An incident, for purposes of this plan, is defined as a suspected or confirmed compromise of cardholder data. At a minimum, cardholder data consists of the full card number. Cardholder data may also appear in the form of the full card number plus any of the following: cardholder name, expiration date and/or sensitive authentication data. A cardholder data compromise is any situation where intrusion into a computer system occurs and unauthorized disclosure, theft, modification, or destruction of cardholder data is suspected or the suspected or confirmed loss or theft of any material or records that contain cardholder data.
Departments that suspect or have confirmed an account data compromise must take prompt action to prevent additional exposure of payment card data. The following steps must be taken:
- Immediately notify the appropriate University contacts. (See information referring to Contacts below).
- Immediately contain and limit the exposure and preserve evidence. (See information referring to evidence below)
- Document any steps taken until contacted by the Coordinator. Include the date, time, person/persons involved and action taken for each step.
- Assist the Coordinator, UCSB’s Information Security team, and any other personnel as they investigate the incident.
- The Coordinator has additional reporting responsibilities, including notifying our compliance vendor (the UC’s QSA, Coalfire Systems), and the following:
- For incidents involving Visa, MasterCard or Discover network cards, contact BAMS Merchant Incident Response Team at (800) 228-5882 within 72 hours of the reported incident.
- For incidents involving American Express cards, contact American Express Enterprise Incident Response Program (EIRP) within 24 hours after the reported incident at (888) 732-3750 or email EIRP@aexp.com.
- Additional resources:
- PCI Security Standards Council - Responding to a Data Breach
- MasterCard – Security Rules and Procedures - Merchant Edition
- Visa – Responding to a Breach: Follow the steps set forth in the resource What To Do If Compromised Guide
- American Express – Responding to a Breach: Follow the steps set forth in section two of AMEX Data Security Operating Policy – U.S.
If you suspect a compromise of credit card data, notify the following contacts immediately:
Sam Horowitz, Chief Information Security Officer
email@example.com | (805) 893-5005
Kimberly Ray, Associate Director of Controls
firstname.lastname@example.org | (805) 893-7667
Matt Coy, Campus Credit Card Coordinator
email@example.com | (805) 893-3959
In addition, see UCSB’s Information Security website information at https://www.it.ucsb.edu/security for guidance.
The following guidelines are courtesy of Visa’s “What To Do If Compromised” publication (https://usa.visa.com/dam/VCOM/download/merchants/cisp-what-to-do-if-compromised.pdf).
To identify the root cause and facilitate investigations, it is important to ensure the integrity of the system components and environment by preserving all evidence.
- Do not access or alter compromised system(s) (e.g., do not log on to the compromised system(s) and change passwords; do not log in with administrative credentials). Visa strongly recommends that the compromised system(s) be taken offline immediately and not be used to process payments or interface with payment processing systems.
- Do not turn off, restart, or reboot the compromised system(s). Instead, isolate the compromised systems(s) from the rest of the network by unplugging the network cable(s) or through other means.
- Identify and document all suspected compromised components (e.g. PCs, servers, terminals, logs, security events, databases, PED overlays etc.).
- Document containment and remediation actions taken, including dates/times (preferably in UTC), individuals involved, and detailed actions performed.
- Preserve all evidence and logs (e.g. original evidence such as forensic image of systems and malware, security events, web logs, database logs, firewall logs, etc.).
UCSB’s Information Security will follow their protocols for data security breaches, which is governed by the University of California’s “UC Privacy and Data Security Incident Response Plan Standard” (https://security.ucop.edu/policies/incident-response.html).
Department Operations After a Report of Compromise
The Department may continue business operations, excluding credit card acceptance, until notified by the Coordinator that they may resume credit card processing activities.
- In the event the breach occurs at a department with multiple credit card processing methods (ecommerce, registers, etc.), the credit card processing activity for each method must be suspended until the notification is received from the Coordinator that a method may be resumed.
- If the breach is not isolated to a single department's processing environment, all credit card processing activity across campus is subject to suspension until Coordinator notifies each department that it is acceptable to resume operations.