How to Implement a Successful Incident Response Plan for PCI DSS

What do you do when you get hacked? Your organization could be in big trouble when your bank or the media hears that a third party has attacked you. With the growth of technology and connected applications, many businesses feel threatened.

PCI DSS requires companies to adhere to several specific requirements when they process, transmit or store payment card transactions. Each year companies must comply and renew their certification; however, many are still experiencing security breaches.

See Also: PCI DSS Disaster Recovery Requirements

Regardless of their situation, all these companies must be prepared to deal with a cardholder data breach. PCI DSS does not provide specific guidelines on how to handle a security breach. Each payment card brand has its policies and procedures, and in some cases, there are differences between them.

A compromised organization that fails to follow payment brands’ procedures or meet reporting deadlines could expose itself to hefty fines and lose the authority to process payment card transactions.

See Also: How are the PCI Risk Assessment Requirements Implemented?

PCI DSS requires the development and maintenance of documentation, implementation of preventive and detective security controls, and processes to identify and control any security breach attempt as soon as possible.

Preparation for an incident is particularly critical as Payment Card brands have different security compliance programs and, therefore, different approaches to dealing with a security breach.

Lack of preparation can result in additional fines by payment card brands, additional costs in deploying forensic services, and even the risk of losing the ability to process payment card transactions indefinitely.

Companies must carefully implement an incident handling process to minimize these risks, even if they are PCI DSS compliant.

Developing and implementing an incident response plan will help the company deal with a data breach efficiently, effectively, and with minimal damage. So, how do you start developing an incident response plan? Below you can find information on how to create a successful incident response plan for PCI DSS.

Is the incident response plan a PCI DSS requirement?

PCI DSS Requirement 12 outlines the actions businesses will take concerning their response plans for an incident. Below you can find the PCI DSS requirements for the incident response plan:

PCI DSS Requirement 12.10.2 – Test the incident response plan at least annually.

PCI DSS Requirement 12.10.3 – Assign a specific person who can operate 24/7 to resolve incidents.

PCI DSS Requirement 12.10.4 – Regularly train personnel with incident response responsibilities.

PCI DSS Requirement 12.10.5 – Set up intrusion detection, intrusion prevention, and file integrity monitoring alerts.

PCI DSS Requirement 12.10.6 – Apply an industry-specific mechanism to update and implement the incident response plan and organizational changes.

Often, people view PCI DSS as a compliance standard that focuses solely on preventing security breaches. However, many of its requirements form a basis for an effective emergency incident management and forensic investigation process. When properly implemented, PCI DSS compliance should provide all necessary detection controls to identify and control a security breach.

Generally, PCI DSS does not provide any guidance regarding event handling, but some requirements may apply to the preparation, description, and learning phases. Some Payment Card Brands have particular requirements for containment, destruction, and recovery phases.

How to start creating an incident response plan?

In case your organization is violated, you should have an up-to-date response plan for the accident.

You cannot afford to be caught unprepared for the consequences of a data breach. It is up to you to track down and protect your brand in the face of the potentially damaging impact of a data breach on your reputation.

Creating and implementing an incident response strategy helps your company deal with a data breach quickly and efficiently while minimizing damage.

Preparing an emergency action and response plan can be a bit daunting at first. In this article, you can learn the basics of the incident response plan, how to better establish and implement your incident response plan, and what should be included in your response plan.

1. Identify and prioritize your critical assets

Start by identifying and saving where the organization’s primary data assets are stored. You need to consider which of your resources will result in heavy losses to your organization if they are stolen or damaged.

You need to make sure you know where your organization stores critical data resources. In short, if you are stolen or damaged, it will be enough to ask yourself what will cause my company to go bankrupt or suffer heavy losses.

Once your critical asset lists are created, prioritize based on their merits and the highest risk. Make sure asset values ​​are measured. Determining your assets’ value and risk group will help explain the conservation budget and show managers what you are trying to secure and why it is essential.

2. Identify possible risks

Look at the most significant risks posed for your corporate systems. Identify the greatest potential threats to infrastructure and what threats and attacks are.

