," the guidance said. "Contracts should include specific provisions on how evidence from those environments will be accessed and reviewed, such as allowing your PFI access to the environments."

PFIs are payment card industry forensic investigators that retailers might be expected to engage to independently investigate a payment card data breach. The PCI SSC's guidance explained what functions a PFI will perform and what businesses need to do when engaging them.

"To complete a thorough and effective investigation, the PFI will require access to data, facilities, and people," the guidance said. "This may also include access to third-party service providers who store, process, or transmit cardholder data on your behalf or who can otherwise affect the security of the cardholder data environment – e.g., website hosting providers."

"When a breach occurs or is suspected, it is critical to preserve the evidence. It is very tempting to reboot all devices, clear up log files, remove any suspect software, and generally try to recover as quickly as possible. Of course, everyone wants to “stop the bleeding” and prevent any more data being compromised. However, careful preservation of evidence is vital both in finding the root cause of the breach and in identifying the perpetrators. Digital evidence is easily contaminated, and maintaining a robust chain of custody is crucial to achieving a good investigation result," it said.
