PCI Incident Reporting

Incident Reporting

All departments engaging in payment card processing are responsible for immediately reporting a suspected incident involving any machine used in card processing.

Campus-wide Security Incident Reporting information can be found at http://it.cofc.edu/security/security-incident-reporting/index.php

IF THERE IS A SUSPECTED OR ACTUAL BREACH, IMMEDIATELY FOLLOW THESE STEPS:

  1. Cease use of any suspect machine.
  2. Do not turn off the machine.
  3. Immediately report an incident, using the Credit Card Security Breach Report.

The Treasurer’s Office and/or Information Security and/or Public Safety will begin an investigation into the incident. Do not resume processing until approved by the Treasurer’s Office.

False reports will be subject to disciplinary action.

Notification Procedures in Case of Breach of Privacy

College of Charleston takes several measures to ensure the privacy of personally identifying information it collects and maintains about faculty, staff, and students.

The College of Charleston Information Technology department hosts servers that may have sensitive data in a controlled access area. Servers are secured with firewalls, virtual private networks, data access monitoring software, and passwords, as well as other methods.

Access to personally identifiable information is limited to those employees with a legitimate, job-related need to know. Employees have access only to those data elements which they actually need for designated purposes, and access is controlled through an electronic desk system and other security access systems. There is regular review of those data elements to which individual employees are allowed access.

If security is breached and personally identifying information is compromised, the College will immediately notify law enforcement officials including, as appropriate, CofC Public Safety, the FBI, the U.S. Secret Service, the U.S. Postal Inspection Service and/or other law enforcement agencies.

The College will contact everyone whose identity may have been put at risk, regardless of whether personal data appears to have been accessed or extracted. It will also notify the campus community about the security breach through electronic and other means. The notification will include the following information:

  • Exactly when and how did the breach occur, and when was the breach detected?
  • How many individuals are affected?
  • What personal information was put at risk?
  • Does the College know whether any information was stolen?
  • What procedures did the College follow with regard to the security breach?
  • How should individuals respond if they discover fraudulent use of their personal information?
  • What steps is the College taking to prevent illegal access of confidential information in the future?
  • What has the College done to notify those affected?
  • Who can respond to additional questions concerning this security breach?

The custodian of the data is responsible for notifying those affected by an electronic security breach. In the case of a non-electronic security breach, the office or department where the breach occurred will be responsible for notification.

Incident Response Team

The Incident Response Team is established to provide a quick, effective and orderly response to computer related incidents such as virus infections, hacker attempts and break-ins, improper disclosure of confidential information to others, system service interruptions, breach of personal information, and other events with serious information security implications. The Incident Response Team’s mission is to prevent a serious loss of profits, public confidence or information assets by providing an immediate, effective and skillful response to any unexpected event involving computer information systems, networks or databases. The Incident Response Team is authorized to take appropriate steps deemed necessary to contain, mitigate or resolve a computer security incident. The Team is responsible for investigating suspected intrusion attempts or other security incidents in a timely, cost-effective manner and reporting findings to management and the appropriate authorities as necessary. The Incident Response Team will subscribe to various security industry alert services to keep abreast of relevant threats, vulnerabilities or alerts from actual incidents.

Incident Response Team Members

Each of the following members will have a primary role in incident response.

Treasurer

Chief Information Security Officer

Senior Information Security Analyst

Network Manager/Senior Architect

Each of the following members may provide supporting roles during incident response.

Vice President Finance and Administration

Information Technology Service HelpDesk

CIO

Internal Audit

Incident Response Team Roles and Responsibilities:

Treasurer:

  • Notifies members of the team that the breach occurred
  • Contacts the merchant on campus to verify that they have followed all instructions
  • Escalates to executive management as appropriate
  • Contacts auxiliary departments as appropriate
  • Monitors progress of the investigation
  • Ensures evidence gathering, chain of custody, and preservation is appropriate

Chief Information Security Officer

  • Determines the nature and scope of the incident
  • Contacts qualified information security specialists for advice as needed
  • Determines which Incident Response Team members play an active role in the investigation
  • Provides proper training on incident handling
  • Monitors progress of the investigation
  • Prepares a written summary of the incident and corrective action taken
  • Ensures evidence gathering, chain of custody, and preservation is appropriate

Network Manager/Senior Architect

  • Analyzes network traffic for signs of denial of service, distributed denial of service, or other external attacks
  • Runs tracing tools such as sniffers, Transmission Control Protocol (TCP) port monitors, and event loggers
  • Looks for signs of a firewall breach
  • Contacts external Internet service provider for assistance in handling the incident, if necessary
  • Takes action necessary to block traffic from suspected intruder

