By Natasja Bolton, Senior Acquirer Support QSA
In order to help your merchant businesses with the definition and documentation of their Incident Response Plan, Sysnet has created a template document – Download the Security Incident Response Plan Template.
All merchants self-assessing their Payment Card Industry Data Security Standard (PCI DSS) compliance now need to have an incident response plan – a plan to be implemented in the event of a security incident or data breach.
For the majority of these merchants, the PCI DSS incident response plan requirement is simply to ‘create one’ (PCI DSS Requirement 12.10.1.a). In working to meet this requirement, however, many merchants may not fully think through what creating an incident response plan really means for their business.
They may therefore not be fully prepared for the incidents and events that could occur and that could have a detrimental impact on their business.
Having an incident response plan means that the business has thought about and planned ahead for all types of incidents and security events, including those that could affect its ability to operate, serve its customers and deliver services.
An incident response plan helps businesses to respond to incidents in a timely and effective manner, to maintain business continuity and thereby minimise the impact on their customers and their business.
Sysnet believe that merchants should use the PCI DSS obligation to have an incident response plan in place as their starting point to properly consider their business preparedness and resilience in the face of data breach or disaster. All merchants, regardless of the SAQ they are required to complete, should be referring to all of the PCI DSS controls in Requirement 12.10.
Following this guidance will help them develop a comprehensive plan for incident response and business continuity. The PCI DSS requirements ask businesses to define roles, responsibilities and contacts, to plan for all potential incident types that could affect their business critical systems, and to consider legal requirements for reporting compromises.
Indeed, recent EU legislation makes consideration of legal requirements for breach notification more than just a North American or South African concern. The EU’s General Data Protection Regulation (GDPR) was adopted in May this year and requires organisations handling the personal data of EU citizens to meet tougher data security rules and to comply with new data breach notification requirements.
While the GDPR is not yet effective (coming into force in May 2018) it will apply equally across all EU member countries and will require compliance from any organisation worldwide that handles Europeans’ personal data (including records of customer details and payment details).
Laws requiring notification of data breaches to the affected individuals aren’t new. They began in California in 2003 but since then the majority of US states have adopted notification laws of varying strengths and a Federal law is under consideration.
South Africa’s 2013 ‘Protection of Personal Information Act’ includes a requirement for notification of the affected data subject in the event of a breach. In Canada, the recent ‘Digital Privacy Act’ adopted a number of privacy law changes including breach reporting and notification, although feasibility studies are still underway to determine how data breach notification should work.
Many other countries are considering mandatory data breach notification as part of their reviews of data privacy laws. For the latest information, Sysnet recommends reviewing the country-by-country guidance on global law firm DLA Piper’s Data Protection Laws of the World or ICLG’s Data Protection Comparison site.
What this goes to show is that legal requirements are continually evolving. Therefore, not only do businesses need to create an incident response plan, they also need to regularly review that plan (per PCI DSS Requirement 12.10.2) in order to make sure it is up to date.
Businesses can walk through and update Sysnet's Security Incident Response Plan Template to suit their organisation.
In going through each section, the business needs to consider who in their business fulfils incident response roles and responsibilities, who their key contacts are for reporting and responding to incidents, and the steps they will need to take in response to an incident. All of these are critical factors in making sure that the business is prepared for incidents that could impact their business activities and expose the personal data they hold.