
Page 1

Computer Security Incident Response Plan

Credit Information Incident Playbook

November 2016

Draft

Page 2

Content Sources

VISA − What To Do If Compromised, Visa Supplemental Requirements: Version 5.0 (Global), Effective August 2016, Visa Public. https://usa.visa.com/dam/VCOM/download/merchants/cisp-what-to-do-if-compromised.pdf

MasterCard − Account Data Compromise User Guide, 04 February 2016

Page 3

Table of Contents

Playbook Objective Statement

Resources and Contacts

Page 4

Objectives

Playbook Goal − This playbook is designed to respond in the event of a successful credit information breach.

Detection and Response
− Enable staff to report phishing attempts
− Create a reporting portal: [email protected]

Page 5

CSIRP Perspectives

Include the illustration on how a card is processed

Definitions
− Cardholder: Non-consumer or consumer customer to whom a payment card is issued, or any individual authorized to use the payment card.
− Merchant: For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers.
− Acquirer: Also referred to as “merchant bank,” “acquiring bank,” or “acquiring financial institution”. Entity, typically a financial institution, that processes payment card transactions for merchants and is defined by a payment brand as an acquirer. Acquirers are subject to payment brand rules and procedures regarding merchant compliance. See also Payment Processor.

Page 6

CSIRP Perspectives

Include the illustration on how a card is processed

Definitions
− Issuer: Entity that issues payment cards or performs, facilitates, or supports issuing services including but not limited to issuing banks and issuing processors. Also referred to as “issuing bank” or “issuing financial institution.”
− Card Network:

Page 7

PCI DSS v 3.2 Guidelines for Cardholder Data Elements

1 Sensitive authentication data must not be stored after authorization (even if encrypted)
2 Full track data from the magnetic stripe, equivalent data on the chip, or elsewhere
3 The three- or four-digit value printed on the front or back of a payment card
4 Personal Identification Number entered by cardholder during a transaction, and/or encrypted PIN block present within the transaction message

Page 8

PCI DSS v 3.2 Guidelines for Cardholder Data Elements

Data Element                        Storage Permitted   Render Stored Data Unreadable per Requirement 3.4
Cardholder Data
  Primary Account Number (PAN)      Yes                 Yes
  Cardholder Name                   Yes                 No
  Service Code                      Yes                 No
  Expiration Date                   Yes                 No
Sensitive Authentication Data (1)
  Full Track Data (2)               No                  Cannot store per Requirement 3.2
  CAV2/CVC2/CVV2/CID (3)            No                  Cannot store per Requirement 3.2
  PIN/PIN Block (4)                 No                  Cannot store per Requirement 3.2

Notes 1–4: see Page 7.
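The table above is the rule set an incident team ends up applying to every record it logs, stores or attaches to a ticket during a card breach: cardholder data may be kept (with the PAN rendered unreadable), sensitive authentication data may not be kept at all. The following Python is an added example written for this playbook, not code from the deck or from PCI SSC; it encodes the table as a record sanitizer, uses truncation and a keyed hash as two of the Requirement 3.4 methods, and adds a Luhn-filtered scan that finds cleartext PANs in free text such as log lines. The field names, the hash key and every sample value are constructed for the example.

```python
"""Added example for this playbook (not part of the original deck): apply the
PCI DSS v3.2 data element table to a record before it is logged or stored,
and scan free text for cleartext PANs that should not be there.

Encoded from the table:
  - Cardholder data (PAN, name, service code, expiration date): storage
    permitted; only the PAN must be rendered unreadable (Requirement 3.4).
  - Sensitive authentication data (full track data, CAV2/CVC2/CVV2/CID,
    PIN/PIN block): cannot be stored after authorization (Requirement 3.2).
Field names, the hash key and all sample values are constructed for the example.
"""
import hashlib
import hmac
import re

# Sensitive authentication data: removed outright, in any form.
SAD_FIELDS = {"track1", "track2", "cav2", "cvc2", "cvv2", "cid", "pin", "pin_block"}
PAN_FIELD = "pan"
# Assumed deployment secret for the keyed hash; load it from a key manager in practice.
PAN_HASH_KEY = b"example-only-key-not-for-production"

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit validation; filters out order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation, one of the Requirement 3.4 methods: keep first six and last four."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def hash_pan(pan: str) -> str:
    """Keyed one-way hash of the full PAN, another Requirement 3.4 method."""
    digits = re.sub(r"\D", "", pan).encode()
    return hmac.new(PAN_HASH_KEY, digits, hashlib.sha256).hexdigest()


def sanitize_record(record: dict) -> dict:
    """Return a copy of an authorization record that is permitted to be stored."""
    stored = {}
    for key, value in record.items():
        if key in SAD_FIELDS:
            continue                               # cannot store per Requirement 3.2
        if key == PAN_FIELD:
            stored["pan_truncated"] = truncate_pan(value)
            stored["pan_hash"] = hash_pan(value)   # lets records be matched without the PAN
            continue
        stored[key] = value                        # storage permitted, unreadable not required
    return stored


def find_pans_in_text(text: str) -> list:
    """Digit strings in free text (a log line, a ticket) that pass the Luhn check."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def redact_text(text: str) -> str:
    """Replace every Luhn-valid PAN in the text with its truncated form."""
    def repl(match):
        digits = re.sub(r"\D", "", match.group())
        return truncate_pan(digits) if luhn_valid(digits) else match.group()
    return PAN_CANDIDATE.sub(repl, text)


# Constructed sample input: a post-authorization message that still carries SAD.
SAMPLE_AUTH_RECORD = {
    "pan": "4111 1111 1111 1111",          # Luhn-valid test number, not a real account
    "cardholder_name": "J DOE",
    "expiration_date": "1219",
    "service_code": "201",
    "track2": "4111111111111111=12192011234567890",
    "cvv2": "123",
}
# Constructed sample log line with a cleartext PAN and an unrelated 13-digit order id.
SAMPLE_LOG_LINE = "INFO auth ok pan=4111 1111 1111 1111 amount=12.00 order=1234567890123"

if __name__ == "__main__":
    print(sanitize_record(SAMPLE_AUTH_RECORD))
    print(find_pans_in_text(SAMPLE_LOG_LINE))
    print(redact_text(SAMPLE_LOG_LINE))
```

The Luhn filter matters for the text scan: without it, every long numeric order or ticket id in a log would be flagged as a PAN, and the redaction would mangle data the team needs. The keyed hash is stored next to the truncated PAN so that later CAMS or CPP work can match accounts across records without ever re-materialising the full number.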

Page 9

Indicators of a Credit Information Data Breach

• Credit Card Company (VISA, Mastercard, American Express, Discover) notification to NDCBF as a Common Point of Purchase Identification (CPP)
  − CPP is the result of a process used by banks to determine the source of the card breach. They use this process to determine whether all of the cards hacked had been used at the same merchant over the same time period.
• Customer complaints of fraudulent activity on payment cards
• Bank reports of fraud after legitimate use
• Abnormal activity/behavior of Point of Sale (POS)
• Law enforcement notification

Page 10

MasterCard

• To comply with MasterCard Security Rules and Procedures section 10.2.2, the customer must contact MasterCard immediately when they become aware of a Potential ADC Event or an ADC Event.

Source: MasterCard Overview of the Reporting of an ADC Event or Potential ADC Event

Page 11

MasterCard

• A security vulnerability in a payment processing environment may not immediately be known; however, there may be indicators of a security breach, unauthorized activity, or possible signs of misuse within the payment environment that may indicate an ADC Event or Potential ADC Event. ADC Events can include, but are not limited to, the following:
• Internet connections originating from non-business-related IP addresses; inbound Internet connections originating from countries without a business relationship to the potentially compromised entity; outbound Internet connections to non-business-related IP addresses, countries, or both
• Log-in activity from unknown or inactive user IDs, or excessive or unusual login activity from user IDs
• Multiple instances of remote access tools present on systems in an "always on" mode

Page 12

MasterCard

• Presence (in network systems or environments) of malware, suspicious files, or executables and programs, or presence of unusual activity or volume in same
• SQL injection or other suspicious activity on Web-facing systems
• POS terminals and ATM devices showing signs of tampering
• Key-logger found
• Card-skimming devices found
• Lost, stolen, or misplaced sales receipt
• Lost, stolen, or misplaced payment card data
• Lost, stolen, or misplaced computers, laptops, hard drives, or other devices that contain MasterCard payment card data
• Files containing MasterCard account data mistakenly transmitted to an unauthorized party
• Suspicious e-mail or File Transfer Protocol (FTP) activity occurring on network systems.
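Two of the MasterCard indicators listed on the previous page, log-in activity from unknown or inactive user IDs and excessive login activity from a single user ID, can be screened for automatically against the authentication logs of POS and back-office systems. The following Python is an added example written for this playbook, not code from the deck or from MasterCard's guide; the log format, the user rosters, the threshold and window, and the sample log lines are all constructed for the example.

```python
"""Added example for this playbook (not from the deck or MasterCard's guide):
screen an authentication log for two ADC indicators, log-in activity from
unknown or inactive user IDs and excessive login activity from a single user
ID. The log format, user rosters, threshold, window and sample lines are all
constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed rosters, as an IAM export would supply them.
ACTIVE_USERS = {"pos01", "pos02", "mgr_smith"}
INACTIVE_USERS = {"temp_2015"}       # disabled accounts that still exist on systems

# Assumed tuning: more than this many login events per user inside WINDOW is "excessive".
MAX_LOGINS_PER_WINDOW = 5
WINDOW = timedelta(minutes=10)

# Constructed sample: one night of POS logins. pos02 has six attempts in three
# minutes, temp_2015 is a disabled account, svc_backup is not on any roster.
SAMPLE_AUTH_LOG = """\
2016-11-02T03:10:05Z LOGIN user=pos01 src=10.0.5.21 result=success
2016-11-02T03:11:40Z LOGIN user=temp_2015 src=10.0.5.80 result=success
2016-11-02T03:12:01Z LOGIN user=svc_backup src=10.0.5.80 result=success
2016-11-02T03:12:05Z LOGIN user=pos02 src=10.0.5.22 result=failure
2016-11-02T03:12:09Z LOGIN user=pos02 src=10.0.5.22 result=failure
2016-11-02T03:12:14Z LOGIN user=pos02 src=10.0.5.22 result=failure
2016-11-02T03:13:30Z LOGIN user=pos02 src=10.0.5.22 result=failure
2016-11-02T03:14:02Z LOGIN user=pos02 src=10.0.5.22 result=failure
2016-11-02T03:14:55Z LOGIN user=pos02 src=10.0.5.22 result=success
2016-11-02T04:30:00Z LOGIN user=pos01 src=10.0.5.21 result=success
"""


def parse_auth_log(text: str) -> list:
    """Turn 'timestamp LOGIN key=value ...' lines into dicts; skip other lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[1] != "LOGIN":
            continue
        event = {"time": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")}
        for field in parts[2:]:
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return events


def unknown_and_inactive_users(events: list) -> dict:
    """User IDs that logged in but are disabled or absent from the roster."""
    seen = {e["user"] for e in events}
    return {
        "inactive": sorted(seen & INACTIVE_USERS),
        "unknown": sorted(seen - ACTIVE_USERS - INACTIVE_USERS),
    }


def excessive_logins(events: list) -> dict:
    """Per user, the most login events inside any WINDOW; keep users over the limit."""
    times = defaultdict(list)
    for e in events:
        times[e["user"]].append(e["time"])
    flagged = {}
    for user, stamps in times.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):          # sliding window over sorted times
            while t - stamps[start] > WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > MAX_LOGINS_PER_WINDOW:
            flagged[user] = peak
    return flagged


def screen_auth_log(text: str) -> dict:
    """Run both indicator checks and return the findings for the incident ticket."""
    events = parse_auth_log(text)
    findings = unknown_and_inactive_users(events)
    findings["excessive"] = excessive_logins(events)
    return findings


if __name__ == "__main__":
    print(screen_auth_log(SAMPLE_AUTH_LOG))
```

The sliding window counts successes and failures alike, because the indicator is about volume of activity from one ID, not about failed attempts only; a burst of successful logins from a POS account outside trading hours is as much a finding as a burst of failures. Findings are returned as plain data so they can be pasted into the ticket the post-incident page asks for.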

Page 13

VISA – Required Steps for Potentially Compromised Entities

Preserve Evidence (page 1 of 2)
• To identify the root cause and facilitate investigations, it is important to ensure the integrity of the system components and environment by preserving all evidence.
• Do not access or alter compromised system(s) (e.g., do not log on to the compromised system(s) and change passwords; do not log in with administrative credentials). Visa strongly recommends that the compromised system(s) be taken offline immediately and not be used to process payments or interface with payment processing systems.
• Do not turn off, restart, or reboot the compromised system(s). Instead, isolate the compromised system(s) from the rest of the network by unplugging the network cable(s) or through other means.

Page 14

VISA – Required Steps for Potentially Compromised Entities

Preserve Evidence (page 2 of 2)
• Identify and document all suspected compromised components (e.g. PCs, servers, terminals, logs, security events, databases, PED overlays, etc.).
• Document containment and remediation actions taken, including dates/times (preferably in UTC), individuals involved, and detailed actions performed.
• Preserve all evidence and logs (e.g. original evidence such as forensic image of systems and malware, security events, web logs, database logs, firewall logs, etc.).
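The evidence steps above come down to three things a PFI will later ask for: what was collected, when (in UTC) and by whom, and proof that it has not changed since. The following Python is an added example written for this playbook, not code from the deck or from Visa's guide; it keeps a small custody register with a SHA-256 hash per item and re-hashes the item to show whether it is still intact. The register format, file names and the sample log content are constructed for the example.

```python
"""Added example for this playbook (not from the deck or Visa's guide):
a minimal evidence register that records, for each preserved item, a SHA-256
hash, the UTC time, the person handling it and the action taken, and later
re-hashes the item to show whether it is still intact. File names and the
sample log content are constructed; the register format is an assumption.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Hash a file in chunks so forensic images of any size can be registered."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def utc_now() -> str:
    """Timestamps in UTC, as the evidence step above asks for."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def register_item(register: list, path: str, description: str, handled_by: str, action: str) -> dict:
    """Append one custody entry for the item at `path` and return it."""
    entry = {
        "item": os.path.basename(path),
        "path": os.path.abspath(path),
        "description": description,
        "sha256": sha256_file(path),
        "time_utc": utc_now(),
        "handled_by": handled_by,
        "action": action,
    }
    register.append(entry)
    return entry


def verify_item(entry: dict) -> bool:
    """True if the file still matches the hash recorded when it was registered."""
    return os.path.exists(entry["path"]) and sha256_file(entry["path"]) == entry["sha256"]


def save_register(register: list, path: str) -> None:
    """Write the register as JSON so it can be handed to the PFI with the evidence."""
    with open(path, "w") as f:
        json.dump(register, f, indent=2)


def demo() -> tuple:
    """Constructed walk-through: register a firewall log, verify it, then show that
    a later modification is detected. Returns (entries, intact_before, intact_after)."""
    with tempfile.TemporaryDirectory() as workdir:
        log_path = os.path.join(workdir, "firewall.log")
        with open(log_path, "wb") as f:            # constructed evidence content
            f.write(b"2016-11-02T03:12:01Z DENY 203.0.113.9 -> 10.0.5.80:3389\n")
        register = []
        register_item(register, log_path, "Perimeter firewall log, POS VLAN", "A. Analyst", "acquired")
        intact_before = verify_item(register[0])
        with open(log_path, "ab") as f:            # simulate an unintended change
            f.write(b"edited\n")
        intact_after = verify_item(register[0])
        save_register(register, os.path.join(workdir, "custody.json"))
        return register, intact_before, intact_after


if __name__ == "__main__":
    entries, before, after = demo()
    print(json.dumps(entries, indent=2), before, after)
```

Hash the original once at acquisition and work only on copies; the register then answers the PFI's integrity question for every item without anyone having to touch the compromised system again.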

Page 15

VISA – Required Steps for Potentially Compromised Entities

Provide VISA Initial Investigation Report
• Within three (3) business days of a suspected or confirmed account data compromise, provide the Visa Initial Investigation Report to the acquiring bank (is this Ministrybrands?) or directly to Visa.
• A preliminary investigation is not the same as a PFI preliminary report. The initial investigation will assist Visa in understanding the compromised entity’s network environment and potential scope of the incident.

Page 16

VISA – Required Steps for Potentially Compromised Entities

Execute Notification Plan (page 1 of 2)
• Immediately notify all relevant parties, including your:
  • Internal incident response team and information security group
  • Merchant bank (also known as your acquirer or acquiring bank)
    • If you do not know the name and/or contact information for your merchant bank, contact the Visa Risk team for assistance:
      • U.S. – +1 (650) 432-2978 or [email protected]
      • Canada – +1 (416) 860-3872 or [email protected]
      • Latin America & Caribbean – +1 (305) 328-1593 or [email protected]
      • Asia Pacific (AP) and Central and Eastern Europe, Middle East and Africa (CEMEA) – [email protected]
  • Manufacturer of the impacted payment device if you have determined that the incident involves the compromise of a PIN Entry Device (PED), specifically if it is a PCI PTS-approved device.

Page 17

VISA – Required Steps for Potentially Compromised Entities

Execute Notification Plan (page 2 of 2)
  • Legal department to determine if laws mandating customer notification are applicable.
• Within 48 hours, provide Visa with status of compliance with PCI DSS and, if applicable, PCI Payment Application Data Security Standard (PA-DSS) and PCI PIN Security requirements at the time of the incident.
• It is strongly recommended that you also immediately notify:
  • The appropriate law enforcement agency in the event of an account data compromise.
  • Federal law enforcement if the compromise is in the United States. The United States Secret Service Electronic Crimes Task Forces (ECTF) focuses on investigating financial crimes and can assist with incident response and mitigation of an account data compromise.
  • Visit www.secretservice.gov/investigation for ECTF field office contact information.

Page 18

VISA – Required Steps for Potentially Compromised Entities

Perform Forensic Investigation (page 1 of 6)
• Visa may require a compromised entity to engage a Payment Card Industry Forensic Investigator (PFI) to perform an independent forensic investigation.
• The following factors, among others, may lead Visa to require the compromised entity to conduct a PFI investigation:
  • Fraud loss tied to Common Point of Purchase (CPP) reports
  • Self-reported data security breach affecting payment cards
  • Number of sources reporting entity as potentially compromised
  • Law enforcement or other credible source reports of a data security breach affecting payment cards
  • An entity that has not contained the initial or previous incident (this may be determined through additional CPP reports, data analysis, or other means).
  • Service Provider, Agent, Integrator, Reseller, etc., with remote access to multiple locations

Page 19

VISA – Required Steps for Potentially Compromised Entities

Perform Forensic Investigation (page 2 of 6)
• A Visa Member or compromised entity must engage a PFI to perform a forensic investigation. Visa will NOT accept forensic reports from non-approved forensic companies. It is the Visa Member’s responsibility to ensure its merchant or agent engages a PFI to perform a PFI forensic investigation.
• Visa has the right to directly engage a PFI to perform a forensic investigation as it deems appropriate, and will assess all investigative costs to the appropriate Visa Member. Investigative costs may be in addition to any applicable non-compliance assessments by Visa.

Page 20

VISA – Required Steps for Potentially Compromised Entities

Perform Forensic Investigation (page 3 of 6)
• Upon discovery of an account data compromise, or receipt of an independent forensic investigation notification from Visa, a Member must:
  • Ensure that the PFI is engaged (or the contract is signed) within five (5) business days
  • Ensure initial work is underway and provide the initial forensic (i.e., preliminary) report to Visa within ten (10) business days from when the PFI is engaged (or the contract is signed)
  • Provide a final forensic report to Visa within ten (10) business days of completion of the review
• PFIs must release all forensic investigation reports and findings to Visa.
• Note: Visa has the right to reject a PFI report if it does not meet the PFI requirements established in the PFI Program Guide. PFIs are required to address with Visa, the acquirer, and the compromised entity any discrepancies before finalizing the report.

Page 21

VISA – Required Steps for Potentially Compromised Entities

Perform Forensic Investigation (page 4 of 6)
• For more information on forensic investigation guidelines, please refer to the PCI Forensic Investigator (PFI) Program Guide, located in the PCI SSC document library: www.pcisecuritystandards.org/document_library (Filter by: PFI)
• List of approved PCI Forensic Investigators: https://www.pcisecuritystandards.org/assessors_and_solutions/pci_forensic_investigators
• If there is a suspected PIN compromise, the PFI must perform a PIN security and key management investigation and a PCI PIN security assessment.
• If the PFI engagement is not done according to the requirements stipulated above, it will be deemed a violation of the Visa Rules.

Page 22

VISA – Required Steps for Potentially Compromised Entities

Perform Forensic Investigation (page 5 of 6)
• If advised that a forensic investigation is required, the following timeline must be followed.
• Upon discovery of an account data compromise, or receipt of an independent forensic investigation notification, an entity must:
  • Engage a PFI (or sign a contract) within five (5) business days
  • Provide Visa with the initial forensic (i.e. preliminary) report within ten (10) business days from when the PFI is engaged (or the contract is signed)
  • Provide Visa with a final forensic report within ten (10) business days of completion of the review
• The PFI cannot be an organization that is affiliated with the compromised entity or has provided services to the compromised entity such as previous PFI investigation, Qualified Security Assessor (QSA), advisor, consultant, monitoring or network security support, etc.

Page 23

VISA – Required Steps for Potentially Compromised Entities

Perform Forensic Investigation (page 6 of 6)
• Visa will not accept forensic reports from non-approved PFI forensic organizations. PFIs are required to provide forensic reports and investigative findings directly to Visa.
• A list of approved PFI organizations is available at: www.pcisecuritystandards.org/assessors_and_solutions/pci_forensic_investigators

Page 24

VISA – Required Steps for Potentially Compromised Entities

Provide All Exposed Accounts (page 1 of 2)
• All compromised Visa accounts (known or suspected) must be uploaded to Visa’s Compromised Account Management System (CAMS) within five (5) business days from the first to occur of the following events: (a) the date Visa requests account numbers, (b) a Window of Exposure (WOE) is determined, or (c) discovery of compromised account data is identified.
• Entities should work with their acquiring bank to upload accounts
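The PFI timeline on pages 20 and 22 (engage within five business days, preliminary report ten business days after engagement, final report ten business days after the review ends) and the CAMS rule on this page (five business days from the earliest of three trigger events) are the dates an incident lead has to track from day one. The following Python is an added example written for this playbook, not code from the deck or from Visa's guide; it computes those deadlines from the dates the team actually knows. Visa's text does not define "business day", so Monday to Friday excluding a supplied holiday list is an assumption, as are the sample dates and the holiday.

```python
"""Added example for this playbook (not from the deck or Visa's guide):
compute the Visa deadlines quoted on the forensic investigation and exposed
account pages from the dates an incident team actually knows. "Business day"
is taken to mean Monday to Friday excluding a supplied holiday list; Visa's
text does not define it, so that is an assumption, as are the sample dates.
"""
from datetime import date, timedelta

ENGAGE_PFI_DAYS = 5          # engage PFI within five business days of discovery/notification
PRELIM_REPORT_DAYS = 10      # preliminary report within ten business days of engagement
FINAL_REPORT_DAYS = 10       # final report within ten business days of review completion
CAMS_UPLOAD_DAYS = 5         # CAMS upload within five business days of the earliest trigger


def add_business_days(start: date, count: int, holidays=frozenset()) -> date:
    """Step forward `count` business days from `start`; weekends and holidays do not count."""
    current = start
    while count > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            count -= 1
    return current


def pfi_deadlines(discovery: date, engaged: date = None, review_completed: date = None,
                  holidays=frozenset()) -> dict:
    """Deadlines that can be computed from what is known so far."""
    out = {"engage_pfi_by": add_business_days(discovery, ENGAGE_PFI_DAYS, holidays)}
    if engaged is not None:
        out["preliminary_report_due"] = add_business_days(engaged, PRELIM_REPORT_DAYS, holidays)
    if review_completed is not None:
        out["final_report_due"] = add_business_days(review_completed, FINAL_REPORT_DAYS, holidays)
    return out


def cams_upload_deadline(visa_request: date = None, woe_determined: date = None,
                         compromised_data_found: date = None, holidays=frozenset()) -> date:
    """Five business days from the first of the three trigger events to occur."""
    triggers = [d for d in (visa_request, woe_determined, compromised_data_found) if d is not None]
    if not triggers:
        raise ValueError("no trigger event has occurred yet")
    return add_business_days(min(triggers), CAMS_UPLOAD_DAYS, holidays)


# Constructed sample incident: discovered Wednesday 2 Nov 2016, PFI engaged Monday
# 7 Nov, with Friday 11 Nov treated as an assumed company holiday.
SAMPLE_HOLIDAYS = frozenset({date(2016, 11, 11)})

if __name__ == "__main__":
    print(pfi_deadlines(date(2016, 11, 2), engaged=date(2016, 11, 7), holidays=SAMPLE_HOLIDAYS))
    print(cams_upload_deadline(woe_determined=date(2016, 11, 4),
                               compromised_data_found=date(2016, 11, 2)))
```

Recompute as each trigger date becomes known: discovering compromised account data before Visa asks for numbers or before the Window of Exposure is settled moves the CAMS deadline earlier, never later, because the rule takes the first event to occur.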

Page 25

VISA – Required Steps for Potentially Compromised Entities

Provide All Exposed Accounts (page 2 of 2)
• All parties that upload at-risk accounts must include:
  • Entity name
  • Window of Exposure
  • Data elements at risk (e.g. Primary Account Number (PAN), Track 1 and/or Track 2, CVV2, PIN, Expiration Date, etc.)
  • Bank Identification Number (BIN) (if applicable)
  • Merchant Category Code (MCC) (if applicable)
  • Law Enforcement Investigator Name and Incident Number (if applicable)
  • Investigator name (if applicable)
  • Incident number (if applicable)
• For more information or assistance, contact Visa at: [email protected]

Page 26

VISA – Required Steps for Potentially Compromised Entities

PCI DSS Compliance
• Compromised entities must achieve full PCI compliance by validating to the PCI DSS, PCI PA-DSS and, if applicable, PCI PIN Security Requirements compliance validation per the Visa Rules.

• Note: In the event a compromised entity had a PCI DSS audit performed by a QSA and subsequently suffered an account data compromise, Visa will require that the entity engage a different QSA to perform the ensuing PCI DSS audit required after all remediation items have been completed.

• Please visit www.pcisecuritystandards.org for more information on PCI DSS and the PCI PIN Entry Device Testing Program.

• For more information on PCI PIN Security Requirements, please visit www.visa.com/pinsecurity.

Page 27

Bank of the West

• Commercial Credit Card Services
  • (866) 683-9893
  • [email protected]
• For disputed items
  • Call and they will put a hold on the account and issue a new credit card
  • Have 60 days to clear disputed items

Page 28

Revise this page

Post-Incident Analysis and Forensics

Lessons Learned
Recurrence Prevention
Forensics and Legal Issues
_________
Open a new ticket
Add the IoCs to the new ticket
Link the old ticket together with the new ticket
Resolve the 5K Technical Services ticket

Page 30

CSIRP Perspectives