PCI DSS Incident Response Plan

I. Introduction

This Incident Response Plan defines what constitutes a security incident specific to the USCG cardholder data environment (CDE) and outlines the incident response phases.

For the purpose of this Plan, an incident is an event in which cardholder data in any format -- physical or digital media (truncated card numbers are not cardholder data) -- has been or is believed to be lost, stolen, or accessed by an individual unauthorized to do so. This Incident Response Plan is dependent upon the merchant and/or CDE Resource and Data Owners being compliant with the Payment Card Industry Data Security Standard (PCI DSS) and all applicable USCG IT Security policies.

Please note that USCG does not transmit, handle, or store cardholder data. USCG utilizes a secure third-party merchant (Braintree) to transmit and store all cardholder data. USCG's web provider vendor, w3 Global Solutions, maintains a Certificate of PCI DSS Merchant Compliance from Security Metrics.

This Incident Response Plan will be reviewed and tested annually by the PCI Governance Group to account for changes to/updates in the environment and/or industry trends.

II. Incident Response Roles and Responsibilities

A. Business Unit

The Business Unit must establish policies and/or procedures for card handlers, including back office personnel, and IT administrative staff that address incident reporting both internally and to membership of the PCI Incident Response Team.

In the event of a breach or suspected breach of credit card information, the Business Unit will be responsible for:

B. Card Handlers and Back Office Personnel

USCG staff is responsible for following the incident discovery, reporting, and response procedures identified in Section III below and as directed by the USCG PCI Incident Response Team.

C. USCG Legal Counsel

USCG Legal Counsel will be responsible for determining any obligation to report a breach for compliance with applicable Data Breach Laws.

D. The USCG PCI Incident Response Team

The USCG PCI Incident Response Team will consist of, at a minimum, members from the financial department, members from the legal department, the PCI Compliance Officer, and a member from the website vendor.

All PCI related incidents are to be reported to and managed by the USCG PCI Incident Response Team. The PCI Response Team will review all incidents to determine if a breach has occurred and will assist the affected parties in mitigating future exposure of cardholder data and the associated risks. In addition, the PCI Response Team will make a determination regarding whether USCG policies and/or processes need to be revised or created, to avoid a similar incident in the future and whether additional safeguards are required. The PCI Response Team will determine whether breach notification to the card brands and/or the card holders is required or warranted and will approve and direct any notification and/or reporting required.

III. Incident Response Phases

A. Incident Discovery

Anytime a customer or USCG staff member reasonably believes USCG customer credit card information may be at risk, the employee should report it in accordance with the established policies and/or procedures. The following are examples of events or observations that should be reported.

B. Event Assessment

A member of the USCG PCI Response Team shall document when an incident is reported, by whom, and what is being reported. All documentation related to the incident must be maintained on secure USCG resources.

A reported incident will be assessed by the PCI Response Team. The PCI Response Team will make a determination regarding whether the event put cardholder data at risk and should be elevated to a possible breach. An event involving loss or theft of media containing full card numbers (whether encrypted or not) will automatically be elevated to possible breach status. If the PCI Response Team determines that no cardholder data was put at risk by the reported incident, the PCI Response Team will close the incident, but it may also require the Business Unit or Merchant involved to put corrective measures in place. If the PCI Response Team determines that cardholder data was put at risk by the reported incident, the PCI Response Team will elevate the incident to a possible breach status.

C. Breach Assessment

Once an incident has been elevated, isolation or containment processes for the affected cardholder data environment will be determined and implemented by the Merchant/Business Unit responsible for the resource, and the PCI Response Team will begin a formal investigation. After the investigation, the PCI Response Team will make a probability-of-breach determination and follow the resulting reporting obligations. The PCI Response Team will make a decision as to whether to bring in a PCI Forensics Investigator to perform a complete forensics investigation and impact determination as defined by the Payment Card Industry Security Standards Council (PCI SSC). The PCI Response Team, working with the Merchant/Business Unit, will identify the potential number of affected card numbers.

D. Reporting

All notices and reports to the State, payment card processor, global payment brands, acquiring banks, law enforcement, and cardholders will be submitted to the PCI Response Team for review and approval prior to distribution.

E. Post Breach Determination Activities

The Merchant/Business Unit affected will perform and document a root cause remediation, with assistance from the PCI Response Team. The PCI Response Team will conduct a recovery and compliance verification of the Merchant/Business Unit. The PCI Response Team will conduct a post-incident meeting to review the incident and determine what, if any, corrective adjustments to the CDE and related policies and procedures are needed to help prevent a similar event, as well as whether any adjustment to the Incident Response Plan itself is needed. If adjustments are needed, the PCI Response Team will establish a corrective action plan and assign it to the entity responsible for the area needing adjustment. The PCI Response Team will document the assessment and resolution and will close the incident.
