Who is this service for?
PFI Lite Investigations are a Visa Europe program for merchants that have suffered a breach of cardholder data and have been instructed that they must undertake an investigation using an approved PFI Vendor. This includes customers who have been contacted by their acquiring bank and required to perform a ‘PFI Lite’ investigation. Entities must meet all of the criteria below:
- Merchant level 4.
- Have no more than 3 electronic environments.*
- Transact less than 20,000 cards annually and no more than 10,000 Visa cards within the suspected compromise period.
- Do not process transactions using a Virtual Terminal or EPDQ.
*An electronic environment in this instance is a single server, workstation or laptop computer.
If your business does not meet these requirements then you should consider a full PFI.
What is involved?
Once the PFI Lite investigation is initiated, it proceeds through a number of phases, which are detailed below. Please note that the final report must be submitted within 40 working days and depends on elements that must be completed by the merchant.
- Information Gathering & Data Harvesting – this phase seeks to gather all pertinent information related to the compromise and acquire evidential copies of machines that may have been involved/attacked.
- Triage – All gathered data is analysed for common hallmarks of malicious activity. Results are examined by hand and used to determine if the data requires full investigation.
- Investigation – Full investigation of the forensic artefacts located during triage. PFI Lite investigations are limited in scope; however, the investigation phase seeks to answer (where possible):
- The method of compromise
- Threat Actors involved
- Cardholder Data that was at risk or stolen
- Timeframes involved
- Remediation actions required
- Reporting – A summary of the investigation, in an industry-set format, is sent to your Acquiring Bank and Visa Europe.
Additionally, the merchant is responsible for the following (IntaForensics will provide assistance as necessary):
- Fully outsourcing all payment facilities to a third-party Payment Provider
- Completing a Self-Assessment Questionnaire (SAQ)
- Conducting a scan by an Approved Scanning Vendor (ASV)
For a merchant who has suffered a data breach, IntaForensics aim to provide more than simply a regulatory service. In addition to assisting with the compliance steps above, IntaForensics PFI Investigators will also provide the following enhanced services:
Advisory Reporting – a report providing advice on systems security based on what has been observed and found during the compliance investigation. This will highlight ways to minimise risk in future.
Client Portal – throughout our engagement with an organisation, we will provide a client portal to communicate with stakeholders and keep them up to date with progress and observations during the whole process.
How do I get started?
Time is of the essence! Please contact us immediately on +44 (0) 2477 717 780 and IntaForensics will arrange a review call with one of our PFI team to ensure your requirements are properly met.
This in turn will determine:
- If the investigation is suitable for a remote engagement or would be better addressed with an on-site visit.
- The scope of the investigation.
- The investment profile.
We have a number of documents that will assist in the information gathering phase and can be shared with your third parties (such as hosting providers, developers, etc.).