The document discusses preparing for a PCI forensic investigation following a payment card data breach. It provides lessons learned from over 100 card compromise investigations, including what merchants can expect from the process, who the key stakeholders are, and common trends seen in breaches. Merchants are advised to have an incident response plan in place, know their responsibilities, work with qualified forensic experts and lawyers, and notify all necessary parties immediately in case of a breach.

5. Breaches effect all merchant levels

6. Level 4 Merchants

7. Multi-Site Franchises

8. Big Corporations

9. Incident Response Plans should basically the same for all merchant levels

11. How did we get here?

14. Let’s talk a little about breaches

18. In this case, the similarity is a single business where all of the stolen credit cards had been used before the cards had been involved in fraudulent activity. This could potentially be the sign of an employee skimming card numbers, or a breach in a database. There are always going to be coincidences involving data on a large scale, but because of the scale, it’s very difficult to end up with false positive fraud once a margin of error is established.

20. “Hello, you’ve been breached” Now what? Now what? Now what? Now what?

24. From Breach to Fraud - Typical Timeline

26. Post notification, know what your expected to do, what you need to do, and the difference

32. Know the key stakeholders

33. ..and know them intimately Merchant POS Software/hardware Merchant Bank Card Association Payment Gateway Acquiring Bank Processor

39. Breach Fines (the ugly truth) (the ugly truth)

41. Monthly Prohibited Data Storage Violation Fines Months Months 1-3 Months 4-6 Months 7 and up Merchant Level 1 $10,000 $50,000 $100,000 Merchant Level 2 $5,000 $25,000 $50,000 $5,000 $25,000 $50,000 $5,000 $25,000 $50,000 $5,000 $25,000 $50,000 $5,000 $25,000 $50,000 $5,000 $25,000 $50,000 $5,000 $25,000 $50,000 Fines for Merchant Data Compromise Up to $600,000 for non-compliance with PCI DSS requirements.Issuer Recovery Cost of Fraud. Charges that occurred on all exposed cards from the compromised location.The cost of the forensic investigation.The cost to replace exposed credit cards. Up to $600,000 for non-compliance with PCI DSS requirements.Issuer Recovery Cost of Fraud. Charges that occurred on all exposed cards from the compromised location.The cost of the forensic investigation.The cost to replace exposed credit cards.

44. Other issues to deal with

45. Make sure you know a qualified lawyer and call them immediately A good lawyer can make all the difference in the penalty phase

49. Where does the responsibility lay?

52. In an interesting development, a handful of issuing banks impacted by the Heartland breach have filed a class action lawsuit against two acquiring banks related to Heartland Payment Systems. According to this article , the issuing banks are unhappy with Heartland's proposed settlement with Visa. This appears and to be an attempted end-run around the proposed $60 million settlement with Visa. It also may demonstrate that issuing banks are not satisfied with the dispute resolution mechanisms under the Visa Operating Regulations (the Account Data Compromise Recovery process estimated the loss at $140 million, yet the settlement was for only $60 million), and their ability to be made whole under those mechanisms. From 01/21/2010 www.infolawgroup.com

54. TrustWave Hospitality: 38%*Financial services: 19%Retail: 14%Food and beverage:13% Verizon CyberTrust Retail: 31% Financial services: 30% Food and beverage:14% Hospitality:6% Other: 17% Symantec Education: 27% Government: 20% Health care:15% Financial :14% .............

56. Definite trends can be seen when viewed outside the confines of each of the forensics company