PCI Security Standards Council Issues “How-To” Guide For Responding To A Data Breach

King & Spalding

On September 29, 2015, the PCI Security Standards Council (“PCI SSC”) issued a press release and accompanying guidance to businesses on incident response management in the event of a data breach. PCI SSC is a global forum founded by the card brands American Express, Discover, JCB, MasterCard and Visa, and it is responsible for developing and managing the data security standards required by the card brands’ compliance programs. The new guidance is directed to merchants and service providers, with recommendations on (i) preparing in advance for an incident; and (ii) working with a Payment Card Industry Forensic Investigator (“PFI”) in the event of a cardholder data breach.

In terms of preparation, PCI SSC recommends: 

  1. Implementing an incident response plan;
  2. Preparing to limit data exposure as soon as a breach is detected (such as by isolating affected systems from the network), while preserving all evidence for a forensic investigation;
  3. Identifying business partners that will need immediate notification of a breach, including the card brands and acquirers (acquirers also are known as merchant banks, which process card transactions for merchants);
  4. Ensuring that contracts with third-party service providers sufficiently address data security and incident response management; and
  5. Having an independent PFI “on call.”

The PCI guidance also explains that an independent investigation by a qualified PFI will be required when the breach meets criteria set by card brands such as Visa and MasterCard. The PFI may not have prior relationships with the business (e.g., it cannot be the business’s auditor); the business cannot interfere with the PFI’s investigation; and the PFI must be given access to all relevant data, facilities, and personnel. The PFI will issue a Preliminary Incident Response Report and a Final Incident Response Report, and the reports will be passed on to the business’s merchant banks and card brands. The reports are intended to identify any observed deficiencies relative to PCI SSC’s requirements, as well as to recommend steps the business can take to prioritize containment and secure cardholder data following the breach.

Reporter, Mark H. Francis, New York, +1 212 556 2117, mfrancis@kslaw.com.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
