Practitioner

  • Cardholder Data (CHD) is allowed to be stored, but the PAN must be rendered unreadable
  • Sensitive Authentication Data (SAD) should never be stored after authorisation
  • Anywhere that CHD is stored, processed or transmitted needs to be PCI compliant
  • Payment Security Perspectives
    • The Payer
    • The Scammer
    • The Third Party
    • The Acquirer
    • The Merchant
  • The Payment Card Industry Data Security Standard (PCI DSS) is a standard that must be complied with when handling cardholder data
  • Organisations should define an Information Security Policy at the highest level to be approved by management
  • The Information Security Policy should address business strategy, regulatory/legislative/contractual obligations, assignment of responsibilities, and current/projected security threats
  • The Information Security Policy should be reviewed at least annually and updated where appropriate
  • The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU)
  • The 7 Principles of GDPR
    • Lawfulness, fairness & transparency
    • Purpose Limitation
    • Data Minimisation
    • Accuracy
    • Storage Limitation
    • Security
    • Accountability
  • Under GDPR, data controllers must report a data breach to the ICO within 72 hours of becoming aware
  • GDPR allows for fines of up to €20 million or 4% of annual global turnover, whichever is higher, for serious infringements
  • The UK National Cyber Security Centre (NCSC) has reported that 35 universities and colleges were impacted by ransomware attacks in 2021, with an average cost to recover of around £2.1 million
  • The Verizon Data Breach Investigations Report found that the human element is a key driver for 82% of breaches, with social attacks, human error and misuse being the main factors
  • Ransomware accounts for 25% of observed breaches, and four out of five breaches can be attributed to organized crime
  • Information security event
    Identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant
  • Information security incident
    Single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security
  • Good incident response is vital to mitigate and contain the wider impact of an incident, ensure consistency and control in actions, and return to business as usual as soon as possible
  • 500k data subjects affected, £183m fine from the ICO
  • We Fight Fraud – counting the cost of a cyber attack
  • Why Good Incident Response is Vital
    • Difference between resolution and data breach
    • Mitigate and contain wider impact
    • Consistency and control in actions
    • Return to BAU as soon as possible
  • Incident Response Approach
    1. Plan and Prepare
    2. Incident Reported
    3. Assess and Investigate
    4. Containment and Removal
    5. Recovery
    6. Post-Incident Review
  • Putting the pieces together
    1. Detection and Reporting
    2. Triage and Analysis
    3. Appropriate Response
    4. Post Incident Activity
  • Plan Structure
    • Core IR Plan
    • Operation Procedures
  • Planning Considerations
    • What are the realistic threats to your institution?
    • What are completely unlikely threats to your institution?
    • What is the plan trying to achieve & are the objectives documented?
    • What supporting documentation may be required to support the IR plan?
    • What are the dependencies of the plan & roles within the plan?
    • Does your plan factor in BCP during (and if needed after) the active incident response?
    • Is the plan realistic and achievable for your current operating environment?
    • Are the roles & responsibilities discussed & shared with the relevant parties?
    • How do you move from Incident Response back to BAU?
  • Roles, responsibilities, and communication and contact strategies in the event of a compromise, including notification of the payment brands, at a minimum
  • Specific incident response procedures
  • Business recovery and continuity procedures
  • Data backup processes
  • Analysis of legal requirements for reporting compromises
  • Coverage and responses of all critical system components
  • Reference or inclusion of incident response procedures from the payment brands
  • Test the plan... Keep it up to date!
  • Key Reminders
    • Management
    • Accessible
    • Adaptability
    • Improvement
    • Documented
  • Suspected Cardholder Data Breach
    1. Stop taking card payments
    2. Report it immediately to the PCI Incident Response Team
    3. Write down everything including: date/time/location, actions taken, observations, reason for suspicions
    4. Work with the investigators
  • Review and test the plan, including all elements listed in Requirement 12.10.1 at least annually
  • Testing approaches
    • Desktop/Table top
    • Scenario Based
    • Full Test
    • Real Life
  • Why Test?
    • Validation
    • Training
    • Continual Improvement
    • Preparation
    • PCI DSS
  • Key Things to Consider
    • What is the objective of the test?
    • What is a realistic scenario for your institution?
    • Who needs to be involved in the workshop?
    • What supporting documentation do you need to run the day?
    • What are the implications of running a blind vs. disclosed scenario test?
    • Do not forget to run a wash-up/lessons-learned session at the end to capture feedback. Then improve your plan!
  • PCI DSS is a standard designed with the aim of protecting the customer's credit card data when it's stored, processed, or transmitted