Remember that the risks will be different for each company. Some organizations should focus more on maintaining physical protection. Some businesses may concentrate on protecting their apps for remote access.

A few examples of potential risks are given below:

  • Removable or external media
  • Brute force attacks
  • Web
  • Email security
  • Impersonation
  • Loss or theft

3. Establish procedures and policies

You cannot assume that your employees will know what to do in case of violation. Unless you need to follow a set of hands-on procedures, a disappointed employee may make critical mistakes that could cost your organization. Your data breach prevention policies and procedures should include the following:

  • Determining and limiting the violation
  • Recording information regarding the violation
  • Notification and communication plan
  • Defense approach
  • Employee training

You need to tailor your policies to your company. Some companies may require an intense warning and communication program, while others may need outside support to get help. However, both companies will need to focus heavily on training workers. Over time, you may also need to change your policies to suit your organization’s needs.

4. Establish an incident response team

Once a data breach is detected, you must assign a team to help organize the company’s activities. This team’s goal is to help manage resources as soon as possible after a security incident to restore operations and reduce damage.

Some of the team roles required are:

  • Team leader
  • Principal investigator
  • Communication leader
  • C-suite representative
  • IT Manager
  • Public relations
  • Documentation and timesheet leader
  • Human Resources
  • Legal representative
  • Incident response experts

Ensure your response team covers all aspects of the company and recognizes the unique locations in the plan. Your response team’s different scope will bring a unique perspective to the table with the responsibility to deal with the crisis.

5. Make sure everyone knows the plan and support it

Without proper support and services, the incident management team cannot be successful in implementing the plan. Security is not a bottom-up process. Top management must recognize that security measures, including incident response plans, must be applied from above and driven down.

When you don’t have the necessary backups and resources to implement the plan, your emergency management team won’t be very successful. That’s why you need to make sure your employees know the importance and benefits of providing an incident response plan.

Corporate companies with the concept of an incident response unit should ensure that executive members own and support the plan. Organizations with extra support and dedicated resources for incident response will ensure that the team is also safe.

For corporate organizations, executive leaders should be included in the incident response team. Management support and involvement are essential for small organizations with extra funds and services devoted to incident response.

When presenting the response strategy for an incident, focus on how your plan will help the company. For example, if you suffer a data breach and handle the incident inadequately, your business’s credibility will likely suffer irreparable brand damage.

Present the strategy with how this will help the company, financially, and the brand. When you present your goals and priorities to protect your business, it will be easier for you to secure any funds needed to develop, execute and implement the plan.

6. Train employees on the incident response plan

Just creating an incident response plan will not help with a data breach. Your staff should pay attention to the schedule and be adequately informed about what to do in case of violation.

Employees need to be aware of their role in protecting businesses. Employees must learn how to detect social engineering threats, such as phishing attacks, and efforts to protect them.

Check your response plan with tabletop exercises. By checking your response plan in a possible hacking scenario, these exercises inform your staff about their specific positions in the event of a data breach.

By reviewing the plan, you can find and correct any gaps in the program. Also, the review can help those concerned see what they can change where.

Five essential items to include in your incident response plan list

Developing an incident response plan can be a bit complicated at first. It will help reduce some of the complexity by breaking down the project into smaller pieces making it more manageable. Every business is different, and you should create a variety of training, documentation, and policies tailored to your organization’s specific needs. However, there are a few key elements that most companies will include in their incident response plans.

Creating a detailed set of response lists is an excellent way to coordinate your response plan for an incident. Response lists are a series of “to do” lists that provide information and tasks that must be performed during a data breach.

While every organization needs a variety of policies, training, and documentation, here are a few examples of a comprehensive list of responses that most organizations should include in their incident response plans:

1. Contact list for emergencies

Correct communication is essential to address a data breach effectively, so you need a comprehensive emergency contact list to save time and communicate properly. The contact list will contain information about who to contact, how to reach them, when the time is right, and what to say.

The following units should be included in the contact list for emergencies:

  • Response team
  • Executive team
  • Legal team
  • Forensic medicine company
  • Public relations
  • Affected persons
  • Law enforcement agencies
  • Commercial processor

The contact list will provide information on how to reach out and what to say with such people. Pre-prepared emails and discussion points can help explain problems more clearly and help mitigate the event’s negative consequences early.

