If you are like me I had recently become numb to the barrage of information on PCI compliance from various trade publications, seminars, conferences, credit card processing companies and other sources that were continually pushing the importance of becoming PCI compliant. From application providers insisting on upgrades to their systems to network service providers looking to tighten the security on firewalls and segmenting the networks everyone was pushing their services in the name of PCI compliance. As a result most people have become blasé to the ramifications of not being compliant.  Then it happens—the dreaded call from the bank.  “We believe that your systems have been breached and we have multiple sources indicating that the credit cards being transacted at your property are being compromised.” The response is usually how could this have happened? You think you run a secure and tight ship and the systems are PCI compliant and up to date.

When this information is first presented it hits you like a ton of bricks. What do we do now? Interestingly enough one of your first meetings will be with a security representative from either the acquiring bank or American Express. They will usually outline the key issues facing your property and get you on the right track. You will learn that the breach could have occurred as a result of either an electronic network compromise or through a manual breach in an internal operational policy or procedure. As a result, you will need to tackle the issue from two fronts. One targeting the network and electronic credit card data and the second was targeting operational policies and procedures. They will also provide you with some data of the cards that they believe were compromised at the property. From this the first thing that you do is try to identify where the cards were used and which merchant ID numbers were affected. They will also advise you to obtain the following assistance right away.

1)  Hire a certified Forensic Assessment Firm
Once you are known to have been compromised, most card brands and acquiring banks will insist that you immediately contact an officially authorized forensic assessment company that has been officially certified by the card brands, Visa (QIRA), MasterCard (QFI), to have them assist with the identification of where your network has possibly been breached. The number one focus here is to stop the bleeding.  You will soon find out that while these firms can be very effective,  their services come at a price. Working with a good forensics resource will help to identify the potential breach sooner rather than later. As such, you will need to interview a few firms and make a selection in a fairly short space in time in order that they may begin their scans and assessments.  (The one thing that you learn is that until you identify the source of the problem [and perform the necessary remediation work]; your guest’s credit cards will continue to be compromised on a daily and real-time basis.) When interviewing the forensic firm, try to ensure that you hire someone with hospitality experience and more importantly one who has experience with remediation work. One thing that you will find out is that while forensic firms will assist with the identification of a potential breach, they usually do not facilitate the remediation due to a conflict of interest. As such, you cannot rely on the forensic firm to resolve/remediate your problems. Also hiring a forensic firm does not necessarily mean that they will be able to locate and identify how the network was breached. The forensic firms will compile a complete report for the card brands and acquiring bank to provide them with a detailed analysis of the network and potential remediation work that will be necessary to bring the property’s network into compliance.

2)  Hire a certified Qualified Security Assessor (QSA)
Along with a forensic assessment firm, the QSA will assist with performing an in-depth assessment of the overall PCI compliance of the property. They will look at not only the network aspect of things, but will analyze and follow through with the properties overall operational policies and procedures to ensure that all aspects of credit card and data security are being adhered to. In addition, they will provide a GAP analysis of where the property currently stands with regards to its overall PCI compliance and in many cases offer advice for potential remediation of areas of concern.  In many cases, the acquiring bank and card brands will also insist that these assessments be made, especially if the property’s merchant level changes as a result of the breach from say a level 4 to a Level 1.

In speaking with Jeff Tutton, president of Intersec Worldwide (an authorized  PCI – QSA firm), he said, “It is important that you identify and select a QSA and forensic auditor that has real-world remediation experience and is not simply a check-box auditor.”  The remediation aspect of a breach is probably the most important aspect of addressing the fallout from a network breach and working with knowledgeable and technically experienced assessors can make a huge difference to stop the bleeding and more compromise of data. To use an oil spill analogy, a compromise of your credit card data through a breach of your network can be likened to the recent oil spill in the Gulf, until the source of the leak is located  and plugged, your guest and customer credit card information will continue to be compromised at a potentially enormous rate and the overall health of your business will continue to be at risk.