In today’s technology-driven world, accepting card payments is a fundamental part of almost any business. The theft of payment card data is a highly lucrative enterprise, with criminals investing considerable time, energy and resources into locating, stealing and illegally using payment cards to commit widespread and costly fraud.
Under the PCI DSS (Payment Card Industry Data Security Standard), merchants and payment service providers have a duty to maintain cardholder data securely. Failure to do so can result in significant fines if they are a victim of a data compromise or are found to be non-compliant with the PCI standard. Organisations which hold cardholder data are also subject to the authority of the Information Commissioner’s Office (ICO) which is able to impose substantial fines for breaches of the Data Protection Act (DPA).
The faster an organisation responds to a potential breach, the lower the likely fines and sanctions will be. It therefore makes sense to deal with a company which has substantial resources that can be deployed quickly to identify how cardholder data has been compromised. Speed of deployment and analysis is vital and will save organisations substantial sums. Where such a breach has occurred, the merchant or payment service provider may be identified as the “common point of purchase” and must conduct a forensic investigation, so that it can immediately take steps to become (or regain) PCI compliant and eliminate the risk of further fraudulent access to cardholder data.
PCI Forensic Investigators (PFIs) are required to be licensed by the PCI Security Standards Council. IntaForensics are a Qualified Security Assessor Company and licensed for PFI investigations throughout Europe.
The PFI Process
PCI Forensic Investigation
Who is this service for?
PFI Investigations are designed for merchants and service providers that have suffered a breach of cardholder data and have been instructed that they must undertake an investigation using an approved PFI Vendor. This includes customers who have been contacted by their acquiring bank and required to perform a ‘PFI’ investigation. All entities that meet one or more of the criteria below will require a PFI investigation in the event of a cardholder / payment data breach:
- Merchant Level 1-3.
- Are a Service Provider.
- Have more than 3 electronic environments.*
- Transact more than 20,000 cards annually or more than 10,000 within the suspected compromise period.
- Process transactions using a Virtual Terminal or EPDQ.
Who is this service for?
PFI Lite Investigations are a Visa Europe program for merchants that have suffered a breach of cardholder data and have been instructed that they must undertake an investigation using an approved PFI Vendor. This includes customers who have been contacted by their acquiring bank and required to perform a ‘PFI Lite’ investigation. Entities must meet all of the criteria below:
- Merchant level 4.
- Have no more than 3 electronic environments.*
- Transact less than 20,000 cards annually and no more than 10,000 Visa cards within the suspected compromise period.
- Do not process transactions using a Virtual Terminal or EPDQ.
IntaForensics are experts in the investigation of payment card related data breaches and also operate an accredited laboratory under the ISO 17025:2005 standard at our Nuneaton Laboratory HQ, as required by the Forensic Science Regulator in the UK. This is unique in the industry.
Our team have been actively involved in conducting payment card investigations for acquiring banks and credit card brands since 2007. All of our staff are National Security Cleared to SC standard, as well as security vetted by law enforcement to NPPV-3 and through the DBS service. Our staff are fully trained in forensic incident response procedures and investigation techniques and are able to help our clients react to, recover from and remediate against future cyber data breaches. Part of our service is to assist clients in communicating with the parties they need to inform and to provide added-value, plain English reporting on incidents.
Our team have extensive experience of conducting forensic and cyber incident response investigations for a wide range of organisations across all business sectors. In addition, we also provide services to and work in conjunction with law-enforcement agencies, the ICO and law firms within the legal/litigation and criminal defence sector.
IntaForensics’ highly experienced and dedicated PFI team are available to respond immediately on behalf of any entity that may have been subject to a data breach resulting in the loss (or suspected loss) of cardholder data. Following a set methodology and using tried and trusted techniques, our specialised PFI investigators use their skills and knowledge to work with you in containing, investigating and remediating any data breach incident. Our experience in conducting PCI related forensic investigations is built upon our team’s unique blend of prior experience, including working within a major card brand. Our close working relationships with acquiring banks ensure that we are fully aware of their requirements, so that all PCI Program criteria and deadlines are met.
Damian joined IntaForensics from Visa Europe where he was Head of their Data Compromise Management Team. He had responsibility for the overall management of data compromise incidents involving Visa payment card data, identification of emerging threats and the provision of quality intelligence. Damian worked closely with a number of Visa Europe and Visa Inc. teams, issuing and acquiring members and the PFI/QSA community to assist and support investigations into data breach attacks. He was responsible for creating and implementing strategies to ensure compliance with PCI DSS requirements and, where necessary, applying appropriate sanctions for breaches of Visa Europe’s Operating Regulations. With over three decades of Law Enforcement experience, predominantly in investigative and supervisory roles, Damian is regularly invited to deliver keynote presentations at industry events. As head of Northamptonshire Police Hi-Tech Crime Unit he was a practitioner of forensic examinations, network investigations and covert internet investigations.
Andrew Bassi is our Principal Forensic Investigator (Core PFI). With over 8 years of experience in the specialised field of PFI investigations, as well as being a qualified QSA, Andrew has conducted a large number of PFI investigations and is a well-known and highly respected expert. Prior to working in Digital Forensics, Andrew gained invaluable experience as a senior IT Administrator with SunGard. It was here that he gained an understanding of the systems used to protect IT assets within large organisations and the effort involved in running these systems. Andrew was responsible for IT security across UK sites and gained invaluable experience maintaining the SunGard firewall systems and internal scanning / patching systems. Andrew was the youngest member of the SunGard Incident Response Team (SIRT) and actively contributed to the content of the Incident Response Plan and procedures.
Andrew manages a team of PFI investigators who between them possess many years of digital forensic investigation experience having joined IntaForensics from a diverse range of backgrounds including academia, law enforcement, Government Agencies and the corporate world.