Bad actors have a playbook chock-full of diverse strategies, so why limit your incident response testing to a single-endpoint failure? When it comes to meeting PCI DSS v4.0 compliance, we recommend practicing various failure scenarios to become proficient in handling incidents when things go wrong. This approach involves testing and preparing for multiple points of failure.
- PCI DSS v4.0 Requirement 12.10.2 expects the testing of the Incident Response Plan (IRP) once annually.
- PCI DSS v4.0 Requirement 12.6.3 ensures all personnel receive security awareness training upon hire and once annually.
But what happens during the rest of the year? Herein lies the difference between working to meet PCI compliance at a point in time and consistently upholding a robust security posture, reflective of ongoing awareness and behavior throughout the entire year.
Similar to how we instruct children to dial 911 in case of an emergency, we want our merchants, their staff, and other related personnel to be familiar with identifying incidents and activating the organization’s incident response plan.
Often we see organizations with a single incident response protocol that accommodates various types of incidents, ensuring clarity and consistency for employees when reporting issues and raising alarms.
But what does practicing multiple points of failure look like? Below, we explore a few scenarios we have observed or been involved in, offering tangible learning experiences that enhance overall awareness.
- Seize the opportunity for a new staff member, potentially unknown to the merchant department, to pose as an on-site technician for terminal/device repair or updates. How far can they get without arousing suspicion or someone suspecting them of social engineering? Will the front desk staff understand the procedure to contact and verify the individual with your PCI team before granting access to the device?
- Buy lunch and ask the staff when they last inspected the device for tampering or substitution. If they appear confused, prompt them to consider their response if they were to discover a skimming device on the payment terminal at the beginning of their shift.
- Call the IT help desk under the guise of a cardholder, claiming that your card information was stolen after your last purchase on campus. Observe the questions they ask you, and whether they pick up on any keywords that would trigger them to internally activate the IRP for the organization.
- During a departmental meeting about another topic, inquire about the start date of their latest employee and ensure they have undergone PCI training. It doesn’t always need to be a fire drill conversation. Instead of treating PCI DSS compliance as a standalone topic, try to integrate it into discussions on business operations just as they would talk about cash handling controls or account reconciliation.
- Leaving for a vacation? Before you leave, check in with the Incident Response Team to ensure they’re aware of who will be covering your role and responsibilities. It’s imperative that the team knows who will be absent, who will be providing coverage, and the specifics of that role.
We believe that by making many of these tasks a regular part of our routine, their responsibilities will become more familiar and commonplace.
It’s disheartening to think that sometimes the opposite may also be true – surprising individuals with how quickly an event can unfold like their device being swapped out while they’re distracted by another customer can also open their eyes to the reasons behind some of the routine tasks.
Engaging in these smaller-scale red teaming exercises allows you to identify weaknesses in both your incident response plan and your security awareness training. Wouldn’t you prefer to uncover these weaknesses internally through testing rather than discovering them post-breach, potentially resulting in your organization’s name appearing in the news?
CampusGuard is your trusted PCI partner in providing tabletop exercises to test your incident response plan. Your organization can count on CampusGuard for comprehensive, role-based PCI training courses based on your daily responsibilities and involvement in your payment card environment.
Contact us to provide impactful PCI solutions for your organization.