You need to define how and when you will alert emergency responders. Some states have legal time limits dictating when an organization will notify potentially affected cardholders and law enforcement. You should be aware of the laws in your state and be guided by making mandatory reports in your response plan for an incident.

Your incident response team should plan clear statements that appeal to various groups, including a statement of ownership, press release, customer message, and internal staff message. To start with, your ready emails and talking points should be pre-planned after a data breach.

Pre-identify at your company the person responsible for timely reporting and meeting your state’s explicit requirements.

2. System backup and recovery operations list

System backup and recovery processes list will help you solve the technical side of a data breach. The collection of system backup and recovery procedures will help you tackle a data breach’s technical aspects. A few items to include in the list are:

  • The process of disconnecting from the Internet.
  • System configuration documentation such as device descriptions, operating systems, IP addresses.
  • Processes for transferring, moving, and retaining evidence.

Steps to check system backup and verify that systems that are not compromised or suspected of being compromised will not affect it

The system backup and recovery operations list guide gives you quick steps to protect captured data and quickly manage the breach and protect your systems by backing up. The list is crucial to helping your company lose a lot of data in the event of a breach and get back to work as soon as possible.

3. Forensic analysis list

The forensic analysis list guide is for in-house forensic investigations. Your team needs to know the activity areas to search and access network protection and event logs.

A list of forensic research is given to organizations that use in-house forensic investigation tools. Your forensics team will need to know where to look for suspicious activities and access control of the network, and logs of incidents.

Some of the resources your team might need include:

  • Data collection tools
  • Write blockers
  • Cleaned/erased USB hard drives
  • Cabling for connections
  • Forensic analysis tools

When your company does not have access to an experienced in-house forensic expert, you may want to consider involving a forensic firm with pre-completed contracts.

4. Jumpbag list

The jump bag list is a get and goes response list. It is a list of incremental steps your staff must take immediately while responding quickly to a violation. The items on the list coordinate the strategy and avoid panic-related mistakes. A few things to add to the list are:

  • Log of event handler to document the event
  • Incident response team contact list
  • USB hard drives and write blockers
  • USB multi-hub
  • Flashlight, pens, notebooks
  • All plans mentioned in this article
  • DVD and USB with bootable versions of your operating system
  • Computer Toolkit
  • Forensic tools

5. Security policy review list

Your list of security policy reviews addresses your response to a violation and its aftermath. This list helps you analyze the breach. The security policy review list enables you to know what you can learn and change later.

The consequences and responses to the violation are discussed in the security policy review list. It helps you evaluate the company’s failure and what you need to learn from the dire situation. The following items should be listed in this list:

  • When by whom and by what method the violation was found.
  • Incident coverage / compromised systems.
  • Data at risk.
  • Changes to research or operations made during recovery.
  • Areas where the intervention plan is effective.
  • Areas requiring improvement.

You need to look at where security measures have failed and how they can be improved. The purpose of the list is to record the event as a whole, what was done, what worked, what was not done, and what was learned.

An incident management plan is useful only if it is well developed and employees comply. To assist employees, periodically monitor their responses through real-life simulations or applications known as tabletop exercises.

Tabletop activities allow employees to learn about emergency response positions and apply them when nothing is in danger, which can help you find gaps in your response plan and improve your program.

There are a few more points to remember when preparing your answer to an incident:

  • Educate employees on data protection: Help your employees see their position in protecting company protection by better identifying phishing emails, social engineering efforts, and the like. Training on data protection helps prevent data breaches and keeps the employee focused on safety.
  • Document everything: Documenting the plan is essential for setting procedures and staying on the same page.
  • Test your employees: Hire ethical social engineers to evaluate and train employees. Social engineering tests help employees apply what they have learned and be prepared for the real thing.

If you don’t already have a response plan for an incident, having it should be a top priority. Second, you should periodically review your strategy. Without daily desktop simulations and simulation training, workers can make poor choices that will worsen the impact.

A data breach can be the most challenging situation an organization has to deal with, but it doesn’t have to be the company’s end. By implementing a response plan for an incident, you can avoid significant brand losses.

