It’s nearly impossible not to panic as you imagine the headlines and the damage this can do to your business and reputation. Unfortunately, this scenario happens a lot more frequently than most people think.
Let’s step back and develop a checklist of how you should react to a compromise of credit card data. The most important thing to remember is to immediately stop the breach, if possible, or isolate the problem. The best defense is to be well-prepared. Here’s what should have been accomplished before the compromise occurred as well as what actions to take immediately following the breach:
- You must be Payment Card Industry (PCI) Data Security Standard compliant. This would include having quarterly vulnerability scans done.
- Immediately put into action your preexisting containment plan.
- Notify law enforcement.
- Notify your merchant financial institution and/or processor.
The information you should have available includes:
- Why you suspect you have been compromised.
- Any documentation indicating the potential size of the compromise.
- Names of people with access to the information.
- The name of your processor and merchant bank, and the appropriate identifying information.
- The physical location and equipment where the suspected breach occurred.
Here are the immediate steps for overcoming a credit card breach:
Multiple regulations rule the appropriate response to a breach. These include federal regulation and rules associated with the PCI Data Security Standard. The most important aspect, as mentioned before, is to be PCI compliant.
Compliance addresses multiple areas of assessment and vulnerability scans. However, it’s critical that under no circumstances are certain pieces of data stored or present in your environment. Two specific questions must be answered: May the specific data be stored? And, if it is allowed to be stored, how must it be protected?
A specific PCI section (3.4) defines the requirements for protection of allowable stored data and indicates testing procedures that must be accomplished. Boiled down, it means you must render any primary account number (PAN) unreadable anywhere it is stored (including data on portable digital media, backup media, in logs and data received from or stored by wireless networks) by using any of the following approaches:
- Strong one-way hash functions
- Index tokens and pads (which must be securely stored)
The following is the list of the various elements associated with PANs and their storage:
So what does this mean to you? First and foremost, awareness is critical. Never store (or allow staff to keep) any of the following information:
- Magnetic stripes on credit cards
- Three-digit codes on the backs of Visa or MasterCards
- Four-digit codes on the front of American Express Cards
- Personal identification numbers (PINs)
If you retain the cardholder name, service code or the expiration date of the payment card, make sure you protect that information. There is no specific requirement under PCI as to the methodology used for protection, just that compliance should be in place. Finally, be sure to follow PAN requirements as stated above.
In today’s environment, the theft of credit card numbers is a multi-jurisdictional issue. The crime is more broadly classified with the theft or unauthorized use of personal data. On the federal level, the FBI and Secret Service lay claim to these areas. On the local level, start with the police department and await guidance.
If a breach occurs, notify your merchant service provider immediately. The merchant service provider will instruct you on additional system-reporting requirements based on the circumstances involved. Some of these requirements include public disclosure.
In addition, isolate the affected computer from the network by unplugging its cable. Do not turn the affected machine off, log onto it or change any passwords. Change any wireless network passwords, including the router(s). Change all network user and administrator passwords. Preserve the evidence, making sure to keep an accurate record of all actions taken, by whom and the time and date of the action.
Visa Fraud Control
In the event of either a suspected or actual breach, the Fraud Control Group offers specific inputs. The group works with the compromised entity to obtain all potentially compromised account numbers and providing that info to the issuing banks. It begins monitoring the activity on the affected accounts and works with appropriate law enforcement on the entity’s behalf. Visa has further identified the top-five data-security vulnerabilities:
- Storage of track data and other sensitive data
- Missing or outdated security patches
- Vendor-supplied default settings and passwords
- SQL injection
- Unnecessary and vulnerable services on servers.
If any of the above five apply to your environment, they should be immediately rectified. Remember the key to compliance and understanding your own vulnerabilities is the local environment. Do not depend on providers to protect you.
Ross Federgreen is a co-founder of CSRSI, which provides an integrated approach to the analysis, design, implementation, deployment and management of electronic transaction services and systems. Since 1999, the company has helped more than 350 public and private institutions reduce the cost of acquiring money and minimize liability exposure related to payment transactions and customer data. For more information, call 866.462.7774, ext. 23; e-mail firstname.lastname@example.org; visit www.csrsi.com.