On September 29, 2015, the PCI Security Standards Council (“PCI SSC”) issued a press release and accompanyingguidance to businesses for incident response management in the event of a data breach.  PCI SSC is a global forum founded by card brands American Express, Discover, JCB, MasterCard and Visa, and it is responsible for the development and management of data security standards required by the card brands’ compliance programs.  The new guidance is directed to merchants and service providers, with recommendations on (i) how to prepare in advance for an incident; and (ii) working with a Payment Card Industry Forensic Investigator (“PFI”) in the event of a cardholder data breach.

In terms of preparation, PCI SSC recommends: 

  1. Implementing an incident response plan;
  2. Preparing to limit data exposure as soon as a breach is detected (such as by isolating affected systems from the network), while preserving all evidence for a forensic investigation;
  3. Identifying business partners that will need immediate notification of a breach, including the card brands and acquirers (acquirers also are known as merchant banks, which process card transactions for merchants);
  4. Ensuring that contracts with third-party service providers sufficiently address data security and incident response management; and
  5. Having an independent PFI “on call.”

The PCI guidance also explains that an independent investigation by a qualified PFI will be required when the breach meets criteria set by card brands such as Visa and MasterCard. The PFI may not have prior relationships with the business (e.g., it cannot be the business’s  auditor); the business cannot interfere with the PFI’s investigation; and the PFI must be given access to all relevant data, facilities, and personnel. The PFI will issue a Preliminary Incident Response Report and Final Incident Response Report, and the reports will be passed on to the business’s merchant banks and card brands. The reports are intended to identify any observed deficiencies in PCI SSC’s requirements, as well as recommend steps the business can take to prioritize containment and secure cardholder data following the breach.