The PCI Security Standards Council, in collaboration with a team of PCI Forensic Investigators (PFIs), has released guidelines to help organizations implement breach response plans. The document, Responding to a Data Breach: A How-to Guide for Incident Management, was unveiled during a PCI SSC-hosted North America Community Meeting in Canada. Additional data security awareness meetings were slated for Japan and France.
According to the PCI SSC, the average total cost of a data breach to a merchant is now $3.8 million per incident. Reflecting on the global state of data security awareness, PCI SSC International Director Jeremy King noted that in the United Kingdom the government closely monitors breach levels through an annual business survey that tracks breaches of all types of data.
"This isn't just financial, this is any data breach," King said. "They found that in the last two surveys over 90 percent of organizations had a data breach of some form or other." Because in more than 95 percent of incidents an external party, rather than the compromised organization itself, was the first to notice the breach and raise the alarm, he said, data security guidance has reached a time-critical point.
But the council is optimistic that will change. "The silver lining to high-profile breaches that have occurred is that there is a new sense of urgency that is translating into security vigilance from the top down, forcing businesses to prioritize and make data security business as usual," said Stephen Orfei, General Manager of the PCI SSC. "Prevention, detection and responses are always going to be the three legs of data protection."
Unfortunately, a significant number of merchants believe a breach won't happen to them. Many in this category are most vulnerable to attack, since basic security measures, including an incident response plan, are not being implemented.
"Each year Verizon and Trustwave publish separate data breach reports," King said. "Consistently, they have found over the years that organizations that are breached have not been PCI compliant, but it's not that they were a little bit not compliant, they were massively not compliant. There are some huge holes there. There are simple things they are still not getting right."
For example, he noted that weak password practices remain a problem, as does employees clicking on phishing emails that deliver malware. Cybercriminals continue to rely on basic attack methods because unprotected business environments are not hard to find, and a lack of employee training and of response strategies compounds the problem.
For small merchants, however, cost can be an issue. "In Europe, some of the card brands offer a limited breach response service, because they know that small merchants can't afford full forensics investigation breach support, so it becomes a relationship between the acquirer, the merchant and the brand to try and resolve this," King said. "If you're a small merchant working in the e-commerce space, you've really got to do this properly."
With a good incident response plan, he said, merchants know exactly what to do, how to respond and whom to notify. If a breach occurs outside business hours, key personnel understand the chain of command and which factors determine whether to open for business the next day. Businesses are advised to establish relationships with forensic investigators beforehand, to shorten response time and avoid errors in the aftermath of a breach.
An incident response plan should also include instructions on how to limit data exposure and preserve evidence. That may mean isolating a compromised system from the network rather than powering it off: a shutdown destroys volatile evidence such as memory contents, running processes and active network connections that a forensic investigator will want to examine. In addition to a PFI contact, the plan should list current business partners, including payment card brands, acquirers and other entities requiring notification. The PCI SSC recommends that contracts with third parties include specific provisions on how evidence will be accessed and reviewed in the event of a data breach.
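The "isolate, don't power off" advice above, as an added example that is not part of the PCI SSC guide or of this article: a POSIX shell script that first snapshots the volatile state a shutdown would destroy (logged-in users, processes, sockets, ARP and routing tables, kernel modules) into a hashed, read-only evidence directory, then cuts the host off from the network while keeping it running so a PFI can still reach it. It assumes a Linux host with `/proc`, optional `ps`/`ss`/`ip` tools, and an iptables-based isolation step; the collector address `192.0.2.10` in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example (not from the PCI SSC guide): preserve volatile evidence, then
# isolate the host from the network without powering it off.
# Assumes Linux /proc, POSIX sh and (for the live step only) iptables as root.

# hash_cmd: sha256sum where available, otherwise shasum -a 256 (same output format).
hash_cmd() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# capture DIR NAME CMD...: save a command's output to DIR/NAME.txt; if the tool is
# missing, record that fact instead of failing, so collection always completes.
capture() {
    outdir=$1; name=$2; shift 2
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$outdir/$name.txt" 2>&1 || true
    else
        echo "tool not available: $1" > "$outdir/$name.txt"
    fi
}

# collect_volatile [BASE]: write the state that a reboot or shutdown would destroy
# into BASE/<host>-<utc time>/, hash every file and make the set read-only so later
# tampering is detectable. Prints the evidence directory path.
collect_volatile() {
    base=${1:-/tmp/ir-evidence}
    dir="$base/$(hostname 2>/dev/null || echo unknown-host)-$(date -u +%Y%m%dT%H%M%SZ)"
    mkdir -p "$dir"
    date -u +%Y-%m-%dT%H:%M:%SZ > "$dir/collected_at_utc.txt"
    capture "$dir" uname     uname -a
    capture "$dir" uptime    uptime
    capture "$dir" logged_in who
    capture "$dir" processes ps -eo pid,ppid,user,lstart,etime,cmd
    capture "$dir" sockets   ss -tunap
    capture "$dir" arp       ip neigh
    capture "$dir" routes    ip route
    capture "$dir" mounts    mount
    # /proc is the source of truth even when ps/ss/ip are not installed.
    for f in /proc/net/tcp /proc/net/udp /proc/net/tcp6 /proc/net/udp6 /proc/modules; do
        if [ -r "$f" ]; then cp "$f" "$dir/$(echo "$f" | tr / _).txt"; fi
    done
    # Manifest of hashes; SHA256SUMS itself is excluded since the redirect creates it first.
    ( cd "$dir" && for f in $(find . -type f ! -name SHA256SUMS | sort); do hash_cmd "$f"; done ) \
        > "$dir/SHA256SUMS"
    chmod 0444 "$dir"/*
    echo "$dir"
}

# verify_snapshot DIR: exit status 0 only if every file still matches the manifest.
verify_snapshot() {
    ( cd "$1" && hash_cmd -c SHA256SUMS ) >/dev/null 2>&1
}

# isolate_host COLLECTOR_IP: block all traffic except loopback and the forensic
# collector, leaving the host powered on with memory, processes and sockets intact.
# Accept rules go in before the DROP policies so the collector is never cut off.
# Existing rules are not flushed (they are evidence too). Rules are printed by
# default; set IR_APPLY=1 and run as root to apply them.
isolate_host() {
    collector=${1:?collector IP required}
    rules="iptables -I INPUT 1 -i lo -j ACCEPT
iptables -I OUTPUT 1 -o lo -j ACCEPT
iptables -I INPUT 2 -s $collector -j ACCEPT
iptables -I OUTPUT 2 -d $collector -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP"
    if [ "${IR_APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
        echo "$rules" | while read -r line; do $line; done
    else
        echo "# dry run; set IR_APPLY=1 and run as root to apply:"
        echo "$rules"
    fi
}

# Usage: snapshot first, verify, then isolate (collector address is a placeholder).
# evidence=$(collect_volatile) && verify_snapshot "$evidence" && isolate_host 192.0.2.10
```

Two caveats a PFI would raise: an attacker with root on the box can remove host-level firewall rules, so isolation at the switch port or VLAN is preferable where the network team can do it quickly; and the manifest only proves the snapshot was not altered after collection, so copy it and the hashes off the host (to the collector) as soon as they are taken.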
For more information on PFIs and a list of PCI-certified PFI professionals, visit www.pcisecuritystandards.org.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.