It is difficult to be exposed to any data leakage. The harmful consequences of the violation will be more severe if you do not prepare in advance. Once you have an emergency plan, your staff and company will be ready to deal with it if the worst happens.

It is essential to quickly find the violation, determine where it came from, and determine what affected it.

What are the 6 Stages of the Incident Response Plan?

The incident response plan is a documented, written 6-step plan that helps IT professionals and employees identify and deal with a cybersecurity incident such as a data breach or cyber attack.

See Also: What are the PCI DSS Business Continuity Requirements?

Correct creation and implementation of an emergency management plan require daily updates and preparation.

An incident response plan must be implemented in a series of steps to resolve a suspected data breach. There are different areas of need to be considered in every process.

The stages of incident response are as follows:

  • Preparation
  • Identification
  • Enclosure
  • Annihilation
  • Recovery
  • Lessons learned

Let’s take a closer look at each step and point out what you need to tackle.

1. Incident Response Plan Preparation Phase

The preparedness phase is your incident response preparedness work and will eventually be the most crucial step in protecting your company. The purpose of the preparation phase is to get the company’s team and resources ready to handle a security incident.

Part of the preparatory phase includes:

  • Ensure that personnel is adequately qualified in incident response roles and tasks in the event of data breaches.
  • Performing simulated data breaches regularly to create incident response simulation scenarios and test the response plan for an incident.
  • Ensure all elements of the incident response plan are pre-approved and financed.

Your incident response plan should outline and well define each employee’s roles and responsibilities in detail. Next, the program should be checked to ensure that employees are performing incident response steps as taught. The more prepared employees are, the less likely they will be to make significant mistakes.

Part of the preparation consists of developing and maintaining appropriate documentation. The following documents are essential during an incident:

  • Cardholder data asset inventory: Inventory is not a requirement; however, it will not only help define the scope of your cardholder data but will also help identify locations where cardholder data should be protected in transit or in the event of no use.
  • Network diagrams with links to all cardholder data: Diagrams are essential during an event. They provide incident handlers, forensic investigators, and law enforcement with a quick and clear picture of the cardholder environment.
  • Documentation and business rationale for allowed services, protocols, and ports: During a breach, the configuration of all firewalls and routers protecting the cardholder environment will be reviewed. Each firewall rule or router permissions is questionable, and there must be a business justification. If supporting documentation is not available in time, it can complicate the containment phase and disrupt other business areas.
  • Configuration standards and change control documentation for all system components: If there are no configuration standards for system components or provide insufficient documentation, it makes identification, restriction, and elimination much more difficult. During the event, configuration questions require fast and precise answers.
  • Documentation of all key management processes for encrypting cardholder data: If the PCI DSS is strictly adhered to, everywhere where cardholder data is stored should be made unreadable. If the method used is encryption, it may be the last layer of defense before an attacker accesses cardholder data in cleartext. Forensic investigators, auditors, and law enforcement will need documentation on how encryption keys are managed. This includes the generation, distribution, storage, destruction, revocation, and replacement of encryption keys. Information will be needed to verify if encryption keys have been compromised.
  • Audit logs: In general, all records will be critical to understanding how attackers have breached the cardholder data environment. A PCI DSS compliant company should solve the “puzzle” of breach by examining the logs at different layers. Logs must be transferred from the system where the logs were created to a secure server to prevent them from being modified or deleted during an intrusion.
  • Video camera data: In some cases where physical security is a factor, video camera data can be decisive for forensic investigation.
  • Media inventories: Identification of media content will be critical if a backup tape is lost.
  • Incident Response Plan: Incident Response Plan should answer most procedural questions during an incident. Reacting hastily under pressure only leads to mistakes. The plan should provide a roadmap, templates, pre-determined responses, and procedures for dealing with the incident.

2. Identification Stage

Identification is the method by which you decide whether it was violated by looking for anomalies resulting from normal operations and activities. A violation or incident may have occurred in several different places.