Senior Information Security Analyst

  • Monitors business applications and services for signs of attack
  • Reviews audit logs of mission-critical servers for signs of suspicious activity
  • Contacts the Information Technology Helpdesk with any information relating to a suspected breach
  • Collects pertinent information regarding the incident at the request of the Chief Information Security Officer
  • Examines system logs of critical systems for unusual activity

Other Duties to Assign As Necessary

  • Ensures all service packs and patches are current on mission-critical computers
  • Ensures backups are in place for all critical systems

Internal Auditor

  • Periodically reviews policies and procedures for compliance with information security standards, PCI-DSS policies and Risk Assessment

Payment Card Incident Response

The Treasurer’s Office will coordinate all responses to suspected or confirmed payment card security incidents, with the assistance of IT Information Security and, if needed, the Office of Public Safety.

Payment card security incidents are defined as malicious attempts to access a payment system, successful attacks to compromise personally identifiable information (PII), or any unauthorized access to a payment system, including internal access outside of an employee’s job duties (even if accidental). Upon notification of a payment card security incident, the Treasurer’s Office and IT Information Security will begin an immediate investigation into the reason for and scope of the incident. All processing for that payment acceptance channel may be suspended until after the investigation is completed, and it is deemed safe to resume processing transactions.

The purpose of this policy is to establish procedures to evaluate, contain and report any attempt to compromise any approved College processing method. All incidents will be reported using the Credit Card Security Breach Report. False reporting of an incident is considered unlawful and appropriate disciplinary action will be taken.

Definitions

All terms mentioned in this policy are defined in College of Charleston PCI-DSS Policy and Procedures.

All campus users of payment card information are required to know and fully understand all terms associated with this set of policies and procedures related to payment card processing, security and incident reporting.

Department/Merchant Responsibility

In the event of a payment card data security breach, the affected department/merchant is required to immediately notify the Treasurer’s Office using the Credit Card Security Breach Report and emailing the form to treasurer@cofc.edu, regardless of time of day. Training for designated incident response personnel within each payment card processing department will be conducted annually by the Treasurer’s Office.

The affected department MUST discontinue processing transactions and disconnect all affected systems from the university network; DO NOT SHUT DOWN ANY EQUIPMENT. All staff MUST remain logged off of the affected systems. The department MUST NOT resume normal business operations until notified by the Treasurer’s Office. This requirement is enforced for ALL College of Charleston departments/merchants, regardless of the payment system used.

If the breach is contained to one department/merchant, the Treasurer’s Office will assist that department with any required Payment Card Industry Data Security Standard (PCI DSS) post-incident reporting. If the department is found to be responsible for any compromise, the department can be penalized up to the immediate revoking of their processing privileges. Any financial loss incurred by the College resulting from inadequate controls or lack of adherence to PCI DSS, other industry security requirements and the College’s PCI policies may be charged to the department at the time of the breach.

Departments MUST have their own disaster recovery, business continuity, and risk assessment policies and procedures in place. Those policies must be approved by the Treasurer’s Office and IT Information Security prior to implementation. The Treasurer’s Office can assist departments in drafting and revising procedures as industry or processing environment changes occur. Departmental staff should immediately notify the Treasurer’s Office of a suspected compromise, and the Treasurer’s Office and IT Information Security will coordinate any and all investigations into an incident that results in a data breach to that system. If an incident occurs, all audit logging for the external processing system is to remain functional during and after an incident.

The Treasurer’s Office Responsibility

The PCI DSS requires that College of Charleston MUST complete the following if a payment card data security breach is detected:

  • Immediately contain the exposure of the breach.
  • Immediately notify the necessary institutional parties.
  • Prepare the Incident Response Report and file with the merchant bank within three business days.
  • Prepare a list of compromised accounts and file with the merchant bank within ten business days.

The Treasurer’s Office will assess the situation and will immediately begin notifying necessary parties of the incident as appropriate. PCI DSS requires that the affected system be made unavailable until a forensic investigation is completed. The College will make the determination whether the circumstances surrounding the incident require notification of law enforcement.

  • The Treasurer will notify the Vice President of Fiscal Services, the CIO, and the Executive Vice President for Business Affairs.
  • The Treasurer will notify the College’s acquiring banks.

Annual testing of the College incident response plan is required to ensure all parties understand responsibilities for their area. The Treasurer’s Office will guide departments through the testing procedures. Departments with an active system usage waiver will also have their system tested as part of the College’s annual incident response plan testing.