Incident Response and PCI Compliance

Sunday, March 25, 2012

Chris Kimmel


We here at SecureState receive a lot of calls from companies seeking a penetration test. The majority of the time this is due to PCI requirements. 

Let’s face it though—there are a lot of companies that offer them.  While not all of them are actual penetration tests (see here), there are a lot of options to choose from. 

So what do you base your decision on?  One question you should be asking your penetration testing company is, “Do you also test my incident response?”  Incident response is an important piece of PCI compliance. 

As stated by section 12.9 of the PCI DSS v2, a company must implement an Incident Response Plan (IRP) and be prepared to immediately respond to an incident.

Incident Response: What Does it Take?

An IRP should be implemented in the event of a system breach, and ensure the following are defined and verified:

  • Roles, responsibilities, and communication and contact strategies in the event of a compromise, including notification of the payment brands
  • Specific incident response procedure
  • Business recovery and continuity procedures
  • Data backup processes
  • Analysis of legal requirements for reporting compromises
  • Coverage and response of all critical system component
  • Reference or inclusion of incident response procedures from the payment brands.

We have found that responding to incidents without a defined IRP increases costs and overall time for remediation.  Because of this, we have created the following chart to detail the difference between having a defined IRP and not having one (click image to enlarge):


I Don’t Have Anything… Now What?

At this point you may be thinking to yourself, “I don’t currently have any of this in place.”  An incident response group can assist your organization in mitigating risks from computer security incidents by providing guidelines on how to respond to incidents effectively and efficiently.

Alright, I Have A Plan… Now What?

The rest of you at this point may be thinking, “I have a plan in place and it includes all of this.”  Many times companies will just leave it at that, believing they are compliant with PCI DSS v2 standards.  The truth is, however, that this IRP needs to be tested annually. 

Below are the actual PCI DSS requirements regarding Incident Response:

12.9.2 - Test the plan at least annually

12.9.3 - Designate specific personnel to be available on a 24/7 basis to respond to alerts

12.9.4 - Provide appropriate training to staff with security breach response responsibilities

12.9.5 - Include alerts from intrusion-detection, intrusion-prevention, and file-integrity monitoring systems

12.9.6 - Develop a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments.

In addition to following these guidelines, they must also be verified. Test your company’s IRP during the actual penetration test. This way you can receive hands on training with regards to responding to an incident, and an advisor should be there to review the actions you take.  

After the completion of the test, the advisor should be available to provide training and discuss the lessons learned.  Next time you go through the process of trying to determine which company to use to verify your compliance, ask the right questions to ensure that all required PCI DSS guidelines are being met.

Cross-posted from Secure State

Possibly Related Articles:
Information Security
PCI DSS Compliance Security Strategies Incident Response Penetration Testing Network Security Assessments Policies and Procedures
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.