PCI Free Blog

What Do I Do After My Data Security Has Been Breached? – Part IV

Once you have notified the appropriate card associations, provided all of the breach event documentation along with the suspected or confirmed compromised account numbers, and completed your own preliminary investigation with the results delivered to the appropriate Visa Risk Management group for your region, we start to dig a little deeper into the contributing factors of the data breach event.  Hopefully your business was registered as PCI compliant through your processor or QSA (Qualified Security Assessor) company.  At this point your processor may decide that it is necessary to perform an independent forensic investigation by an approved Payment Card Industry Forensic Investigator, or PFI.  You can use the link below to view a list of approved forensic investigators.


estigator.php (note: this is not a clickable link.  You must copy and paste the URL into your web browser's address bar.)

If you receive a notification from Visa that an independent forensic investigation must be performed, you will need to choose your PFI within five business days.  You must also make sure that you have engaged the services of an approved PFI, or at least have a signed contract with an approved PFI, within ten business days.  Visa stipulates that the independent forensic investigation must be performed on site within five business days of the contract signing date.  Visa also states that while it is the responsibility of the compromised merchant to employ the services of an approved PFI, Visa retains the right to conduct its own independent forensic investigation if it judges that to be appropriate.  All such investigative costs will be assessed to the merchant in addition to any applicable fines.  Most merchants who are PCI compliant at the time of the data breach event will receive some type of compensation if their processor offers breach insurance tied to a valid PCI compliance registration.

Next week we'll go over more of the details of the independent forensic investigation itself.  If you're not already PCI compliant, see our homepage to learn how you can achieve PCI compliance for free!

This entry was posted in PCI Compliance, PCI DSS and PA-DSS.
