All you need to know about PCI Forensic Investigations
PCI, PFI, PCI DSS, PCI SSC, these are all terms you will hear and need to know about when operating within the Payment Card Industry. We understand that it’s a lot to read into, which is why we’ve compiled a simple run-through of all the basics you’ll need to know.
What is a PFI?
PFI stands for PCI Forensic Investigator(s). A PFI, as the name suggests, investigates breaches of payment card data; stretching from small businesses all the way to international law enforcement efforts.
Qualified by the PCI SSC (which we’ll get into later), only a few select companies are enabled to lead forensic investigations.
What is PCI?
The Payment Card Industry. All organizations, big or small, that store, process or transmit cardholder data (typically credit and debit cards) are part of the PCI. If you’ve ever bought something online, a good or service, it’s likely, after typing in your card details, a payment card processor would be given the job of processing your transaction safely and securely.
Keywords: safely and securely.
Because of how lucrative hacking can be, and how unsafe many payment systems were, it became very evident (during the rapid growth of the internet) that security standards would need to be drafted. So, in 2006, the PCI SSC was founded.
What is the PCI SSC?
Founded by Visa, Discover Financial Services, JCB International, American Express, and Mastercard, The Payment Card Industry Security Standards Council is an organisation of private, independent card vendors, which manages the Payment Card Industry Data Security Standard (PCI DSS).
What is PCI DSS?
Payment Card Industry Data Security Standard (PCI DSS) is a body of security standards that includes 12 requirements, and additional sub-requirements, that businesses must meet in order to be considered compliant. In brief, these are:
- Install and maintain a firewall configuration.
- Changing default passwords for systems and other security parameters.
- Protect stored cardholder data with either encryption, hashing, masking, or truncation.
- Encrypting transmission of cardholder data (i.e. use an SSL certificate).
- Keep anti-virus software updated and protect all systems from malware.
- Develop and maintain secure systems and applications; preventing vulnerabilities and employing security patches as soon as available.
- Restrict access to cardholder data to authorised employees.
- Identify, authenticate, and assess who has access to system components.
- Restrict physical access to cardholder data.
- Track and monitor anything with access to cardholder data and network resources.
- Test security systems and processes regularly.
- Maintain an information security policy for all employees, typically through a Non-Disclosure Agreement.
Of course, the requirements go into much more detail, and have many sub-requirements that may or may not apply to your business. Meeting these requirements are very important. If you are deemed non-compliant under the PCI DSS, and are victim to a data breach, you could suffer significant financial penalties from the card brands; on top of all the penalties from local or national laws. Please read more on these, in full, here.
What are PCI Forensic Investigators? What do they do?
Well… Foregenix is one. Investigators themselves must work for a Qualified Security Assessor Company, both of whom are certified by the PCI SSC.
Primarily, PFIs (PCI Forensic Investigators) perform investigations within the financial industry, after a data breach (whether major or minor). Using well defined investigative methodologies, their objective is to figure out what happened, how it happened, what was stolen, who stole it and to make sure the breach is no longer taking place.
PFIs often work closely with law enforcement. It is fairly common for countries to mandate laws when it comes to online security and, as such, PFIs are very useful in helping to solve cyber crimes. Foregenix itself employs a wide range of Ex-Law Enforcement experts.
What is the PFI Process?
A PCI Forensic Investigation aims to stop the breach as quickly as possible to prevent further damage, while getting the required investigation completed. The process can vary from company to company, and situation to situation but the requirements and strategy are the pretty much the same. Additionally there may be region specific "supplements" within the realm of PFI forensic investigations. These mainly relate to situations that (at a point in time) may appear to be smaller incidents or incidents with limited supporting evidence of intrusion or card data exposure.
- Determine the scope of the affected environment
- Collect evidence
- Create a preliminary report
- Conduct forensic analyses
- Build a containment strategy
- Verify the containment
- Produce a final report
What is PFI Lite?
Exclusively a Visa Europe initiative, PFI Lite is a scaled down version of the PCI Forensic Investigation; for sites that process under 10,000 Visa transactions every year. It’s a scaled down investigation for smaller businesses designed to quickly stop the breach and get the small eCommerce business onto a secure payment process.
Similar to before, we take it in steps. We first ensure the breach is contained; this is our first priority as we don’t want any more data being stolen. If not already utilised, we then support the migration to a hosted payment page (if you want to find out more about them, take a look at our blog).
After that, we analyse the attack to find out how long the exposure lasted. Using our FGX-Web technology, we then monitor the site for a period of time after the investigation is concluded to ensure the victim website does not experience a re-breach.
Once we are certain the site is secure, we support the client in completing a SAQ (Self Assessment Questionnaire), which is required for PCI Compliance. And then we produce a report for submission to Visa Europe.
As I said, there is a lot more to it than this, what with all the laws, regulations and agreements that must be taken into account. Having said that, we specialise in helping organisations through the PFI process and we have a fantastically talented team and specialised technology available to assist - we help hacked organisations to regain control of their business systems quickly, efficiently and with minimal business interruption.
If you have any questions or wish to get in touch, contact us.