PCI SSC Issues New Guidance On Responding to Data Breaches | Practical Law

The PCI Security Standards Council (PCI SSC) announced the publication of Responding to a Data Breach: A How-to Guide for Incident Management, which was developed in collaboration with the Payment Card Industry Forensic Investigator (PFI) community and provides merchants and service providers with recommendations on how to prepare for and react quickly to a data breach.

Practical Law Legal Update 7-619-2042 (Approx. 3 pages)

by Practical Law Intellectual Property & Technology
Published on 02 Oct 2015, USA (National/Federal)
On September 29, 2015, the PCI Security Standards Council (PCI SSC) issued a press release announcing the publication of Responding to a Data Breach: A How-to Guide for Incident Management, which was developed in collaboration with the PCI Forensic Investigator (PFI) community. The publication is intended to provide merchants and service providers with recommendations on how to be prepared and react quickly when a breach is suspected, including suggestions on what to do to contain the damage and facilitate an effective investigation.
The publication provides recommendations in three key areas:
  • Preparing for the worst by:
    • implementing an incident response plan;
    • limiting data exposure;
    • notifying business partners and necessary parties immediately;
    • managing incident response with third-party service providers; and
    • engaging an independent PFI to assist.
  • Considering various issues related to engaging a PFI, including:
    • determining the specific rules of various payment brands and acquirers for when a PFI must be engaged;
    • engaging an appropriate PFI; and
    • understanding a PFI investigation.
  • Working with a PFI to facilitate the investigation, including providing access to evidence, facilities and relevant people.
The publication notes that a PFI does not perform a full Payment Card Industry Data Security Standard (PCI DSS) assessment, and that the absence of findings in a PFI investigation is not evidence that the company is PCI DSS compliant.