Credit Card Breaches – Payment Card Investigations
We have all read recent news stories about companies that have been breached and had credit card information stolen. By following the Payment Card Industry Data Security Standard (PCI-DSS) requirements, companies could have prevented most of the breaches relating to cardholder data (CHD). So rather than focus on what to do before you experience a breach, this article deals with the aftermath of a breach event.
Before we begin discussing the investigation process once you have been breached, let’s discuss who is affected and why.
We know that if you process, store or transmit CHD, you must be fully compliant regardless of the amount of transactions in a given year. However, the amount of effort to prove compliance to PCI-DSS is greatly impacted by whether you are a Service Provider or Merchant, the amount of transactions and whether or not you store CHD.
A bad day
You receive a letter from your favorite payment brand, which states that your organization has experienced a breach of CHD. A copy of the letter has also been forwarded to your merchant bank; as a courtesy. Typically you have a week to respond to their request to have a PCI Forensic Investigator (PFI) determine how the breach occurred. Notice that you are pretty much guilty until proven innocent, and to select your vendor of choice, you are directed to the PCI PFI list.
The PFI company’s intent is not to prove your innocence, but rather to determine if there is any evidence of vulnerability that allowed the breach to happen.
How do the payment brands know before you do?
Simple, it’s their job! They have nerds that do correlation and analysis on all credit card purchases and determine if cards compromised can be triangulated back to a particular merchant . . . in this case, you. It might be only twenty or thirty cards, but they suspect that something bigger may be happening, and within a 95 percent confidence interval know that a breakdown of controls has occurred.
Let’s be honest, how many of you can actually say you are 100 percent compliant to PCI-DSS right now? So what happens? You contact a few companies off the PFI list and select a company you believe has the best qualifications given your company size, resources and overall knowledge of PCI. Keep in mind; the PCI council has already vetted all the companies on the list to ensure that they comply with the stringent requirements of the payment brands for conducting an investigation.
What will the PFI Investigator Do?
7 Steps of Investigation
1. PCI Gap, Data Flow and Network Architecture
The PFI Company will ask for various documents before the investigation begins, like network diagrams, penetration test results, ASV scans and current SAQ or Report on Compliance (RoC). By the way, your current QSA that attests to your RoC cannot perform the investigation; this would be a conflict of interest.
The PFI investigator will conduct a PCI Gap of your current environment to the PCI-DSS requirements. In order to facilitate this gap, the investigator will perform a data flow for all CHD systems. This includes external providers that you may use throughout the payment processing. The investigator will map the data flows to the underlying infrastructure, ultimately creating a detailed map of the PCI environment and associated controls.
Remember, the investigator cannot rely on information from your QSA or company resources exclusively. The investigator must conduct an independent analysis and be assured that the scope of the environment is completely known and understood.
Key point: Many times clients think that it is the QSAs job to “find” the PCI data, and that companies can hide or take systems out of scope without the QSA knowing. While there is some truth to this, if the investigator finds that the company has excluded (knowingly or unknowingly) systems from the PCI environment, the investigator will immediately inform the client of the violations and document for future follow-up by the payment brands.
2. Collect Evidence
Once the environment is known, the investigator will start to collect evidence from the systems/devices that are suspected to be involved in the breach. There are a variety of ways that evidence can be collected, but any method employed must follow the PFI requirements. Typically, the investigator will use acquisition tools to create a bit by bit capture of the entire operating system. Yes, this includes mobile applications and Point of Sale terminals.
3. Preliminary Report
The investigator is responsible for keeping the payment brands informed of all proceedings in the investigation and preparing formal reports, including a preliminary report. The purpose of the preliminary report is to notify the payment brands of any major nonconformity to PCI-DSS and to provide an opinion as to how CHD was compromised. The company may or may not see this report.
Of course once the evidence is collected, detailed analysis must be conducted. While most of this is done offsite at the investigator’s lab, some involvement from the company might be needed. The investigation includes both manual and automated tools to perform detailed analysis.
5. Containment Strategy
Once the proceeding steps are performed, the investigator will develop a containment strategy. The containment strategy outlines all the required controls needed to mitigate the current breach, in addition to any PCI-DSS controls that were found to be deficient. The implementation of the containment strategy can be done by the company, or another firm; however, a detailed project plan will need to be developed and supplied to the payment brands for review and acceptance.
6. Containment Verification Services
Once all the recommendations have been implemented, the PFI investigator must perform various assessment services to ensure that everything has been done in accordance to the containment strategy. Typical services include ASV scans, penetration testing, wireless assessments and host interrogation reviews.
7. Final Report Issuance
Once the verification services are completed and the company is PCI compliant, a final report will be issued to the payment brands for review. This concludes the PFI investigation.
Is That It?
Not quite. Throughout the process, additional credit cards may have been compromised or more could have been reported stolen. The merchant bank may impose fines and other penalties on the company, including making the company conform to PCI-DSS as a level 1 merchant.
If you have ever been through PCI compliance, you know that it is not cheap. However, it beats the alternative of not being compliant and experiencing a breach. Given the size and complexity of your organization, costs can be high, especially when you include penalties and fines. While everything depends on the company, the typical PFI investigation will take three months, with costs ranging from $50 – $250k.
I wrote this blog to respond to an overwhelming number of companies that have inquired into the process, time and overall cost of a CHD breach. SecureState is a registered PFI company, and conducts various investigations on behalf of the PCI council. All information contained in this article is for the purposes of awareness and education. If you have experienced a breach, contact a PFI company immediately.