PCI DSS does not provide specific instructions to follow when a security breach is detected. However, payment brands have particular requirements that companies should know in advance. Confirmation of a security breach is the start time to comply with various requirements, such as notification timelines owned by payment card brands and the use of certified incident response companies.

Your company can use internal resources to identify and control a security breach, but using a third party specializing in incident response is highly recommended.

Typically, a company discovers it has been violated in one of four ways:

  • The breach is detected internally, such as checking device logs for intrusion detection, alerting actions, network anomalies, or malware alerts for anti-virus scans.
  • Your bank will notify you if there is a potential breach based on company credit card fraud reports.
  • Law enforcement discovers the breach while investigating the sale of stolen card data.
  • When a customer says, it was the last place your company used their pre-fraudulent card.

MasterCard and Visa may ask your company to use the services of an incident response evaluator that has been accepted by their respective companies, mainly if your organization is a financial institution. American Express will ask you to use a third-party forensic investigator.

If you do not choose one of the approved evaluators, your company may incur additional charges if payment card brands do not accept your forensic report. They may ask your company to hire one of the approved companies to verify the findings and recommendations provided by an unapproved incident response company.

Visa has specific requirements to preserve evidence and facilitate investigation:

  • Do not access or modify compromised systems.
  • Do not turn off the dangerous machine. Instead, separate the systems at risk from the network.
  • Protect logs and electronic evidence.
  • Log all actions taken.
  • If you are using a wireless network, change the Service Set Identifier (SSID) on the wireless access point (WAP) and other systems using this connection.
  • Be on “high” level alert and monitor all systems, including cardholder data.

3. Containment Phase

When a violation is first detected, your first wish may be to delete anything securely so you can get rid of it. This hurts you in the long run because you will lose vital information to assess where the attack happened and create a strategy to prevent it from happening again.

Instead, contain the breach, so you don’t spread it and cause further damage to your company. If possible, disconnect the affected devices from the Internet.

It is also essential to have a robust backup program to help recover business operations. Thus, any corrupted data will not be lost forever, and you will have a chance to recover your data.

It’s also an excellent time to upgrade and patch your systems, check your remote access protocols, change all credentials and administrative access for users, and harden all passwords.

When a company becomes aware of a potential breach, it’s understandable it wants to fix it quickly. However, you can inadvertently damage important forensic data without taking appropriate precautions and involving the right people.

Forensic investigators use this data to evaluate how and why the incident happened and create a strategy to avoid similar potential attacks.

When you encounter an intrusion, remember the following:

  • Don’t panic.
  • Do not make hasty decisions.
  • Do not wipe or reinstall your systems.

4. Eradication Phase

Once you get the incident under control, the breach’s root cause must be identified and eliminated. This means that all malware must be safely removed, devices must be powered, re-patched, and updated.

Once the incident is covered, you must identify and remove applications, processes, or technologies contributing to the violation. If your team is doing the cleanup or using a third party to do this, you should give them detailed information about the situation.

If any signs of malware or security problems remain on your systems, you can still lose valuable data and increase your liability.

Once the breach has been brought under control, elimination and recovery must be carried out carefully. Your company should endeavor to eliminate all pieces of malware distributed by the attacker.

Failure to do the elimination and recovery could allow an attacker to recover remote access using installed backdoors or Trojan horse applications during the initial intrusion.

American Express, Discover, and Visa require you to notify them immediately after confirming a security breach. MasterCard requires the information to be reported within 24 hours.

Visa requires you to file a forensic report within three business days of the reported settlement. MasterCard states that the report must be ready within 72 hours of information.

In case of a breach, payment card brands will want to know how many cards of their brands may have been seized. Your company should be ready to provide this information. Within ten business days, Visa will ask you to provide a list of all captured cards. MasterCard has specific formats for the list as well as the requirement to report compromised cards.

The audit report is critical as it will be used to establish your company’s PCI DSS compliance and pinpoint whether your company is responsible and to what extent.

Payment card brands are likely to require an additional PCI DSS Assessment to detect specific incompatibilities and for your company to develop a detailed remediation plan.

Some companies may feel that not reporting an incident is in their best interests. However, in the absence of self-reporting, these companies could eventually be identified as the source of cardholder data compromise.

