PCI Free Blog

What Do I Do After My Data Security Has Been Breached? – Part VI

This installment returns to the question of what to do when your data security has been breached. The PCI DSS and the PFI program lay out specific procedures for handling a data breach, and we had just reached the point in the PFI (Payment Card Industry Forensic Investigator) investigation where the possible compromise of encryption keys or PIN (personal identification number) codes has to be dealt with. Templates for the PFI preliminary forensic report, the final forensic report and the PIN security report are available at: https://www.pcisecuritystandards.org/security_standards/documents.php?document=PFI_Program_Guide#PFI_Program_Guide (this is shown as plain text rather than a link; copy and paste the URL into your browser's address bar, using an underscore (_) wherever a space appears). As previously mentioned, the preliminary forensic investigation report must be provided to the card associations within five business days of the onsite inspection. If the preliminary report is going to be delayed, the PFI or the breached merchant can work out an extension with the appropriate card association region. The final forensic investigation report must be provided to the card associations within ten business days of the in-person site inspection. The card associations have the right to review each forensic investigation report and to reject it if it fails to meet PCI requirements.

If there is any suspicion that PIN codes have been compromised, you must also provide a PIN security report within ten business days of the in-person site inspection. Make sure this report includes a review of every PIN-related cryptographic key, because the card associations use it to determine whether any of those keys have been compromised as well.

Next, you must provide the appropriate card association with a list of the account numbers considered at risk because of the breach, again within ten business days of the initial onsite review of the merchant's location. Confirm that the incident has actually been contained and that you have put into practice every security recommendation made by the PFI. Any non-compliance with the PCI PIN Security Requirements must also be reported.

In the next installment we should be able to wrap up our series on handling a data security breach. Remember that a data breach can happen to any merchant at any time. Your best defense against a data compromise is to adhere closely to the goals set out in the PCI DSS and to maintain your PCI compliance at all times. See our home page to find out how to make your business PCI compliant for free.

This entry was posted in PCI Compliance, PCI DSS and PA-DSS, Sensitive Data Storage.
