PCI DSS Forensic Investigations
In today’s technology-driven world, the acceptance of card payments is regarded as a fundamental aspect of any business. The theft of payment card data is a highly lucrative enterprise, with criminals investing considerable time, energy and resources into locating, stealing and illegally utilising payment cards to commit widespread and costly fraud.
Merchants and payment service providers have a duty to maintain cardholder data securely. Failure to do so can result in significant financial penalties if they are a victim of a data compromise or are found to be non-compliant with the PCI DSS standard. Organisations which hold cardholder data are also subject to the authority of the Information Commissioner’s Office (ICO) who can impose substantial fines for breaches of data protection legislation.
The sooner an organisation responds to a potential breach, the lower the likely penalties and sanctions will be. It therefore makes sense to deal with a company which has substantial resources to deploy quickly to identify the causes and methods by which cardholder data has been compromised. Speed of deployment and analysis is vital and can save substantial sums for organisations. Where such breaches have occurred, the merchant or payment service provider identified as the Common Point of Purchase (CPP) will be mandated to conduct a PFI Investigation or an Acquirer-led Independent Investigation. This is to immediately contain, investigate and remediate the incident and eliminate the risk of fraudulent access to cardholder data.
PCI Forensic Investigators (PFIs) are licensed by the PCI Security Standards Council. IntaForensics are a PFI Company and licensed to conduct investigations throughout Europe.
PFI Forensic Investigation
Who is this Service For?
PFI Investigations are designed for merchants and service providers that have suffered a breach of cardholder data and have been instructed, by their acquiring bank, to undertake an investigation using an approved PFI Vendor. This process is regulated by the PCI Council and the card brands. These are designed for merchants who are level 1 or 2, or who have specifically been requested to have a PFI.
Independent Investigation
Who is this Service For?
Independent Investigations are designed for merchants that have suffered a breach of cardholder data and have been instructed that they must undertake an investigation. This process is managed by your acquiring bank and is designed for merchants who are level 3 or 4.
The PFI Investigation Process
A thorough scoping exercise is conducted to establish the full scope of the investigation. This will include the Cardholder Data Environment (CDE) and any connected systems where payment card data is stored, processed or transmitted.
Forensic acquisition of relevant evidence and data for investigation. This may be done either on-site or remotely. This data will undergo processing, triage and review.
Advice will be provided regarding containment of the incident, and evidence of successful containment is required to assure the major card schemes that the identified vulnerabilities have been addressed.
A comprehensive final report will be prepared and submitted to all stakeholders; this includes the affected entity, their acquiring bank and the major card schemes.
As regular customers of IntaForensics, I highly recommend the company for the services delivered by Damian Walton and his team. I couldn’t praise their Cyber Essentials services and support highly enough.
Ryan James, Managing Director - nFocus