October 20, 2015

PCI Security Standards Council Issues “How-To” Guide For Responding To A Data Breach

King & Spalding

+ Follow Contact

Send

Embed

On September 29, 2015, the PCI Security Standards Council (“PCI SSC”) issued a press release and accompanying guidance to businesses for incident response management in the event of a data breach. PCI SSC is a global forum founded by card brands American Express, Discover, JCB, MasterCard and Visa, and it is responsible for the development and management of data security standards required by the card brands’ compliance programs. The new guidance is directed to merchants and service providers, with recommendations on (i) how to prepare in advance for an incident; and (ii) working with a Payment Card Industry Forensic Investigator (“PFI”) in the event of a cardholder data breach.

In terms of preparation, PCI SSC recommends:

Implementing an incident response plan;
Preparing to limit data exposure as soon as a breach is detected (such as by isolating affected systems from the network), while preserving all evidence for a forensic investigation;
Identifying business partners that will need immediate notification of a breach, including the card brands and acquirers (acquirers also are known as merchant banks, which process card transactions for merchants);
Ensuring that contracts with third-party service providers sufficiently address data security and incident response management; and
Having an independent PFI “on call.”

The PCI guidance also explains that an independent investigation by a qualified PFI will be required when the breach meets criteria set by card brands such as Visa and MasterCard. The PFI may not have prior relationships with the business (e.g., it cannot be the business’s auditor); the business cannot interfere with the PFI’s investigation; and the PFI must be given access to all relevant data, facilities, and personnel. The PFI will issue a Preliminary Incident Response Report and Final Incident Response Report, and the reports will be passed on to the business’s merchant banks and card brands. The reports are intended to identify any observed deficiencies in PCI SSC’s requirements, as well as recommend steps the business can take to prioritize containment and secure cardholder data following the breach.

Reporter, Mark H. Francis, New York, +1 212 556 2117, mfrancis@kslaw.com.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

Written by:

King & Spalding

Contact + Follow

less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

Increased visibility
Actionable analytics
Ongoing guidance

Learn More

Published In:

American Express

+ Follow

Bank Service Providers

+ Follow

Cyber Incident Reporting

+ Follow

Cyberforensics

+ Follow

Cybersecurity

+ Follow

Data Breach

+ Follow

Data Breach Plans

+ Follow

Data Privacy

+ Follow

Data Protection

+ Follow

Data Security

+ Follow

Discover Bank

+ Follow

MasterCard

+ Follow

Merchants

+ Follow

PCI

+ Follow

Popular

+ Follow

Security Standards

+ Follow

Visa Inc

+ Follow

General Business

+ Follow

Consumer Protection

+ Follow

Finance & Banking

+ Follow

Privacy

+ Follow

Science, Computers & Technology

+ Follow

less

King & Spalding on:

PCI Security Standards Council Issues “How-To” Guide For Responding To A Data Breach

Related Posts

Written by:

PUBLISH YOUR CONTENT ON JD SUPRA NOW

Published In:

King & Spalding on:

"My best business intelligence, in one easy email…"