October 18, 2011

What to do if You Think You May Have Been Breached

Imagine you have just discovered something amiss in your system and signs point toward a potential data breach. Do you have a plan of action in place? Do you have people on hand who know how to deal with such a problem? If not, have you found an expert you can contact?

“When the time for action comes, the time for preparation has passed.” This oft-repeated quote from emergency preparedness circles holds true in the world of payment card security as well. That is why all of the questions we just posed (and many more) should be addressed in your Incident Response Plan (mandated by PCI DSS Requirement 12.9). When developing or updating this plan, we recommend you make sure it includes the following elements:

  1. Disconnect (but do not power down)
    1. Disconnect from the network and from the Internet any devices you suspect have been compromised. (Literally unplug the network cables from the devices.)
    2. Be sure you do not power down these devices until they have been fully investigated. (Malware that resides only in volatile memory is lost when the device is powered off, making it more difficult for investigators to track down the bad guys.)
  2. Notify
    1. Do not attempt to hide the fact that you have been breached. The problem may spread with time, and you may be liable for trying to cover it up.
    2. By card brand regulations, your merchant bank owns the ultimate risk for the breach, so their security and/or compliance officer should be ready and willing to provide you with guidance and expertise.
    3. If your bank is unwilling to assist, contact Shift4 and we’ll help you explain to the bank their responsibility to assist you (and liability if they refuse to do so).
    4. You may need to contact local (or federal) law enforcement agencies to conduct an investigation.
    5. Also, in many states you are required to notify any potential breach victims and/or constituents of your state. Consult with your legal counsel to determine your responsibilities and set an appropriate course of action.
  3. Investigate
    1. Depending on the severity of the breach, your bank or a card brand may require a PFI (PCI Forensic Investigator) to complete a forensic investigation of your organization. You should know that PFIs are not permitted to fix any problems they find during the investigation, but they should provide you with a list of items to be addressed by your staff or your IT contractor.
    2. If a forensic audit by a PFI is not deemed necessary, your bank may require you to complete some sort of investigation and report. If you have qualified staff on hand, you should complete a full investigation to determine what happened.
    3. Retention of a third party to perform a forensic investigation presents another set of risks on its own and is not recommended. If you have no other choice, you should seek guidance from your bank.
  4. Remediate (Fix)
    1. If your internal IT staff is performing the investigation, they should fix problems as they find them.
    2. If the problem has been identified by a PFI or other external source, you should immediately begin fixing the issue(s).
    3. It’s not enough to just fix the problem; you should also examine the underlying risks and threat agents that exploited the vulnerability(ies) in the first place, and ensure those vulnerabilities have been remedied so that they cannot recur.

For reasons of liability, Shift4’s support representatives are not permitted to provide additional advice concerning a suspected breach.

If you haven’t reviewed your incident response plan recently, now may be a good time to do so. Ensure your policies are up-to-date and that you have contact information for any external sources of assistance you may need. Visa’s “What to do if Compromised” document contains a number of useful hints that we recommend you incorporate into your plan.

Remember, “when the time for action comes, the time for preparation has passed.”