Incident Response: Suspected Cardholder Data Compromise

An incident may include suspected fraud, compromised card data, tampering with card reading equipment, etc.  If you are unsure if your circumstances qualify as an 'incident' under this definition, please contact Dan Christensen (dan.christensen@usu.edu) for further guidance.

Departments that suspect or have confirmed an account data compromise must take prompt action to prevent additional exposure of payment card data. The following steps must be taken:

• Immediately notify Dan Christensen at dan.christensen@usu.edu or (435) 797-1055.
• Immediately contain and limit the exposure and preserve evidence. (see information referring to evidence below)
• Document any steps taken until contacted by the PCI Compliance Officer. Include the date, time, person(s) involved and action taken for each step.
• Assist the PCI Compliance Officer, USU IT Security and System Engineers team, Chief Compliance Officer, Office of General Counsel, and any other personnel as they investigate the incident.

Notification Procedures

If you suspect a compromise of credit card data, notify Dan Christensen.  He will help you work with the following contacts as needed:

Preserve Evidence

The following guidelines are courtesy of Visa's "What To Do If Compromised" publication.

To identify the root cause and facilitate investigations, it is important to ensure the integrity of the system components and environment by preserving all evidence.

• Do not access of alter compromised system(s) (e.g., do not log on to the compromised system(s) and change passwords; do not log in with administrative credentials). Visa strongly recommends that the compromised system(s) be taken offline immediately and not be used to process payments or interface with payment processing systems.
• Do not turn off, restart, or reboot the compromised system(s). Instead, isolate the compromised system(s) from the rest of the network by unplugging the network cable(s) or through other means.
• Identify and document all suspected compromised components (e.g., PCs, servers, terminals, logs, security events, databases, PED overlays, etc.)
• Document containment and remediation actions taken, including dates/times (preferably in UTC), individuals involved, and detailed actions performed.
• Preserve al evidence and logs (e.g., original evidence such a s forensic image of systems and malware, security events, web logs, database logs, firewall logs, etc.)

Information Security

USU's Information Security and System Engineers will follow their protocols for data security breaches, which is governed by University’s Information Security Policy #558.

Department Operations After a Report of Compromise

The Department may continue business operations, excluding credit card acceptance, until notified by the PCI Compliance Officer that they may resume credit card processing activities.

• In the event the breach occurs at a department with multiple credit card processing methods (ecommerce, registers, etc.), the credit card processing activity for each method must be suspended until the notification is received from the PCI Compliance Officer that a method may be resumed.
• If the breach is not isolated to a single department's processing environment, all credit card processing activity across campus is subject to suspension until PCI Compliance Officer notifies each department that it is acceptable to resume operations.