PCI DSS Incident Response Plan
This Incident Response Plan defines what constitutes a security incident specific to the USCG cardholder data environment (CDE) and outlines the incident response phases. The following is subject to our universal terms of service.
For the purpose of this Plan, an incident is an event in which cardholder data in any format -- physical or digital media (truncated card numbers are not cardholder data) -- has been or is believed to be lost, stolen, or accessed by an individual unauthorized to do so. This Incident Response Plan is dependent upon the merchant and/or CDE Resource and Data Owners being compliant with the Payment Card Industry Data Security Standard (PCI DSS) and all applicable USCG IT Security policies.
Please note that USCG does not transmit, handle, or store cardholder data. USCG utilizes a secure third-party merchant (Braintree) to transmit and store all cardholder data. USCG's web provider vendor, w3 Global Solutions, maintains a Certificate of PCI DSS Merchant Compliance from Security Metrics.
This Incident Response Plan will be reviewed and tested annually by the PCI Governance Group to account for changes to/updates in the environment and/or industry trends.
II. Incident Response Roles and Responsibilities
A. Business Unit
The Business Unit must establish policies and/or procedures for card handlers, including back office personnel, and IT administrative staff that address incident reporting both internally and to membership of the PCI Incident Response Team.
In the event of a breach or suspected breach of credit card information, the Business Unit will be responsible for:
- Documentation specific to the incident
- Activities and actions required for escalation
- Notification and response
- Any fines, judgments, and legal fees and expenses associated with the event
- Corrective actions to remediate causes for the breach
- Actions to bring affected systems, environments, and entities into compliance with the PCI DSS
- All costs associated with the above
B. Card Handlers and Back Office Personnel
USCG staff is responsible for following the incident discovery, reporting, and response procedures identified in Section III below and as directed by the USCG PCI Incident Response Team.
C. USCG Legal Counsel
USCG Legal Counsel will be responsible for determining any obligation to report a breach for compliance with applicable Data Breach Laws.
D. The USCG PCI Incident Response Team
The USCG PCI Incident Response Team will consist of, at a minimum, members from the financial department, members from the legal department, the PCI Compliance Officer, and a member from the website vendor.
All PCI-related incidents are to be reported to and managed by the USCG PCI Incident Response Team. The PCI Response Team will review all incidents to determine if a breach has occurred and will assist the affected parties in mitigating future exposure of cardholder data and the associated risks. In addition, the PCI Response Team will make a determination regarding whether USCG policies and/or processes need to be revised or created to avoid a similar incident in the future, and whether additional safeguards are required. The PCI Response Team will determine whether breach notification to the card brands and/or the cardholders is required or warranted and will approve and direct any notification and/or reporting required.
III. Incident Response Phases
A. Incident Discovery
Any time a customer or USCG staff member reasonably believes USCG customer credit card information may be at risk, the employee should report it in accordance with the established policies and/or procedures. The following are examples of events or observations that should be reported.
- The loss or theft of any form of media or hardware used as a point of interaction with credit card data. (Thefts should also be reported to the proper law enforcement agency at the time of the incident, and the Merchant and/or USCG must maintain a record of the report in accordance with USCG record retention policies.)
- Any signs of tampering with software/hardware used as a point of interaction with credit card data.
- Virus or malware detection on any system that stores, transmits, processes, or accesses credit card data.
- Any system event or alert indicating a possible compromise or unauthorized access to a system that stores, transmits, processes, or accesses credit card data.
- Any violation of PCI policy or standards.
B. Event Assessment
A member of the USCG PCI Response Team shall document when an incident is reported, by whom, and what is being reported. All documentation related to the incident must be maintained on secure USCG resources.
A reported incident will be assessed by the PCI Response Team. The PCI Response Team will make a determination regarding whether the event put cardholder data at risk and should be elevated to a possible breach. An event involving loss or theft of media containing full card numbers (whether encrypted or not) will automatically be elevated to possible breach status. If the PCI Response Team determines that no cardholder data was put at risk by the reported incident, the PCI Response Team will close the incident, but it may also require the Business Unit or Merchant involved to put corrective measures in place. If the PCI Response Team determines that cardholder data was put at risk by the reported incident, the PCI Response Team will elevate the incident to a possible breach status.
C. Breach Assessment
Once an incident has been elevated, isolation or containment processes for the affected cardholder data environment will be determined and implemented by the Merchant/Business Unit responsible for the resource, and the PCI Response Team will begin a formal investigation. After the investigation, the PCI Response Team will make a probability-of-breach determination and follow the resulting reporting obligations. The PCI Response Team will make a decision as to whether to bring in a PCI Forensics Investigator to perform a complete forensics investigation and impact determination as defined by the Payment Card Industry Security Standards Council (PCI SSC). The PCI Response Team, working with the Merchant/Business Unit, will identify the potential number of affected card numbers.
All notices and reports to the State, payment card processor, global payment brands, acquiring banks, law enforcement, and cardholders will be submitted to the PCI Response Team for review and approval prior to distribution.
E. Post Breach Determination Activities
The Merchant/Business Unit affected will perform and document a root cause remediation, with assistance from the PCI Response Team. The PCI Response Team will conduct a recovery and compliance verification of the Merchant/Business Unit. The PCI Response Team will conduct a post-incident meeting to review the incident and determine what, if any, corrective adjustments to the CDE and related policies and procedures are needed to help prevent a similar event, as well as whether any adjustment to the Incident Response Plan itself is needed. If adjustments are needed, the PCI Response Team will establish a corrective action plan and assign it to the entity responsible for the area needing adjustment. The PCI Response Team will document the assessment and resolution and will close the incident.