Who is this service for?
PFI Investigations are designed for merchants and service providers that have suffered a breach of cardholder data and have been instructed that they must undertake an investigation using an approved PFI Vendor. This includes customers who have been contacted by their acquiring bank and required to perform a ‘PFI’ investigation. All entities that meet one or more of the criteria below will require a PFI investigation in the event of a cardholder / payment data breach:
- Merchant Level 1-3
- Are a Service Provider
- Have more than 3 electronic environments. *
- Transact more than 20,000 cards annually or more than 10,000 within the suspected compromise period
- Process transactions using a Virtual Terminal or EPDQ
*An electronic environment in this instance is a single server, workstation or laptop computer.
If your business is a Level 4 merchant, has 3 or fewer electronic environments and does not process via a virtual terminal or EPDQ, then you may be eligible for the (Visa Europe only) PFI-Lite Service.
What is involved?
Once the PFI investigation is initiated, a number of phases are involved; these are detailed below. In addition to these phases, IntaForensics will assist with the removal of Sensitive Authentication Data (SAD), which must be confirmed within 30 days of a merchant’s bank receiving a breach notification.
- Information Gathering & Data Harvesting – this phase seeks to gather all pertinent information related to the compromise and acquire evidential copies of machines that may have been involved/attacked. IntaForensics staff trained in PFI investigations will conduct interviews and utilise forensic tools to gather information and forensic data.
- Triage – All gathered data is analysed for common hallmarks of malicious activity. Results are examined by hand and used to determine if the data requires full investigation.
- Investigation – Full investigation of forensic artefacts located during triage. If no artefacts are found during triage, the investigation phase is used to perform a deep analysis of each machine to determine whether any compromise has occurred. The investigation phase seeks to answer the following questions (where possible):
- The method of compromise
- Threat Actors involved
- Cardholder Data that was at risk or stolen
- Timeframes involved
- Remediation actions required
- Reporting – A summary of the investigation, in an industry-set format, is sent to your Acquiring Bank and all relevant card schemes.
For a merchant who has suffered a data breach, IntaForensics aim to provide more than simply a regulatory service. In addition to assisting with the compliance steps above, IntaForensics PFI Investigators will also provide the following enhanced services:
- Advisory Reporting – a report providing advice on systems security based on what has been observed and found during the compliance investigation. This will highlight ways to minimise risk in future.
- Client Portal – throughout our engagement with an organisation we will provide a client portal to communicate and keep stakeholders up to date with progress and observations during the whole process.
How do I get started?
Time is of the essence! Please contact us immediately on +44 (0) 2477 717 780 and IntaForensics will arrange a review call with one of our PFI team to ensure your requirements are properly met.
This in turn will determine:
- If the investigation is suitable for a remote engagement or would be better addressed with an on-site visit
- The scope of the investigation
- The investment profile
We have a number of documents that will assist in the information gathering phase and can be shared with your third parties (such as hosting providers, developers, etc.).