The Payment Card Industry Data Security Standard (PCI-DSS) requires organizations that accept credit card payments to:
- “Create an incident response plan to be implemented in the event of a system breach”
- “Review and test the plan” (minimally on an annual basis)
- “Provide appropriate training to staff with security breach responsibilities”
- “Develop a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments”
Most organizations that accept credit card payments aren’t in the business of cybersecurity. The idea of a data breach is difficult to grasp.
What are the ways that it could happen? How can you guard against it? How would you know if a breach happened? What would you do about it if you knew a breach had occurred? What would be the consequences to your business?
Required Cybersecurity Controls
The PCI-DSS requires that your organization implement a specific set of cybersecurity controls, based on how your organization deals with credit card information. These cybersecurity controls are intended to prevent a security breach that would put credit card information at risk, and allow you to detect a breach should it occur.
But data breaches happen every day, and often go undetected for extended periods of time, even when the required cybersecurity controls are in place.
In many cases, an organization is completely unaware that a data breach has occurred until its merchant bank or payment processor calls to report that fraud has been detected on a large number of credit cards recently used to transact with the business.
Your Organization’s Vital Incident Response Test
The incident response test required by the PCI-DSS, if conducted properly, provides your organization with:
1. Invaluable preparation to respond to a suspected or confirmed breach
2. An effective means of continually improving your organization’s cybersecurity program to prevent a breach from occurring in the first place
In the context of PCI certification, and general cybersecurity best practices, an “incident response test” is essentially a tabletop exercise: a meeting where a few potential breach scenarios are discussed in some detail with the relevant members of your organization, and potentially third-party service providers who would be involved in the case of a breach.
What Would You Do If …
The exercise of discussing potential breach scenarios is vital because you don’t want the first time your organization asks “what should I do if …” to be during an actual breach. These scenarios must be discussed among the team before a breach occurs, at a ‘safe distance’ from an actual event, so that the members of your team can think clearly.
Questions come up during such exercises that change your perspective and allow your organization to significantly improve your incident response capability with relatively small investments of time and money:
- Who are you required to notify? Banks, processors, business partners, customers?
- Are you sure that you have the correct contact information?
- What would you tell them?
- Where would you find the information you need from the systems to find out what happened?
- Would you understand what you were looking at?
- How would you determine the extent of the breach, or even make certain that there was a breach?
- Do you have the tools that you would need to even try any of this?
- If the response to such a breach is outside of your capabilities, who would you call? Do you have an arrangement in place to get the help when you need it?
These can be scary questions of course, but it’s better to ask them now, and to have thought them through to a reasonable degree ahead of time so that you can be prepared to act decisively and responsibly, even if that just means knowing who to call.
This is the intent of the incident response planning and testing requirements of the PCI-DSS: to prepare your organization as best as possible to minimize the damage of a security breach, thereby (hopefully) minimizing the amount of credit card information put at risk.
Taking Proactive Steps
The real value of a cyber incident response exercise is when the questions start to move in a proactive direction:
- How would you detect such a breach?
- How can you alter your security monitoring processes to detect such breach activity faster?
- Now how can you adjust existing security controls, or implement new ones, to better prevent such a breach from occurring in the first place?
These are the types of questions that result in the continued improvement of your cybersecurity program, and take you past just ‘checking the box’ for your PCI-DSS certification, to a place where you are actually protecting your information.
Even if you work with a company like Constellation Payments for payment processing/merchant services that reduces your PCI scope, your organization should conduct an incident response test to ensure that the proper safeguards are in place at the organization/employee level.
I hope this article gives you a good starting point to develop your own incident response test. If you have any questions on performing an incident response test at your organization, or questions around cybersecurity, feel free to reach out to me.
Dominic Genzano is the CEO and co-founder of STIGroup, an Information Security Consulting firm that provides a full suite of Information Security services. In his role, Dominic leads the continued development of the CyberSecurity services strategy. As an established cybersecurity industry expert, and a principal consultant of STIGroup, he has led significant security initiatives for major private corporations and public sector entities.