
What To Do When Your Organization Falls Victim to a Credit Card Data Breach

By ERMProtect Staff

Credit card data breaches cost companies millions of dollars every year. Smaller businesses often suffer a disproportionately large impact and can collapse under the combined weight of fines and penalties, loss of data and customers, forensic investigation fees, and the cost of rebuilding their security.

All merchants that accept credit cards - whether retailers, ecommerce sites, universities, law firms or others - are exposed to a breach because credit card data is valuable to attackers. The average cost of a data breach was $4.35 million in 2022.

The risks and costs associated with a data breach, especially one involving credit card information, aren't limited to direct financial losses. A breach of credit card data can erode consumer trust, force systems to be shut down for weeks or even months with the resulting loss of business, and can even bring about the end of a small or medium-sized business.

If you identify or suspect a data breach within your organization, it is important to act quickly and limit the damage. Here are the most important steps to undertake if you find your organization has faced a breach involving credit card data.

Implementing Your Incident Response Plan

Your organization should already have an incident response plan in place before a breach occurs, so that when one does you can act immediately to limit the damage. An incident response plan is a detailed guide to the steps to take as soon as a data breach is detected, in order to limit losses. It usually covers identification of the threat, scoping to determine its nature and extent, containment of the threat, and remediation to reduce the risk of another attack.

Hiring and Working with a PFI

A PFI is a Payment Card Industry Forensic Investigator who is certified by the Payment Card Industry Security Standards Council (PCI SSC) to conduct forensic investigation of credit card breaches. In the case of a serious breach or repeated breaches, the major credit card brands may require your organization to hire a PFI company to investigate and to document compliance gaps.

PFIs undergo rigorous annual training to maintain their certifications to investigate on behalf of the credit card brands and the PCI SSC. They are highly experienced at both data breach investigations and PCI compliance. They prepare detailed reports of the root cause of breaches and document any compliance gaps that contributed to them. They work alongside breached entities to ensure the breach is contained. Further, they recommend steps to improve overall security at the organization subjected to an attack.

The PFI must submit a report to the PCI SSC and to all of the major credit card brands, which review it and provide feedback aimed at ensuring better security and tighter compliance. These investigations can take weeks or even months, and can lead to merchant fines. That's why it's a better bet for organizations to ensure they are PCI compliant at all times, to reduce the chances of both a breach and fines.

Limiting Data Exposure

Limiting access to data and systems is very important once a breach has occurred. It helps minimize the damage an attacker can do by altering information in your systems or using customers' card data to commit financial or identity fraud.

You must be able to isolate affected systems without turning them off or inadvertently destroying evidence. Sever the connections between the affected system and other systems, but do not turn off or reboot any device, clear log files, log in to an affected system, or delete infected software or files. Any of these could result in the loss of evidence.

Managing Third-Party Exposure

When your systems are breached, any third-party providers who process or store your cardholder data may also be affected. Make sure they are aware of the breach and are able to implement their own incident response plans. If your PFI finds that a third party is also affected, they may broaden the scope of their investigation to include it. Make sure your third-party providers understand this and are required by contract to cooperate with the PFI as needed.

Notifying Affected Parties

When you face a credit card data breach, your organization isn't the only entity affected. The breach may have implications for your customers, your payment card brands, merchant banks, and third-party contractors such as web hosting providers, cloud service providers and others. Under PCI DSS (Payment Card Industry Data Security Standard) guidelines, you may be required to notify certain parties, including your bank and brand partners. Make sure you know these rules and can readily notify the affected organizations.

Validating PCI DSS Compliance

All merchants that accept and process credit cards are required to comply with PCI DSS, a set of standards designed to keep cardholder data safe from a breach or leak. In the event of a breach, once the forensic investigation is complete and the breach has been contained, the investigator will issue security improvement recommendations to prevent a future breach. Depending on the size of the organization, it may also be required to provide a Report on Compliance (ROC) or a Self-Assessment Questionnaire (SAQ) to prove compliance with the standard.

Selecting The Right PFI For Your Organization

PCI Forensic Investigators must be certified by the PCI SSC and must work for a certified QSA (Qualified Security Assessor) company. Very few organizations are approved as PFIs - there are only about 22 certified PFI companies globally, including ERMProtect.

In addition to the qualification requirements, which require PFI companies to be QSAs in good standing and to hold certain permits and licenses, the PCI SSC also imposes stringent independence requirements. These state that a PFI company cannot investigate any entity for which it has performed PCI work in the past three years.

When deciding which PFI firm to employ, make sure the firm and the investigator handling your case both have current PFI certification, have not been employed by your organization in any other capacity, and have a strong reputation.

Cooperating With a PFI Investigation

It is a good idea to have a basic understanding of the PFI process, so that you can support your PFI in conducting the investigation.

One of the first things a PFI does is determine the scope of the investigation. Once the scope is defined, it is your responsibility to isolate the in-scope systems. Your PFI may have to widen the scope of the investigation to include a third-party provider if it finds that the provider has been compromised. Your organization should provide access to any data, facilities, and systems the PFI requires, and grant access to third-party contractors if they fall within the scope of the investigation.

To preserve evidence ahead of an investigation, be sure not to shut down or access any affected systems, delete files or compromised software, or use the compromised system at all, unless instructed to by the PFI. You may isolate affected systems by revoking wireless access or unplugging the network cable.

Preventing Future Credit Card Breaches

A data breach is always a painful and expensive experience, even if you manage to contain it and limit the damage quickly. PFI fees, fines, and re-assessing PCI compliance all add to the cost, even before data losses are taken into account.

In order to prevent a breach from occurring again, you should:

  • Stay compliant with PCI standards. Although this might sound obvious, PCI DSS has been carefully designed to help merchants understand what steps they can (and are required to) take to protect the security and privacy of their customers. Simply meeting basic PCI DSS requirements such as firewall configuration, encryption, regular maintenance of security systems, and regular security testing can close the biggest holes in your security.
  • Ensure anti-malware software stays up to date. As malware grows more sophisticated, anti-malware systems must constantly adapt and improve to keep up. Make sure you are running the most recent version of the anti-malware software you employ and update it regularly.
  • Pay attention to hardware as well as software. Security vulnerabilities can be present in hardware as well as software. Be sure that any hardware devices used to input, process or store credit card data - including POS (point of sale) systems, credit card readers, PCs, etc. - do not have any security gaps.

ERMProtect Cybersecurity Solutions is one of only about 22 firms in the world certified to conduct PFI investigations. If you need an experienced company to get to the bottom of a credit card breach, contact Judy Miller at [email protected].

Founded in 1998, ERMProtect is a leading cybersecurity firm serving more than 400 clients globally. Services include Incident Response, Digital Forensics, IT Security Assessments, PCI & Data Compliance, Penetration Testing, SOC2 Audits, and Crypto Investigations. The firm is located at 800 S. Douglas Road, Suite 940, Coral Gables, Florida 33134. For more information, go to or email [email protected].
