All you need to know about PCI Forensic Investigations

What is a PFI?

PFI stands for PCI Forensic Investigator(s). A PFI, as the name suggests, investigates breaches of payment card data; stretching from small businesses all the way to international law enforcement efforts.

Qualified by the PCI SSC (which we’ll get into later), only a few select companies are enabled to lead forensic investigations.

What is PCI?

The Payment Card Industry. All organizations, big or small, that store, process or transmit cardholder data (typically credit and debit cards) are part of the PCI. If you’ve ever bought something online, a good or service, it’s likely, after typing in your card details, a payment card processor would be given the job of processing your transaction safely and securely. 

Keywords: safely and securely.

Because of how lucrative hacking can be, and how unsafe many payment systems were, it became very evident (during the rapid growth of the internet) that security standards would need to be drafted. So, in 2006, the PCI SSC was founded.

What is the PCI SSC?

Founded by Visa, Discover Financial Services, JCB International, American Express, and Mastercard, The Payment Card Industry Security Standards Council is an organisation of private, independent card vendors, which manages the Payment Card Industry Data Security Standard (PCI DSS).

What is PCI DSS?

Payment Card Industry Data Security Standard (PCI DSS) is a body of security standards that includes 12 requirements, and additional sub-requirements, that businesses must meet in order to be considered compliant. In brief, these are:

• Install and maintain a firewall configuration.
• Changing default passwords for systems and other security parameters.
• Protect stored cardholder data with either encryption, hashing, masking, or truncation.
• Encrypting transmission of cardholder data (i.e. use an SSL certificate).
• Keep anti-virus software updated and protect all systems from malware.
• Develop and maintain secure systems and applications; preventing vulnerabilities and employing security patches as soon as available.
• Restrict access to cardholder data to authorised employees.
• Identify, authenticate, and assess who has access to system components.
• Restrict physical access to cardholder data.
• Track and monitor anything with access to cardholder data and network resources.
• Test security systems and processes regularly.
• Maintain an information security policy for all employees, typically through a Non-Disclosure Agreement.

Of course, the requirements go into much more detail, and have many sub-requirements that may or may not apply to your business. Meeting these requirements are very important. If you are deemed non-compliant under the PCI DSS, and are victim to a data breach, you could suffer significant financial penalties from the card brands; on top of all the penalties from local or national laws. Please read more on these, in full, here.

What are PCI Forensic Investigators? What do they do?

Well… Foregenix is one. Investigators themselves must work for a Qualified Security Assessor Company, both of whom are certified by the PCI SSC.

Primarily, PFIs (PCI Forensic Investigators) perform investigations within the financial industry, after a data breach (whether major or minor). Using well defined investigative methodologies, their objective is to figure out what happened, how it happened, what was stolen, who stole it and to make sure the breach is no longer taking place.

PFIs often work closely with law enforcement. It is fairly common for countries to mandate laws when it comes to online security and, as such, PFIs are very useful in helping to solve cyber crimes. Foregenix itself employs a wide range of Ex-Law Enforcement experts.

What is the PFI Process?

A PCI Forensic Investigation aims to stop the breach as quickly as possible to prevent further damage, while getting the required investigation completed. The process can vary from company to company, and situation to situation but the requirements and strategy are the pretty much the same. Additionally there may be region specific "supplements" within the realm of PFI forensic investigations. These mainly relate to situations that (at a point in time) may appear to be smaller incidents or incidents with limited supporting evidence of intrusion or card data exposure.

• Determine the scope of the affected environment
• Collect evidence
• Create a preliminary report
• Conduct forensic analyses
• Build a containment strategy
• Verify the containment
• Produce a final report

Conclusion

As I said, there is a lot more to it than this, what with all the laws, regulations and agreements that must be taken into account. Having said that, we specialise in helping organisations through the PFI process and we have a fantastically talented team and specialised technology available to assist - we help hacked organisations to regain control of their business systems quickly, efficiently and with minimal business interruption.

If you have any questions or wish to get in touch, contact us.