The Credit Card Security Incident Response Procedures supplement the eCommerce Policy. Documentation of an incident response plan is a requirement of the Payment Card Industry (PCI) Data Security Standards (DSS).
An incident is defined as a suspected or confirmed data compromise. A data compromise is any situation where there has been unauthorized access to a system or network where prohibited, confidential or restricted data is collected, processed, stored or transmitted; Payment Card data is prohibited data. A data compromise can also involve the suspected or confirmed loss or theft of any material or records that contain cardholder data.
- In the event of a breach in card data security, the merchant must take the following steps:
- Immediately contain and limit the exposure of cardholder data and alert the Business Affairs Asst. VP/Controller or Bursar, and the CISO. A response team will be assembled and conduct a thorough investigation of the suspected loss or theft of account information.
- Do not access or alter compromised systems (e.g., do not log on or change passwords; do not log in as ROOT).
- Do not turn off the compromised machine. Instead, isolate compromised systems from the network (e.g., unplug the network cable).
- Preserve logs and electronic evidence.
- Log all actions taken.
- If using a wireless network, change SSID on machines that may be using this connection (with the exception of any systems believed to be compromised).
- Be on high alert and monitor all systems with cardholder data.
- Provide Business Affairs and the CISO with a detailed report containing account information at risk and the source and timeframe of the compromise.
- Complete an Incident Report as soon as possible within three business days and provide to the Asst. VP/Controller of Business Affairs and the CISO. Oregon State Treasury (OST) will be notified as will the payment processor (Elavon). OST, US Bank, Elavon, and/or Visa, MasterCard, Discover will determine and notify Business Affairs if an independent forensic investigation, compliance questionnaire, and vulnerability scan are required.
- Business Affairs’ protocol for response is:
- If an incident occurs during normal business hours (8:00AM to 5:00PM), notify the Office of the State Treasurer (OST) by using the number listed below. OST will then notify US Bank, and coordinate all communication. If the incident occurs outside of normal business hours, contact US Bank directly by using the phone number listed below.
- Internal Information Security group and Incident Response Team: Chief Information Security Officer, Asst. VP/Controller of Business Affairs, Director of Enterprise Computing Services, VP Finance and Administration, and Office of the General Counsel.
- Office of the State Treasurer (OST) at 1-503-378-4000. Notify the receptionist that an OSU Merchant has experienced a merchant card breach and ask to speak with the Merchant Bank Liaison on the Banking Team or a member of the Relationship Management Services Team.
- US Bank at 1-800-725-1243. Identify that you are a “National Account” with the State of Oregon, and provide them with the Merchant ID (MID) number. Notify the US Bank Customer Service Representative that you have experienced a merchant card breach and ask that the incident be reported to the Risk Department.