PCI-DSS Requirement 12.10 mandates that organisations implement an incident response plan that is ready to be activated immediately in the event of a system breach involving cardholder data. The Incident Response module in Venvera helps you manage the full lifecycle of payment card security incidents.
Incident Response Plan Requirements
PCI-DSS requires the incident response plan to include, at minimum:
- Roles, responsibilities, and communication strategies (including notification of card brands)
- Specific incident response procedures aligned with the organisation's environment
- Business recovery and continuity procedures
- Data backup processes
- Analysis of legal requirements for reporting compromises
- Coverage for all critical system components
- Reference or inclusion of incident response procedures from card brands
Breach Notification Requirements
When a payment card data breach is confirmed, multiple parties must be notified. Venvera tracks each notification channel:
| Party | Timing | Details |
|---|---|---|
| Card Brands | Immediately upon confirmation | Each card brand (Visa, Mastercard, Amex, Discover, JCB) has its own notification process. Visa requires notification within 3 business days; Mastercard requires immediate notification via their Account Data Compromise (ADC) program |
| Acquirer / Payment Processor | Immediately | Your acquiring bank must be notified immediately as they are the primary point of contact with card brands |
| Law Enforcement | As required | Report to appropriate law enforcement agencies, particularly if criminal activity is suspected. In the US, contact the FBI and/or Secret Service for large-scale breaches |
| Affected Individuals | Per applicable law | State/national breach notification laws may require notifying affected cardholders. Timing varies by jurisdiction (e.g., 30–60 days in many US states, 72 hours under GDPR) |
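The notification windows in the table above can be turned into concrete deadlines and checked against what has actually been sent. The following is an added example, not Venvera's own code; it assumes Mon-Fri business days with no public holidays, and uses the stricter 30-day end of the US-state range given above.

```python
from datetime import datetime, timedelta, timezone

# Windows taken from the table above. "Immediately" is modelled as a
# zero-length window; the 30-day US-state value is an assumption chosen
# from the 30-60 day range on the page.
NOTIFICATION_WINDOWS = {
    "acquirer": ("immediate", 0),
    "mastercard_adc": ("immediate", 0),
    "visa": ("business_days", 3),
    "gdpr_data_subjects": ("hours", 72),
    "us_state_cardholders": ("days", 30),
}


def add_business_days(start, days):
    """Advance `start` by `days` Mon-Fri business days.

    Weekends are skipped; public holidays are not modelled (assumption).
    """
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Mon=0 .. Fri=4
            remaining -= 1
    return current


def notification_deadlines(confirmed_at):
    """Map each party to its notification deadline, given the confirmation time."""
    deadlines = {}
    for party, (unit, amount) in NOTIFICATION_WINDOWS.items():
        if unit == "immediate":
            deadlines[party] = confirmed_at
        elif unit == "business_days":
            deadlines[party] = add_business_days(confirmed_at, amount)
        elif unit == "hours":
            deadlines[party] = confirmed_at + timedelta(hours=amount)
        elif unit == "days":
            deadlines[party] = confirmed_at + timedelta(days=amount)
    return deadlines


def overdue_notifications(confirmed_at, sent_at, now):
    """Parties whose deadline has passed with no notification recorded.

    `sent_at` maps party -> datetime the notification was actually sent.
    """
    return sorted(
        party for party, deadline in notification_deadlines(confirmed_at).items()
        if party not in sent_at and now > deadline
    )
```

A confirmation late on a Friday pushes the Visa deadline to the following Wednesday, while the 72-hour GDPR window expires on Monday; the overdue check makes that ordering visible instead of leaving it to whoever reads the table.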
PFI Engagement
After a confirmed or suspected breach, card brands typically require engagement of a PCI Forensic Investigator (PFI):
- PFIs are certified by PCI SSC to investigate payment card breaches
- They perform forensic analysis to determine the scope, cause, and duration of the compromise
- PFI engagement is mandatory for Level 1 and Level 2 merchants experiencing a breach
- The PFI report is submitted to card brands and acquirers
- Track PFI engagement status in Venvera's incident record
Containment Steps
When a cardholder data incident is detected, follow these containment procedures:
- Isolate — Immediately isolate affected systems from the network without powering them off (preserve forensic evidence)
- Preserve evidence — Collect system logs, network traffic captures, and memory dumps before any remediation changes the affected systems
- Block access — Disable compromised accounts, revoke access tokens, block malicious IP addresses
- Assess scope — Determine which systems, accounts, and data were affected
- Notify — Begin notification procedures (acquirer, card brands, law enforcement as appropriate)
- Engage PFI — Contact a PCI Forensic Investigator if required by card brands
- Remediate — Address the root cause (patch vulnerabilities, close unauthorised access, update configurations)
- Validate — Confirm remediation is effective and re-assess the environment's security
Forensic Investigation
The forensic investigation should determine:
- How the compromise occurred (attack vector, vulnerabilities exploited)
- Duration of the compromise (when it started and when it was detected)
- Number of accounts/cards potentially affected
- Types of data compromised (PAN, cardholder name, expiry, SAD)
- Whether data was actually exfiltrated or only accessed
- Root cause and contributing factors
- Recommended remediation actions
Lessons Learned
After each incident is resolved, conduct a lessons-learned review:
- Document what worked well and what needs improvement in the response process
- Update the incident response plan based on findings
- Address root causes to prevent recurrence
- Test the updated response plan annually (Requirement 12.10.2)
- Provide additional training to staff as needed