Payment card companies use a process to identify the source of a violation as precisely as possible. Refunds and fraudulent transactions are reported to payment card companies that use the information to identify merchants or service providers that may have been compromised.

Failure to report the incident may affect your company with additional fines and expose your company to legal liabilities. On the other hand, reporting the incident can help your company show that the security controls in force are working.

5. Recovery Phase

The recovery step is how affected systems and equipment are restored and returned to the business environment. It is essential to get your systems and business operations up and running again without worrying about any further breaches during this time.

Once you find and eliminate the cause of the breach, you need to make sure that all systems are repaired, patched, updated, and checked before you consider releasing previously compromised systems back to your production environment.

6. Lessons Learned

Once the investigation is complete, hold a post-action session with all the incident response team members and review what you learned from the data breach. This is where you can review and record everything related to the violation and learn lessons.

Identify what went well in your response plan and where some gaps are. Learning from both fake and real events will help strengthen structures against potential attacks.

Once the security breach is addressed, your company will need to improve its security strategy, incident response plan, and monitoring processes. PCI DSS requires companies to develop processes to change and improve the incident response plan based on lessons learned from the incident.

A thorough analysis of how the incident was detected, reported, addressed, and included should be done. The incident response plan should be updated according to the analysis results to improve monitoring alerts analysis, response times, and optimizing incident response procedures.

No organization wants to be subject to a data breach, but it is essential to prepare for any violation. Prepare for violations, know what to do when it happens, and then do your best.

After the forensic review, interview all incident response team members, discuss what you learned from the data breach, and review incidents in preparation for the next attack. Identify what went well and what was not in your response strategy. Then update your response plan for the incident.

Unfortunately, there is no perfect security. PCI DSS certified companies must be prepared to handle security incidents. Unlike PCI DSS, Payment Card Companies do not have standard procedures or policies regarding incident response, breach notification, and forensic analysis.

By following the Payment Card Companies recommendations, companies will minimize the risk of additional financial impact in the event of a security breach. Understanding how difficult it is to deal with a security breach will undoubtedly increase security awareness within a company.

Surkay Baykara
Surkay Baykara
A passionate Senior Information Security Consultant working at Cyberwise. Over the past 15+ years my professional career has included several positions beginning as a developer and IT administrator, working my way up to a senior Technical Performance Consultant before joining Biznet back in 2015. I had several different roles at Cyberwise, including Penetration Tester and PCI DSS QSA. In my job as a QSA, I found my passion and worked closely with the Audit and Compliance team. I've been working inside InfoSec for over 15 years, coming from a highly technical background. I have earned several certifications during my professional career including; CEH, CISA, CISSP, and PCI QSA.

More from author

Common Cyber Threats in Ecommerce and How to Mitigate Them

In this article, we will delve into the issue of cybersecurity in ecommerce, describing the types of cyber threats that ecommerce businesses are confronted with and what can be done to avoid these threats.

Managing Cyber Risk in the Age of Cloud Computing

The cloud delivers game-changing capabilities but also surfaces new cyber risks requiring an evolved security perspective. However, as more sensitive data and critical systems move to the cloud, businesses must adapt their cybersecurity strategies to effectively manage emerging risks.

The Controversy and Importance of Ethical Hacking

Ethical hackers are essentially people who can use the same techniques as cyber criminals, but they do not use them to steal information.

Related posts

Latest posts

Common Cyber Threats in Ecommerce and How to Mitigate Them

In this article, we will delve into the issue of cybersecurity in ecommerce, describing the types of cyber threats that ecommerce businesses are confronted with and what can be done to avoid these threats.

Managing Cyber Risk in the Age of Cloud Computing

The cloud delivers game-changing capabilities but also surfaces new cyber risks requiring an evolved security perspective. However, as more sensitive data and critical systems move to the cloud, businesses must adapt their cybersecurity strategies to effectively manage emerging risks.

The Controversy and Importance of Ethical Hacking

Ethical hackers are essentially people who can use the same techniques as cyber criminals, but they do not use them to steal information.

Want to stay up to date with the latest news?

We would love to hear from you! Please fill in your details and we will stay in touch. It's that simple!