Playbook: Breach Response
If you suspect card data has been exposed, the next 72 hours determine whether this is a manageable incident or a business-ending disaster. Act immediately.
- Hour 0-4: Contain the breach, preserve evidence, call your processor (not email)
- Hour 4-24: Engage PCI Forensic Investigator (PFI), notify acquirer formally
- Day 1-3: Card brand notification (through acquirer), legal review, breach scope assessment
- Week 1-4: Full investigation, remediation, re-certification
- Silence is not an option. Card brands require notification within 24 hours of discovery.
72-hour response guide for suspected or confirmed card data breaches.
The clock starts when you suspect a breach, not when you confirm it.
Workflow Overview
| Phase | Key Actions |
|---|---|
| Contain | Stop the bleeding, preserve evidence, contact processor |
| Notify | Engage PFI, formal notifications to acquirer and brands |
| Investigate | Scope assessment, forensic analysis, affected card identification |
| Remediate | Fix vulnerabilities, re-certify, handle fines and liabilities |
Before a breach happens, know:
- Your processor's emergency contact number
- Your acquirer's breach notification requirements
- Whether you have cyber liability insurance (and the policy number)
- Who at your company has authority to engage external vendors
When to Use This Playbook
Activate breach response when you observe:
| Signal | Urgency |
|---|---|
| Confirmed malware on payment systems | Immediate |
| Anomalous outbound data transfers from POS/e-commerce | Immediate |
| Card brand notification of fraud cluster | Immediate |
| Suspicious files in payment environment | High |
| Unusual database queries on card data | High |
| Third-party breach affecting your data | High |
| Ransomware attack on any systems | High |
When in doubt, assume breach and start the clock.
Hour 0-4: Contain
Stop the Bleeding (First 30 Minutes)
□ Isolate affected systems (don't turn off - preserve evidence)
□ Disconnect payment systems from network (if actively exfiltrating)
□ Block suspicious IPs/connections at firewall
□ Change all administrative passwords (payment systems, databases)
□ Disable compromised user accounts
- Don't wipe systems - you'll destroy forensic evidence
- Don't reboot servers - volatile memory contains evidence
- Don't "fix" the issue yourself - you may need a PFI
- Don't discuss breach on email/Slack - assume attacker has access
Preserve Evidence (Hour 1)
□ Take memory dumps of affected systems (if capable)
□ Capture full disk images before any changes
□ Export firewall and network logs (last 90 days minimum)
□ Export database query logs
□ Screenshot any suspicious activity
□ Document timeline: when discovered, by whom, initial observations
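The evidence-preservation step above, as an added shell example that is not part of the playbook: it copies an exported artifact (a log export, a captured image) into an evidence directory, proves the copy matches the original by SHA-256, makes it read-only, and records who collected what and when in a chain-of-custody manifest that doubles as the timestamped evidence record. The function names, the manifest layout and the sample firewall log lines are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the playbook): hash-verified evidence collection with a
# timestamped chain-of-custody manifest. Assumes a POSIX shell plus coreutils
# (sha256sum, date, cp, chmod); function names and manifest format are this example's own.

# preserve_evidence <source-file> <evidence-dir> <collector> <note>
# Copies one artifact into the evidence directory, proves the copy matches the
# original by hash, makes it read-only and appends the action to the manifest.
preserve_evidence() {
    src="$1"; evdir="$2"; who="$3"; note="$4"
    manifest="$evdir/CHAIN_OF_CUSTODY.txt"
    mkdir -p "$evdir"
    ts=$(date -u +%Y%m%dT%H%M%SZ)          # UTC timestamp: one clock for the whole incident log
    dst="$evdir/$(basename "$src").$ts"
    orig_hash=$(sha256sum "$src" | cut -d' ' -f1)
    cp -p "$src" "$dst"                     # -p keeps the original mtime
    copy_hash=$(sha256sum "$dst" | cut -d' ' -f1)
    if [ "$orig_hash" != "$copy_hash" ]; then
        echo "HASH MISMATCH copying $src" >&2; return 1
    fi
    chmod 0444 "$dst"                       # read-only so nobody "fixes" the evidence by accident
    printf '%s | %s | %s | sha256=%s | %s\n' "$ts" "$who" "$dst" "$copy_hash" "$note" >> "$manifest"
    echo "$dst"
}

# verify_evidence <evidence-dir>
# Re-hashes every file named in the manifest; returns 1 if any copy no longer matches.
verify_evidence() {
    manifest="$1/CHAIN_OF_CUSTODY.txt"; status=0
    while IFS='|' read -r ts who path hash note; do
        path=$(printf '%s' "$path" | sed 's/^ *//;s/ *$//')
        expected=$(printf '%s' "$hash" | sed 's/^ *sha256=//;s/ *$//')
        actual=$(sha256sum "$path" | cut -d' ' -f1)
        [ "$expected" = "$actual" ] || { echo "TAMPERED: $path" >&2; status=1; }
    done < "$manifest"
    return $status
}

# Constructed sample input: two firewall log lines standing in for a real 90-day export.
workdir=$(mktemp -d)
printf '%s\n' \
  '2024-05-01T02:13:07Z DENY  src=10.0.5.12 dst=203.0.113.9 dport=443 bytes=5242880' \
  '2024-05-01T02:14:01Z ALLOW src=10.0.5.12 dst=203.0.113.9 dport=443 bytes=7340032' \
  > "$workdir/firewall.log"
copy=$(preserve_evidence "$workdir/firewall.log" "$workdir/evidence" "jdoe" "firewall export, hour 1")
verify_evidence "$workdir/evidence" && echo "manifest verified: $copy"
```

Run `verify_evidence` again before handing the directory to the PFI; any edited copy is reported by path.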
Call Your Processor (Hour 1-2)
Call, don't email. Email is too slow and may be compromised.
What to say:
"We have a suspected data security incident affecting our payment environment. We're in containment mode and need to initiate your breach response process."
Ask:
- Who is my incident response contact?
- What's the formal notification process?
- Do you have a preferred PCI Forensic Investigator (PFI)?
- What are my immediate obligations?
Assemble Response Team (Hour 2-4)
| Role | Responsibility |
|---|---|
| Incident Commander | Single decision maker, coordinates response |
| IT/Security Lead | Technical containment and evidence preservation |
| Legal | Notification requirements, liability, communications |
| Finance | Reserve funds for PFI, fines, customer notification |
| Communications | Internal and external messaging (if required) |
| Vendor Contact | Point person for processor, PFI, insurance |
Hour 4-24: Notify
Engage a PCI Forensic Investigator (PFI)
A PFI is required for most breaches. They're certified by the PCI SSC to investigate payment card breaches.
When PFI is required:
- Card brand or acquirer requests it
- More than 10,000 cards potentially exposed
- Malware found on payment systems
- Common Point of Purchase (CPP) identified
How to find a PFI:
- Ask your processor/acquirer for their preferred list
- Check PCI SSC's list of approved PFIs
- Your cyber insurance may have a panel of approved investigators
Expect to pay: $15,000-$100,000+ depending on scope and urgency.
Formal Acquirer Notification (Hour 8-12)
Your acquirer (the bank that provides your merchant account) must be notified formally:
□ Written notification (email + certified letter)
□ Include: Date discovered, initial scope estimate, containment steps taken
□ Request: Confirmation of receipt, next steps, timeline requirements
□ Ask: Card brand notification requirements and process
Card Brand Notifications (Hour 12-24)
Card brands have strict notification requirements. Your acquirer typically handles card brand communication, but you must provide information:
| Network | Notification Window | Key Requirements |
|---|---|---|
| Visa | Within 24 hours of discovery | Account Data Compromise (ADC) process |
| Mastercard | Within 24 hours | Account Data Compromise (ADC) process |
| Amex | Within 24 hours | Direct notification (separate from Visa/MC) |
| Discover | Within 48 hours | Separate process from other networks |
Document Everything
□ Create incident log (timestamped actions and decisions)
□ Record all phone calls (date, time, who, summary)
□ Save all emails related to incident
□ Document any evidence collected
□ Track hours spent (for insurance claims)
Day 1-3: Investigate
PFI Initial Assessment
The PFI will:
□ Deploy forensic tools on affected systems
□ Analyze malware (if present)
□ Determine entry point and attack timeline
□ Identify systems with card data access
□ Estimate date range of exposure
□ Begin card number identification
Scope Assessment
You need to determine:
| Question | Impact |
|---|---|
| How many cards exposed? | Determines reissuance liability |
| What data elements? | PAN only vs. PAN + CVV vs. track data |
| Date range of exposure? | Card brand operational costs |
| How did attacker get in? | Remediation requirements |
| Is attack ongoing? | Containment priority |
Legal and Regulatory Review
□ Identify applicable breach notification laws (by state/country)
□ Determine customer notification timeline requirements
□ Review contracts with partners/vendors for notification requirements
□ Assess regulatory reporting obligations (if any)
□ Review cyber insurance policy coverage and notification requirements
Internal Communication
What to tell employees:
- Incident is under investigation
- Do not discuss externally
- Direct all inquiries to designated spokesperson
- Cooperate fully with investigators
- Preserve all potential evidence
Week 1-4: Remediate
Fix the Vulnerabilities
Based on PFI findings, you'll need to address root causes:
| Finding | Typical Remediation |
|---|---|
| Malware on POS | Clean rebuild, endpoint protection, network segmentation |
| Unpatched systems | Patch management program, vulnerability scanning |
| Weak credentials | Password policy, MFA implementation |
| No network segmentation | Segment payment systems, firewall rules |
| Third-party compromise | Vendor security review, access restrictions |
Re-Certification
After remediation, you may need:
□ PCI DSS re-assessment (if Level 1 or required by acquirer)
□ New SAQ completion (for smaller merchants)
□ Vulnerability scan by Approved Scanning Vendor (ASV)
□ Penetration test (if required)
□ Remediation validation by PFI
Handle Fines and Liabilities
Potential costs:
| Cost Category | Typical Range |
|---|---|
| PFI investigation | $15,000-$100,000+ |
| Card reissuance | $3-$10 per card reissued |
| Operational costs | Variable (fraud monitoring by networks) |
| Non-compliance fines | $5,000-$100,000+ |
| Customer notification | $1-$5 per customer |
| Credit monitoring | $10-$30 per affected customer/year |
| Legal fees | Variable |
| Increased processing rates | Potential 0.5-2% increase |
Customer Notification (If Required)
If notification is required by law or contract:
□ Draft notification letter (legal review)
□ Prepare FAQ for customer inquiries
□ Set up dedicated phone line or email
□ Offer credit monitoring if appropriate
□ Document all notifications sent
Post-Incident: Recovery
Return to Normal Processing
□ Get written clearance from acquirer
□ Confirm PFI has closed investigation
□ Resume full processing (may be phased)
□ Monitor for any attack resumption
□ Verify reserves/holds are released on schedule
Lessons Learned
Within 30 days of resolution:
□ Conduct post-incident review
□ Document what worked and what didn't
□ Identify control gaps that allowed breach
□ Create action plan for improvements
□ Update incident response procedures
□ Train staff on new controls
Long-Term Improvements
Based on breach learnings:
| Area | Typical Improvements |
|---|---|
| Detection | Log monitoring, SIEM, intrusion detection |
| Prevention | Network segmentation, endpoint protection, access controls |
| Response | Updated playbooks, regular drills, vendor relationships |
| Compliance | Regular assessments, continuous compliance monitoring |
Cost Planning Template
Use this to estimate breach costs:
```text
Breach Cost Estimate
--------------------
Investigation:
  PFI engagement:                 $_________
  Internal labor (hours x rate):  $_________
  External legal:                 $_________
Card Brand Assessments:
  Cards exposed:                   _________
  Estimated reissuance:           $_________ (cards x $5 avg)
  Operational costs:              $_________ (from network)
Fines:
  Non-compliance fines:           $_________
  Late notification fines:        $_________
Customer Costs:
  Customers affected:              _________
  Notification costs:             $_________
  Credit monitoring:              $_________
  Customer compensation:          $_________
Recovery:
  Remediation:                    $_________
  Re-certification:               $_________
  Increased rates:                $_________/year

TOTAL ESTIMATED COST:             $_________
```
When to Get a Lawyer
Engage legal counsel immediately if:
- Breach may affect more than 10,000 records
- You operate in multiple states/countries (notification law complexity)
- Attackers are demanding ransom
- You have cyber insurance (policy may require designated counsel)
- Regulatory obligations apply (HIPAA, SOX, etc.)
- Third-party data was affected
- You're facing potential litigation
Quick Reference: Key Deadlines
| Deadline | Requirement |
|---|---|
| Immediate | Contain and preserve evidence |
| 24 hours | Notify acquirer and card brands |
| State-specific | Customer notification (varies by state: 30-90 days typical) |
| 30 days | Begin PFI investigation |
| 90 days | Complete remediation (typical) |
| Varies | Re-certification (depends on level and scope) |
Emergency Contacts Template
Fill in for your organization:
| Role | Name | Phone | |
|---|---|---|---|
| Incident Commander | | | |
| IT/Security Lead | | | |
| Legal | | | |
| Processor Emergency Line | | | |
| Acquirer Contact | | | |
| Cyber Insurance Broker | | | |
| PFI (pre-selected) | | | |
Test to Run
Breach response drill (quarterly):
Run a tabletop exercise:
- Scenario: "We found unknown files on our payment server, and customers are reporting fraudulent charges."
- Walk through first 4 hours of this playbook
- Identify gaps: Who didn't know their role? What contact info was missing?
- Update playbook and contacts based on findings
Success criteria: Team can execute first 4 hours without confusion about roles or contacts.
Related
- PCI DSS Compliance - Baseline security requirements
- MATCH / TMF List - What happens if processing is terminated
- Processor Management - Working with processors
- Terminal Security - Preventing POS breaches
- Survive a Fraud Attack - Fraud attack response
- Network Programs - Brand compliance programs
- Holds and Reserves - Cash flow during incidents