What to do When your Business is Compromised
Learning that your computer systems may have been breached can be overwhelming. This guide is intended to help if you have been required to perform an investigation or if you have detected a breach of your own systems.

What this means

WHY THE BANK CALLED
Your bank has noticed a large amount of fraud that correlates to your business’ card processing. This pattern is called a Common Point of Purchase (CPP). Your bank has likely been contacted by one of the card brands (Visa, MasterCard, American Express, Discover or JCB).
HOW DID THIS HAPPEN?

While each Account Data Compromise (ADC) is different, statistics show that over 80% of all cases involve the Back of House Server for your card processing. This is likely a computer in your office running a version of Microsoft Windows.
WHAT NEEDS TO HAPPEN NEXT?

A Forensic Company certified by the PCI Council needs to be selected to start the investigation right away. The card brands, your bank, and you all have something in common. No one wants to see customers suffer from fraud or be concerned about where they make purchases. Conducting this investigation quickly helps preserve evidence of the attack and may:
    • Reduce fraud found by customers and their issuing banks.
    • Influence any fines demanded by your bank or the Card Brands.
    • Help officials track and identify the attacker.
1.  RIGHT NOW – REDUCE CHANGES
Until the on-site investigation begins, you should do everything you can to reduce changes to your system. While your business needs to function:
  • Don’t reboot your systems.
  • Don’t allow your tech support to dial-in remotely or make "fixes".
  • Keep a short diary of dates and times of any unusual or suspicious activities.
2.  UNDERSTAND THE RELATIONSHIP WITH YOUR BANK AND THE CARD BRANDS
The card brands only have a direct relationship with your bank, not with your business. Any communication or potential fines will usually come via your processing bank, since it is the bank that has the relationship with you.
 
3.  LIMIT CONNECTIONS WITH YOUR POS RESELLER OR INTEGRATOR
Your POS reseller or integrator likely has other customers in your area that are experiencing a breach. Because of this, your best interest may not be the same as theirs. They may want to "clean-up and patch" your system to reduce their liability. You should limit or remove their ability to connect to your systems until after your on-site investigation.
 
4.  SELECT A FORENSIC INVESTIGATOR FIRM
A PFI (PCI Forensic Investigator) is a forensic investigator approved by the PCI (Payment Card Industry) Council to perform forensic investigations. This short list of approved firms helps promote objectivity, but reduces cost. All the card brands will accept the PFI’s investigative work as their own.
 
You should select a PFI that has extensive experience and can respond quickly since time is of the essence.
 
 
What attackers are looking for…
There are many different POS systems, and many different pieces of Card Holder Data. The most "lucrative" is the information in the magnetic stripe on the back of the card. This is referred to as TRACK data and is usually the target of the attacker.
A compliant POS system should not store TRACK data, but attackers will use "malware and sniffers" to capture track data from your system. In most cases, the tools are transparent and you won’t even notice them on your system.

We understand this is new to you…
Fortunately, it is not new to us.
As a certified PFI since 2006, Arsenal’s experience of over 400 cases is a great asset. We can help you understand WHY your bank is asking things of you, and WHAT your integrator may have done wrong. We pride ourselves on being able to advise you throughout this process, using non-technical, plain-English explanations.
 
Call Arsenal's Forensic Hotline at 800-274-5208