Incident Response: Suspected Cardholder Data Compromise
An incident, for purposes of this plan, is defined as a suspected or confirmed compromise of cardholder data. At a minimum, cardholder data consists of the full card number. Cardholder data may also appear in the form of the full card number plus any of the following: cardholder name, expiration date and/or sensitive authentication data. A cardholder data compromise is any situation where intrusion into a computer system occurs and unauthorized disclosure, theft, modification, or destruction of cardholder data is suspected, or the suspected or confirmed loss or theft of any material or records that contain cardholder data.
Departments that suspect or have confirmed an account data compromise must take prompt action to prevent additional exposure of payment card data. The following steps must be taken:
- Immediately notify the appropriate University contacts. (see information referring to Contacts below)
- Immediately contain and limit the exposure and preserve evidence. (see information referring to evidence below)
- Document any steps taken until contacted by the PCI Compliance Officer. Include the date, time, person(s) involved and action taken for each step.
- Assist the PCI Compliance Officer, USU IT Security and System Engineers team, Chief Compliance Officer, Office of General Counsel, and any other personnel as they investigate the incident.
If you suspect a compromise of credit card data, notify the following contacts immediately:
Monica Trippler | PCI Compliance Officer
firstname.lastname@example.org • 435-760-3651
Blake Rich | IT Security and System Engineers Manager
email@example.com • 435-757-8880
Shanell Johnson | Treasury Services Director
firstname.lastname@example.org • 435-797-1682
Matt Lorimer | IT Security and System Engineer
email@example.com • 435-797-4242
Russ Price | Chief Compliance Officer
firstname.lastname@example.org • 435-797-8305
Mica Mckinney | Office of General Counsel
email@example.com • 435-797-1156
The following guidelines are courtesy of Visa's "What To Do If Compromised" publication.
To identify the root cause and facilitate investigations, it is important to ensure the integrity of the system components and environment by preserving all evidence.
- Do not access or alter compromised system(s) (e.g., do not log on to the compromised system(s) and change passwords; do not log in with administrative credentials). Visa strongly recommends that the compromised system(s) be taken offline immediately and not be used to process payments or interface with payment processing systems.
- Do not turn off, restart, or reboot the compromised system(s). Instead, isolate the compromised system(s) from the rest of the network by unplugging the network cable(s) or through other means.
- Identify and document all suspected compromised components (e.g., PCs, servers, terminals, logs, security events, databases, PED overlays, etc.)
- Document containment and remediation actions taken, including dates/times (preferably in UTC), individuals involved, and detailed actions performed.
- Preserve all evidence and logs (e.g., original evidence such as forensic images of systems and malware, security events, web logs, database logs, firewall logs, etc.)
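The documentation and evidence-preservation steps above (UTC-timestamped record of each action and its operator, plus logs kept intact for investigators) can be backed by a small tamper-evident record. The following Python is an added example and is not part of Visa's publication or USU's procedures; the file names, operator name, log line and system name it uses are constructed.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def utc_now() -> str:
    # Visa guidance above: record dates/times in UTC.
    return datetime.now(timezone.utc).isoformat(timespec="seconds")

def record_action(log_path, person, action) -> dict:
    """Append one containment/remediation step: time (UTC), person, action."""
    entry = {"time": utc_now(), "person": person, "action": action}
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry

def sha256_file(path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(evidence_paths, manifest_path, person) -> dict:
    """Hash each preserved log/image so later alteration can be detected."""
    files = {str(p): {"sha256": sha256_file(p)} for p in evidence_paths}
    manifest = {"created": utc_now(), "collected_by": person, "files": files}
    Path(manifest_path).write_text(json.dumps(manifest, indent=2))
    return manifest

def verify_manifest(manifest_path) -> dict:
    """Re-hash every listed file; True means it still matches the manifest."""
    manifest = json.loads(Path(manifest_path).read_text())
    return {p: sha256_file(p) == m["sha256"] for p, m in manifest["files"].items()}

def demo() -> dict:
    """Run against constructed sample evidence in a temporary directory."""
    work = Path(tempfile.mkdtemp())
    fw = work / "firewall.log"
    fw.write_text("2024-01-01T10:00:00Z DENY 203.0.113.5 -> 10.0.0.12:443\n")  # constructed
    actions, manifest = work / "actions.jsonl", work / "manifest.json"
    record_action(actions, "J. Doe (hypothetical)", "Unplugged network cable from POS-07")
    build_manifest([fw], manifest, "J. Doe (hypothetical)")
    before = all(verify_manifest(manifest).values())
    fw.write_text("")  # simulate the evidence being altered after collection
    after = verify_manifest(manifest)[str(fw)]
    return {"before": before, "after": after, "entries": len(actions.read_text().splitlines())}
```

Investigators can re-run verify_manifest against the manifest to confirm the preserved logs were not changed between collection and hand-over.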
USU's Information Security and System Engineers will follow their protocols for data security breaches, which are governed by the University's Information Security Policy #558.
Department Operations After a Report of Compromise
The Department may continue business operations, excluding credit card acceptance, until notified by the PCI Compliance Officer that they may resume credit card processing activities.
- In the event the breach occurs at a department with multiple credit card processing methods (ecommerce, registers, etc.), the credit card processing activity for each method must be suspended until the notification is received from the PCI Compliance Officer that a method may be resumed.
- If the breach is not isolated to a single department's processing environment, all credit card processing activity across campus is subject to suspension until the PCI Compliance Officer notifies each department that it is acceptable to resume operations.