What to do if a PCI Data Breach Occurs
Finding out that you have been breached can throw your entire organization into crisis mode. The response that follows can seem chaotic, scary, and overwhelming, but handling the breach well, and having prepared to handle it, goes a long way toward ensuring your organization survives the aftermath.
Breaches happen whether you are prepared or not and whether you are PCI compliant or not. In fact, during a typical 8-hour workday, 1,850,832 data records are lost or stolen. Rather than treating a breach as a matter of if, universities should prepare for when. Coming to terms with the fact that you are a prime target is the first step. From there, you can begin to craft a response team and protocol that minimizes negative fallout, including financial, legal, or reputational damage.
According to the Ponemon Institute, data breaches within the education industry in the U.S. cost $245 per record lost, a figure that exceeds the worldwide average by $45, or 22.5%. Preparing for the worst means creating containment and remediation protocols that can be activated as soon as a breach is detected.
If a breach occurs, the first thing to focus on is containment. It is essential that you do not turn off or power down computers, terminals, or other network equipment: doing so destroys volatile forensic evidence (memory contents, running processes, active network connections) that will be needed to establish how the breach happened, to fix it, and to prevent a repeat. Instead, disconnect routers, terminals, modems or any other equipment that touches (uses, stores, transmits, accesses) sensitive customer information from both the internet and the internal network, for example by unplugging the network cable or disabling the switch port, and leave the equipment powered on.
Finding the Root of the Problem
Uncover how your organization may have been compromised:
Direct hack of the internal network
Malware attack or viruses via infected websites or email
The use of default login credentials on a system or network
Through a vendor, online shopping cart provider, or web host that has remote access to your network and was breached
This can get complex, as you may have to trace the point of entry back through several campus units and merchant accounts. While the first review looks at outside sources of the attack, it is also important to look at employees and business units. The humans behind the computers are prone to error and carelessness, and in some unfortunate cases to deliberate malicious acts, so all avenues should be considered. Evaluate whether staff may have accidentally or intentionally disclosed credentials, or details of a merchant processing account, to unauthorized parties. Look into potential failures to follow protocols, policies, and procedures for handling sensitive payment information.
Identifying the Scope of the Problem
By homing in on the source of the breach, you can not only put a stop to it but also determine more accurately how long information was at risk. At this point, an impact analysis should be completed to identify the complete scope of compromised data, including how much and what kind of information may have been compromised. Information to consider includes:
Payment data (card account numbers)
Payment card security numbers (CVV2, PIN, etc.); PCI DSS prohibits storing this sensitive authentication data after authorization, so finding it stored at all is a finding in its own right
Payment card expiration dates
Contact information (physical addresses, email addresses, social security numbers, passport numbers, tax information, etc.)
Also identify the exposure time frame, and note that it may be longer than originally thought. Often the card brands, issuing banks or your acquirer will be the first to notify you of a suspected compromise, but the window they quote is inferred from limited information (typically fraud reported on cards that share a common point of purchase) and should be treated as a lower bound until your own analysis confirms it.
In terms of remediation, there are several steps your university should walk through. During this time, it is important not to "hide" the fact that a breach has occurred. Have a PR response primed and ready, as any perceived dishonesty will only compound the reputational damage. Additionally, hiding or withholding evidence of a breach can result in hefty fines from regulators.
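Scoping means finding out where card data actually sits on the affected systems, normally on forensic copies rather than on the live machines. The following Python script is an added example, not code from this page or from Arrow Payments: it searches text for 13-19 digit runs that pass the Luhn check, hints the brand from the leading digits, flags labelled security codes and expiry dates, and reports PANs masked to first six/last four so the report itself does not become cardholder data. The sample lines and hostnames are constructed, and the card numbers are the industry's published test PANs.

```python
import re
from dataclasses import dataclass

# Constructed sample of the kind of text found on a compromised checkout host
# (a web log, a CSV export, a ticket note). All card numbers below are
# published test PANs, not real cards; "ORD-1234567890123456" is a 16-digit
# order number that fails the Luhn check and must NOT be reported.
SAMPLE = """2024-03-02 10:14:07 web01 checkout: order=ORD-1234567890123456 card=4111 1111 1111 1111 exp=09/26 cvv2=123 amount=49.00
2024-03-02 10:15:12 web01 checkout: card=5555-5555-5555-4444 exp=11/25
"Smith, J.",378282246310005,"1234 Campus Dr"
6011111111111117|12/27|support ticket 20240302
"""

# 13-19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Labelled security codes only: bare 3-4 digit runs are far too noisy to report.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[:=]\s*\d{3,4}\b", re.IGNORECASE)
EXP_RE = re.compile(r"\b(?:0[1-9]|1[0-2])/\d{2}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand(pan: str) -> str:
    """Rough issuer hint from the leading digits, enough to route notifications."""
    if pan.startswith("4"):
        return "Visa"
    if pan[:2] in ("34", "37"):
        return "American Express"
    if 51 <= int(pan[:2]) <= 55 or 2221 <= int(pan[:4]) <= 2720:
        return "Mastercard"
    if pan.startswith("6011") or pan.startswith("65"):
        return "Discover"
    return "unknown"


def mask(pan: str) -> str:
    """First six and last four only, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    line_no: int
    kind: str    # "PAN", "CVV" or "EXPIRY"
    detail: str  # masked PAN plus brand, or the label that matched


def scan(text: str) -> list[Finding]:
    """Report card data found in text. Never stores or returns a full PAN."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append(Finding(line_no, "PAN", f"{mask(digits)} ({brand(digits)})"))
        for m in CVV_RE.finditer(line):
            label = re.split(r"[:=]", m.group())[0].strip()
            findings.append(Finding(line_no, "CVV", label))
        if EXP_RE.search(line):
            findings.append(Finding(line_no, "EXPIRY", "MM/YY present"))
    return findings


def summarize(text: str) -> dict:
    """Counts per data type, the numbers an impact analysis needs."""
    counts: dict = {}
    for f in scan(text):
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line_no}: {f.kind} {f.detail}")
    print(summarize(SAMPLE))
```

Run it over exported logs, database dumps and mailbox exports from the forensic images; the per-type counts and line references feed the impact analysis, while the masked output can be shared with the acquirer and legal counsel without spreading cardholder data further.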
Digital evidence of a breach must be preserved to determine the source and cause of a compromise, as well as what was stolen. Earlier, we mentioned that you should not turn off any systems, but to isolate them from the network. Additionally, you should:
Not log on to compromised systems (or access or update systems in any way)
Document any and all components involved in the compromise (servers, databases, PCs, terminals, etc.)
Document all actions taken to contain and remediate the breach and be sure to include dates, times, participating individuals, and details around the actions performed
Preserve any logs (database logs, firewall logs, web logs, etc.) as well as any other evidence available
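Preserved logs are only useful as evidence if you can later show they have not changed since collection, and the action log in the step above is only credible if each entry is timestamped. The following Python script is an added example, not code from this page or from Arrow Payments: it hashes every file in an evidence directory into a manifest that records the collector, the case ID and a timestamped action log, then re-verifies the hashes to detect a missing or altered file. The case ID, user name, hostnames and log lines are constructed.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large logs do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: Path, case_id: str, collector: str) -> dict:
    """Hash every file under evidence_dir and record who collected it and when."""
    entries = {}
    for path in sorted(p for p in evidence_dir.rglob("*") if p.is_file()):
        st = path.stat()
        entries[str(path.relative_to(evidence_dir))] = {
            "sha256": sha256_file(path),
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        }
    return {
        "case_id": case_id,
        "collected_by": collector,
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "files": entries,
        "actions": [],
    }


def log_action(manifest: dict, actor: str, action: str) -> None:
    """Append a timestamped entry to the chain-of-custody action log."""
    manifest["actions"].append({
        "at_utc": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
    })


def verify_manifest(evidence_dir: Path, manifest: dict) -> list[str]:
    """Return the names of files that are missing or no longer match their hash."""
    problems = []
    for name, rec in manifest["files"].items():
        path = evidence_dir / name
        if not path.is_file() or sha256_file(path) != rec["sha256"]:
            problems.append(name)
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Preserve two constructed logs, then show that a later edit is detected."""
    with tempfile.TemporaryDirectory() as tmp:
        ev = Path(tmp)
        (ev / "fw").mkdir()
        # Constructed sample lines (hypothetical hosts and addresses).
        (ev / "fw" / "firewall.log").write_text(
            "Mar 2 10:14:07 fw01 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=10.0.5.20 DPT=3389\n")
        (ev / "web01-access.log").write_text(
            '203.0.113.9 - - [02/Mar/2024:10:14:07 +0000] "POST /checkout HTTP/1.1" 200 512\n')
        manifest = build_manifest(ev, case_id="IR-2024-0302", collector="j.doe")
        log_action(manifest, "j.doe", "isolated web01 from the network, left powered on")
        before = verify_manifest(ev, manifest)
        # Simulate an edit to a preserved log, which the manifest must catch.
        with (ev / "web01-access.log").open("a") as fh:
            fh.write("tampered\n")
        after = verify_manifest(ev, manifest)
        return before, after


if __name__ == "__main__":
    print(demo())
```

Store the manifest separately from the evidence (ideally signed or on write-once media) and hand a copy to the forensic investigator with the evidence itself; re-running the verification when the evidence changes hands is what turns a pile of logs into something that will hold up with the card brands or in court.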
Enacting a Notification Plan
When a breach occurs, your university should have a notification plan in place to alert all relevant parties that a compromise has taken place. This plan should consider, at a minimum, the following parties:
IT/IS departments and any incident response teams
Acquiring bank/merchant bank
Merchant services provider
Third party providers (web hosting, POS vendors, other payment services providers)
Relevant manufacturers (e.g. if the breach stemmed from a compromised POS terminal, contact the manufacturer)
Legal counsel to determine whether additional notifications are mandated (e.g. local or Federal law enforcement agencies, affected parties, etc.)
Completing a Forensic Investigation
Depending on what information was compromised and how, you may be required to have an independent investigation completed by a PCI Forensic Investigator (PFI), a forensic firm approved by the PCI Security Standards Council. The card brands usually require a PFI to be engaged within a set number of days of the compromise being discovered, and the investigator's report must be delivered within set deadlines and in the prescribed format as well.
Safety in Numbers
Security and PCI compliance require ongoing vigilance. The breadth of responsibilities can sometimes be overwhelming for universities that consist of multiple campuses, business units, and merchants.
Achieving the full breadth of data protection often calls for the help of a trusted partner that is experienced in helping higher education institutions remain PCI compliant and secure. Thankfully, Arrow Payments can be that partner. Get in touch to see how we can help keep you secure.