PCI, PFI, PCI DSS, PCI SSC, these are all terms you will hear and need to know about when operating within the Payment Card Industry. We understand that it’s a lot to read into, which is why we’ve compiled a simple run-through of all the basics you’ll need to know.
PFI stands for PCI Forensic Investigator(s). A PFI, as the name suggests, investigates breaches of payment card data, in cases ranging from small businesses all the way to international law enforcement efforts.
Qualified by the PCI SSC (which we’ll get into later), only a select few companies are authorised to lead these forensic investigations.
The Payment Card Industry. All organisations, big or small, that store, process or transmit cardholder data (typically credit and debit card data) are part of the PCI. If you’ve ever bought a good or service online, then after you typed in your card details a payment card processor was most likely given the job of processing your transaction safely and securely.
Keywords: safely and securely.
Because of how lucrative hacking can be, and how unsafe many payment systems were, it became very evident (during the rapid growth of the internet) that security standards would need to be drafted. So, in 2006, the PCI SSC was founded.
Founded by Visa, Discover Financial Services, JCB International, American Express and Mastercard, the Payment Card Industry Security Standards Council is an organisation of private, independent card brands which manages the Payment Card Industry Data Security Standard (PCI DSS).
Payment Card Industry Data Security Standard (PCI DSS) is a body of security standards that includes 12 requirements, and additional sub-requirements, that businesses must meet in order to be considered compliant. In brief, these are:
Of course, the requirements go into much more detail and have many sub-requirements that may or may not apply to your business. Meeting these requirements is very important. If you are deemed non-compliant under the PCI DSS and fall victim to a data breach, you could suffer significant financial penalties from the card brands, on top of any penalties under local or national laws. Please read more on these, in full, here.
Well… Foregenix is one. Investigators themselves must work for a Qualified Security Assessor (QSA) Company; both the investigator and the company are certified by the PCI SSC.
Primarily, PFIs (PCI Forensic Investigators) perform investigations within the financial industry, after a data breach (whether major or minor). Using well defined investigative methodologies, their objective is to figure out what happened, how it happened, what was stolen, who stole it and to make sure the breach is no longer taking place.
PFIs often work closely with law enforcement. It is fairly common for countries to enact laws on online security and, as such, PFIs are very useful in helping to solve cyber crimes. Foregenix itself employs a wide range of ex-law-enforcement experts.
A PCI Forensic Investigation aims to stop the breach as quickly as possible to prevent further damage, while getting the required investigation completed. The process can vary from company to company and situation to situation, but the requirements and strategy are pretty much the same. Additionally, there may be region-specific "supplements" within the realm of PFI forensic investigations. These mainly relate to situations that (at a point in time) may appear to be smaller incidents, or incidents with limited supporting evidence of intrusion or card data exposure.
As I said, there is a lot more to it than this, what with all the laws, regulations and agreements that must be taken into account. Having said that, we specialise in helping organisations through the PFI process, and we have a fantastically talented team and specialised technology available to assist: we help hacked organisations regain control of their business systems quickly, efficiently and with minimal business interruption.
If you have any questions or wish to get in touch, contact us.