Retail Technology
Centralised resource aims to simplify selection process for organisations requiring forensic investigation services


The industry standards body that manages the Payment Card Industry Data Security Standard (PCI DSS), the PIN Transaction Security (PTS) requirements and the Payment Application Data Security Standard (PA-DSS) has announced the availability of the PCI Forensic Investigator (PFI) programme, which aligns industry requirements for identifying and approving forensic investigators so that compromised entities receive consistent, high-quality services.


With a consolidated list of approved PCI Forensic Investigators (PFI), organisations requiring forensic investigative services can now consult a single resource managed by The PCI Security Standards Council (PCI SSC) and recognised by each payment card brand.


In the event that cardholder data is compromised, the merchant, service provider, financial institution or other entity responsible for the data may be required by payment card brands to engage a forensic investigator to determine how and where the payment card data was obtained by unauthorised third parties.


Consolidation to ease merchant burden


Before the introduction of the PFI programme last Friday, requirements regarding eligibility, selection and performance of forensic investigators had been determined and maintained separately by each payment card brand. The PCI Council said this made the PFI selection process complex for affected parties, especially where multiple acquirers, issuers and/or payment card brands were involved.


Now, under the PFI programme, affected organisations can work with one approved forensic investigator to produce a single report that will be accepted by all payment card brands.


The PCI PFI programme replaces the existing requirements and lists managed individually by the payment card brands, which will be retired on 28 February 2011. From that date, the affected payment card brands will require compromised entities to engage only investigators approved by the Council as PCI Forensic Investigators. Each payment card brand will continue to develop, manage and enforce its own programme governing when and how forensic investigations may be required.


“With the PCI PFI programme, we’re making it easier for those requiring forensic investigative services to meet industry requirements and address security vulnerabilities within their organisations as quickly as possible,” said Bob Russo, general manager, PCI Security Standards Council.


Standardising best forensic practices


The PCI SSC has also created a quality assurance process as part of the PFI programme to actively evaluate the level of service that PCI Forensic Investigators provide to the community. This process allows for feedback both from the payment card brands and from the entities that use PFI services.


“What’s significant is that PCI forensic investigators are no longer approved by individual payment card brands, but by the PCI Security Standards Council,” commented Jonathan Lampe, CISSP, Ipswitch vice president for product management and representative on the PCI Community Council.


“The cost of post-breach forensic investigation is significant and borne by merchants and processors. Auditability is key, regardless of who certifies the investigators,” Lampe added. “In addition to using PCI-compatible technologies, processors need to make sure that they limit the costs of investigating any incident by making sure their technologies both generate and preserve the metadata needed for forensic investigators to do their job.”