Last week we started going over the proper procedures for what to do when the unthinkable happens: an actual breach that compromises sensitive stored data. Keep in mind that if you are already PCI compliant, you have ensured that the damage, if any is actually found, will be minimal. The first steps to take once a breach has been discovered are on the previous blog. Once you’ve isolated the affected systems and assessed exactly what has been compromised, the next thing you need to do is notify every party that needs to be put on alert. The pertinent parties should include:
- Your company’s in-house incident response and information security teams (if you don’t have staff assigned to these duties, determine who will handle it as described in PCI DSS requirements 12.1 through 12.8.4)
- Your processing company, or your bank if you process through your bank
- You can contact the Visa incident response manager if you don’t know how to contact your processing service.
- If you are a financial institution contact the appropriate Visa office in the list above.
After contacting the parties on the preceding list, you should notify the appropriate law enforcement agency. If you need help figuring out which agencies to notify, the Visa incident response manager can assist you.
You should now contact your legal department if you have one, or your business attorney to figure out what notification laws and other legal issues apply to your situation. Make sure your legal representation knows the above contact information for the appropriate Visa incident response management office.
You must provide a list of all compromised accounts for all cards to your merchant service provider. All potentially compromised accounts must be transmitted according to the instructions from your processing service. The card associations will handle distributing the compromised accounts to the appropriate issuers so they can alert their account holders. More to come in a week.