Payment Card Industry Data Security Standard (PCI DSS) Incident Response Plan

Transcription

1 1. Introduction This defines what constitutes a security incident specific to Yonder s Cardholder Data Environment (CDE) and outlines the incident response phases. For the purpose of this Plan, an incident is an event in which Card Holder Data (CHD) in any format -- physical or digital media has been or is believed to be lost, stolen or accessed by an individual unauthorised to do so. This Plan is dependent upon all staff being compliant with PCI DSS and all applicable Yonder IT Security policies. This will be reviewed and tested annually by the Compliance Manager to account for changes to\updates in the environment and\or industry trends. 2. Incident Identification Employees must be aware of their responsibilities in detecting security incidents to facilitate the incident response plan and procedures. All employees have the responsibility to assist in the incident response procedures within their particular areas of responsibility. Some examples of security incidents that an employee might recognise in their day to day activities include, but are not limited to: Theft, damage, or unauthorised access (e.g., papers missing from their desk, broken locks, missing log files, alert from a system, evidence of a break-in or unscheduled/unauthorised physical entry) Fraud Inaccurate information within databases, logs, files or records 3. Reporting an Incident The Compliance Manager and or Head of IT should be notified immediately of any suspected or real security incidents involving cardholder data: Contact the Compliance Manager to report any suspected or actual incidents. No one should communicate with anyone outside of their supervisor(s) about any details or generalities surrounding any suspected or actual incident. All communications with law enforcement or the public will be coordinated by the CEO. Document any information you know while waiting for the Compliance Manager to respond to the incident. If known, this must include date, time, and the nature of the incident. Any information you can provide will aid in responding in an appropriate manner. 4. Incident Response

2 All security incidents involving payment card cardholder data must be immediately reported to a member of the PCI incident response team upon suspicion of a suspected or confirmed breach of payment card information either electronic or hardcopy. Responses can include or proceed through the following stages: identification, severity classification, containment, eradication, recovery and root cause analysis resulting in improvement of security controls. Contain, Eradicate, Recover and perform Root Cause Analysis. 5. Incident Response Team IT Services Head of IT Compliance Compliance Manager Operations Charles Morgan Group Operations Director Sales & Marketing Nancy Parker Business Development Director Board Graham Ede CEO 6. Suspected electronic breach

3 In the case of electronic exposure of payment card cardholder information: DO NOT SHUT DOWN the suspected machine. (Machine refers to PC, Terminal or other electronic payment device). IMMEDIATELY CONTAIN AND LIMIT THE EXPOSURE by disconnecting the physical network cable from the network jack or from the back of the machine. Document all steps taken. Include the date, time, location(s), person/persons involved and action taken for each step. Physically label the machine to not be touched by anyone except as directed by IT. DO NOT ACCESS or alter suspected or confirmed compromised machines or systems. For example: o DO NOT log in at all to the machine to change passwords, do not log in as ROOT, and do not log in remotely. o If actively logged in during suspected compromise, do not log out; do not open any more files or software services. 7. Suspected hard copy breach In the case of hardcopy exposure or loss of credit card cardholder information: Document all steps taken. Include the: 1. Date 2. Time 3. location(s) 4. Reasons for suspicion 5. Person/persons involved and action taken 6. Any interaction with external organisations such as law enforcement and the reason for the interaction. 8. PCI Response team actions

4 Ensure compromised device or system is isolated and not being used for further payments. Work with the necessary teams/ individuals to gather, review and analyse all centrally maintained system, firewall, file integrity and intrusion detection/protection system logs where appropriate to the compromise. Assist department in analysis of locally maintained system and other logs, as needed. Conduct appropriate forensic analysis of compromised system. Contact through Global Payments, the necessary card companies and inform them of the breach. Inform Information Commissioner s Office where appropriate. Make forensic and log analysis available to appropriate law enforcement or card industry security personnel. Assist law enforcement and card industry security personnel in investigative process. Appendix A: Card Brand Reporting

5 VISA Europe Follow the VISA link what to do if compromised pdf Immediately contain and limit the exposure and minimise data loss. Prevent the further loss of data by stopping taking Visa card transactions and divert payments to a known secure channel such as telephone. Immediately report the suspected or confirmed security breach directly to your acquirer (merchant bank). If you do not know the name and/or contact information for your acquirer (merchant bank), notify the Visa Europe Data Compromise Team: +44 (0) or datacompromise@visa.com MasterCard Follow MasterCard document: MASTERCARD ACCOUNT DATA COMPROMISE USER GUIDE.PDF Discover Card Specific Steps: 1. Within 24 hours of an account compromise event, notify Discover Fraud Prevention at (800) Prepare a detailed written statement of fact about the account compromise including the contributing circumstances 3. Prepare a list of all known compromised account numbers 4. Obtain additional specific requirements from Discover Card