Incident Response Procedure
An “incident” is defined as a suspected or confirmed “data compromise”. A “data compromise” is any situation where there has been unauthorised access to a system or network where cardholder data (CHD) is collected, processed, stored, or transmitted. For the purposes of the Payment Card Industry Data Security Standard (PCI DSS), a “data compromise” can also involve the suspected or confirmed loss or theft of any material or records that contain CHD.
Some examples of data compromise incidents that an employee might recognise in their day-to-day activities include, but are not limited to:
- Theft, damage, or unauthorised access (e.g., papers missing from a desk, broken locks, missing log files, an alert from a security guard, video evidence of a break-in or unscheduled/unauthorised physical entry)
- Inaccurate information within databases, logs, files or paper records
- Card terminals that have been tampered with or substituted
- Computers that have had a suspect device installed in a USB port
1 Reporting an Incident
Employees are responsible for reporting incidents in their area to their Line Manager and the PCI DSS Incident Response Team. The PCI DSS Incident Response Team will report the incident to the Payment Security Committee and any other relevant parties. If you become aware of a suspected or real security incident relating to CHD, or a failure in procedure, then you must act immediately.
The following steps must be followed immediately when a confirmed or suspected incident arises:
- Take measures to ensure that a suspicious card terminal or computer cannot be used, such as:
  - Physically secure the area;
  - Disconnect the terminal's network cable / telephone line (but DO NOT switch the device off: powering it down destroys evidence held in volatile memory);
  - Put a note on the terminal stating that it is 'not in use';
  - Keep a watchful eye over the device until further instructions are given.
- Notify the following staff of the confirmed or suspected incident by email, providing details surrounding the suspected or confirmed incident:
  - Your Line Manager;
  - PCI DSS Incident Response Team, via the Incident Response Form.
2 Incident Response Form
The completed form should provide as many details as possible, including the date, time, and the nature of the incident. Any information you can provide will aid in responding in an appropriate manner.
Depending on the assessment of the PCI DSS Incident Response Team, the response may proceed through the following stages:
- Alert all relevant parties, e.g. banking relationship manager, merchant/acquiring bank, payment device manufacturer, payment services provider, legal department, card brands, regional law enforcement agency;
- Collect and protect information associated with the intrusion (e.g. event logs), preserving it unaltered so that it remains usable as evidence;
- In the event that a forensic investigation is required, the Income Team and PCI DSS Incident Response Team will work with legal representatives and management to identify appropriate forensic specialists (forensic specialists may be suggested by the card brands);
- Once evidence has been preserved, eliminate the intruder's means of access and mitigate any related vulnerabilities (e.g. change passwords, apply patches, change configurations);
- Research potential risks related to, or damage caused by, the intrusion method used;
- Follow Ordinance C2 if appropriate;
- Report to Directorate;
- Report to the Information Commissioner's Office (ICO) where personal data has been compromised.
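The "collect and protect" stage above is the one step in this procedure that staff carry out hands-on, and the point of it is that a log copied today can still be shown, weeks later, to be the same bytes that were collected. The script below is an added example, not part of this procedure or any tool it names: it copies each log into an evidence folder, records a SHA-256 hash, size and collection time for each file in a manifest, and provides a `verify` check that re-hashes the folder and names anything that has changed. The incident ID, collector name, file names and log lines are constructed for the example.

```python
"""Added example (not part of the original procedure): preserving event logs
as evidence with a hash manifest, then checking the evidence has not changed.
Incident ID, collector, file names and log content are constructed."""
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large logs need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _utc(ts: float = None) -> str:
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts))


def preserve(sources, evidence_dir: Path, collector: str, incident_id: str) -> dict:
    """Copy each source into evidence_dir and write manifest.json beside the copies.

    Sources are only read. copy2 keeps the original modification time, which is
    itself evidence of when the log was last written; the copy is then made
    read-only so a later slip does not silently alter it.
    """
    evidence_dir.mkdir(parents=True, exist_ok=True)
    entries = []
    for src in map(Path, sources):
        dst = evidence_dir / src.name
        shutil.copy2(src, dst)
        os.chmod(dst, 0o440)
        entries.append({
            "original_path": str(src.resolve()),
            "evidence_file": dst.name,
            "size_bytes": dst.stat().st_size,
            "sha256": sha256_file(dst),
            "source_mtime_utc": _utc(src.stat().st_mtime),
        })
    manifest = {
        "incident_id": incident_id,
        "collected_by": collector,
        "collected_at_utc": _utc(),
        "files": entries,
    }
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(evidence_dir: Path) -> list:
    """Re-hash every file named in the manifest; return the names that no longer match."""
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    changed = []
    for entry in manifest["files"]:
        path = evidence_dir / entry["evidence_file"]
        if not path.exists() or sha256_file(path) != entry["sha256"]:
            changed.append(entry["evidence_file"])
    return changed


def demo() -> tuple:
    """Constructed walk-through: preserve two sample logs, verify, then detect an edit."""
    work = Path(tempfile.mkdtemp())
    logs = work / "logs"
    logs.mkdir()
    # Constructed sample log lines, not real terminal or host output.
    (logs / "terminal-07.log").write_text(
        "2024-03-12T09:41:03Z POS07 card_read status=OK\n"
        "2024-03-12T09:41:05Z POS07 link_down reason=cable\n")
    (logs / "auth.log").write_text(
        "2024-03-12T09:39:58Z sshd: Accepted password for admin from 10.0.5.23\n")
    evidence = work / "evidence" / "INC-0001"
    manifest = preserve([logs / "terminal-07.log", logs / "auth.log"],
                        evidence, "J. Smith (constructed)", "INC-0001")
    clean = verify(evidence)          # expected: [] straight after collection
    # Simulate someone appending to a preserved copy after collection.
    target = evidence / "auth.log"
    os.chmod(target, 0o640)
    with target.open("a") as f:
        f.write("2024-03-12T10:02:11Z sshd: session closed\n")
    return len(manifest["files"]), clean, verify(evidence)


if __name__ == "__main__":
    print(demo())
```

The manifest, not the log copies, is what gets handed to forensic specialists or quoted on the Incident Response Form: it ties each file to a hash, a size, a collection time and a named collector. Store the manifest somewhere the evidence folder's own permissions do not cover, otherwise whoever can alter a log can rewrite the manifest to match.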
3 Post Incident Response
Not more than one week following the incident, the PCI DSS Committee and all affected parties will meet to review the results of any investigation, determine the root cause of the compromise and evaluate the effectiveness of the Incident Response Plan. Any area in which the policy or a security control could be made more effective or efficient must be updated accordingly.
Discuss actions which may be appropriate following the incident, including:
- Contact insurance provider;
- Purchase new equipment;
- Provide credit monitoring for individuals who may have been affected;
- Review implementation and effectiveness of security awareness training;
- Review and amend acceptable use policies, including working from home policies.
4 Incident Response Plan Review
It is required that this incident response plan be reviewed and tested annually and revised as needed.