What to Look for in a PCI Forensic Investigator

VikingCloud is now a PCI Forensic Investigator (PFI). Learn about selecting a PFI with your interests in mind.

‍

What is a PFI?

A PCI Forensic Investigator (PFI) investigates suspected security issues and data breaches involving payment card data. Entities under investigation can range from small businesses all the way to international enterprises. Only a few companies are qualified and certified by the Payment Card Industry Security Standards Council (PCI SSC) to handle these forensic investigations.

‍

More About the PCI SSC

The PCI SSC is an organization that was founded in 2006 by American Express, Discover, JCB International, Mastercard and Visa Inc. The organization consists of an executive committee representing the card brands and a board of advisors representing payments industry stakeholders such as payment processors, acquiring banks, merchants and security vendors. The PCI SSC manages various standards for payment security including the Payment Card Industry Data Security Standard (PCI DSS). Compliance with the PCI DSS is a crucial obligation underpinning all PFI investigations.

‍

Relationship between the PCI DSS and PCI forensic investigations

The PCI DSS is an information security standard for organizations that handle payment card transactions consisting of a set of 12 security controls requirements, each with their own additional sub-requirements, that businesses must meet to protect cardholder data and be compliant. And just as any organization that stores, processes or transmits cardholder data must comply with the PCI DSS, they must also adhere to guidelines for engaging a PFI to investigate a possible security issue involving payment cardholder data.

‍

Who is qualified to be a PFI?

Only the PCI SSC can certify PCI Forensic Investigators, and only a handful of organizations have achieved this certification. VikingCloud is proud to have been certified as a PCI Forensic Investigator. Both VikingCloud and our individual investigators are certified to perform PCI Forensic Investigations, and our team is ready to help.

Most PFI engagements are within the financial industry after a data breach involving cardholder data. VikingCloud employs a well-defined and industry-leading investigative methodology to determine the who, what, where, when, and how of a security issue or data breach. This is all crucial information to determine that a breach is no longer occurring and doesn't happen again.

‍

When to Engage a PFI?

Most organizations don't engage a PFI until there is a known security incident. Most organizations don't self-identify their security issue. And unfortunately, it often takes an actual event to spur organizations into action.

Entities that end up under investigation typically find out about their issue because they are notified by their acquiring bank, which is notified by the affected payment brands that an incident involving payment card has occurred. Payment security compromises can stem from skimming and fraud involving individual cards or payment card data may be extracted through methods that allow for the exfiltration of large databases containing info from many cards, which is more common recently. Either way, card details are compromised, attackers sell the data to be duplicated and used multiple times which is how multiple transactions using the same data may be identified as fraudulent.

You should pay attention to payment security breaches as learning events. Comparing the history of incidents for organizations of similar size and industries can help you understand the likelihood and potential impact to your organization. Further, attacks commonly involving large amounts of data means you should avoid wishful thinking and plan for incident response, build a budget and engage a PFI before getting the uncomfortable call from your acquiring bank.

‍

Selecting the correct PFI

There are several factors that companies should consider when selecting a PFI company. First and foremost, the PFI company must be qualified and certified with the PCI SSC. This is a very easy check on the PCI SSC's website here. From there you will also want to verify that the company is qualified to operate in the same region as the incident.

Once you have verified the company's qualifications and certifications, you will want to make sure they have experience with incident response activities. VikingCloud has a long and successful track record in the payment card industry, experience with all types of forensic investigations and has helped many organizations harden their systems and incident response procedures against potential attacks. This allows us to not only rely on our training but also our experience to assist you with your security issue or data compromise.

Another important factor to consider is that the PFI company cannot be your existing QSA or Approved Scanning Vendor (ASV) as they could be investigating their own work. This policy is put in place by the PCI SSC and payment card brands to ensure independence. PFI's are required to uphold these strict independence requirements because an impartial and unbiased view is crucial during an investigation.

Last and certainly not least, you must select a PFI company that will help you avoid the common pitfalls within a PFI investigation.

‍

Avoiding Common PFI Pitfalls

The pitfalls of a PFI investigation can start even before a data breach occurs or PFI investigation begins. Here at VikingCloud, we assist you with putting the necessary policies and procedures in place so that you can be prepared if a data breach occurs. We provide everything from planning and best practices to tabletop exercises that will assist you and your company to be able to handle the early stages of a data breach and successfully complete a PFI investigation.

If the unthinkable happens and a PFI investigation is needed, VikingCloud's assistance and focus on avoiding the pitfalls shifts to the PFI investigation. There are two common pitfalls that can hinder a PFI investigation and possibly lead to a strained relationship with the affected payment card brands and your acquirer.

• Inaccurate Information and Evidence
• Insufficient Communication

‍

Providing Accurate Information

The first one we see is when the information reported to the payment card brands and acquirers doesn't match with the evidence collected or doesn't include the appropriate level of detail. This misstep could be from inaccurately determining the scope of the investigation and the relevant sources of evidence or more simple reporting mistakes like inaccuracy in reported numbers and dates.

‍

Delivering Timely Communication

The second pitfall we come across is insufficient participation in discussions with affected participating payment brands and acquirers. The entity under investigation could be doing everything correctly containing the incident, and figuring out the who, what, where, when, and how but if that information is not effectively conveyed to the payment card brands and acquirers in a timely manner it can lead to a strained relationship.

Here at VikingCloud we pride ourselves in that our PFI methodology not only addresses the core requirements, but we go above and beyond to provide assurance we can help you avoid these pitfalls and that not only our relationship with the payment card brands is outstanding but so is yours.

‍

Contact the VikingCloud team for more information about PCI Forensic Investigators or visit https://www.vikingcloud.com/security-testing/digital-forensics-and-incident-response.

‍