How to choose a QIRA
Mark Carney, FishNet Security
Let's assume you are the corporate CSO of a major, international retail chain. You arrive at the office, pour yourself a cup of coffee and sit down at your desk. Suddenly, you get the call that nightmare call: The corporate network has been breached and potentially millions of cardholders' data has been stolen. Pandemonium erupts. Everyone turns to you for direction. What should you do next?
One of the first steps to take is to communicate the details of the crisis up the chain of command — enabling your CEO and public affairs team to quickly assure your customers publicly that your organization has taken all the necessary precautions to protect them against damages that might occur. Equally important is to take all necessary actions to contain the situation. Proper communication with the card brands and associated merchant banks is critical, as they must be updated on the situation and informed of your remediation activities.
After or even during the containment process, you may be required to call in a Qualified Incident Response Assessor (QIRA) to conduct a thorough investigation and forensic analysis. QIRAs were born out of the need to support Visa and the other card brands -- instituted to leverage their combined industry experience, PCI knowledge and forensic examination skills for collaboration purposes, with the intent to prevent or reduce future card breach incidents. They are the special investigation units of the Payment Card Industry. It's their job to make sure that all of the holes have been plugged, to pinpoint where and how the breach occurred and provide direction so that further problems can be avoided.
The investigation is a process you will want to accomplish accurately, yet as quickly as possible. There are only a few QIRAs in the world and you should consider several things when choosing which one to call. Here is a top five list of things to consider when deciding on a QIRA:
- Call in a QIRA you have a “trust relationship” with: Do not make a decision by throwing darts at a list. Chances are you are already working with a company that has a QIRA team (see next point).
- If you haven't already done it, form a relationship with a QIRA before you have a breach so that when one occurs you'll be prepared to act. A list of Visa-Approved QIRA's can be found here.
- Make sure the QIRA team you call has successfully met Visa's requirements to perform investigations and is experienced in PCI DSS incident response and remediation, and that it has a history in dealing with the card brands and merchant banks.
- Ensure that the QIRA team has an effective communication process in place to keep everyone informed. The response process is all about information gathering and reporting. You should not need to go searching for the details you need; you want the information to flow to you from the QIRA team on a timely basis.
- Make sure the QIRA team is what it claims to be and that it can deliver what it says it will provide. QIRA teams are certified and approved by Visa, and must be responsive and available. When your CEO, general counsel or others who “need to know” are turning to you for information, you don't want to keep them on hold.
As long as the internet is integral to business and payment cards are used to complete transactions there will be those who will seek to profit from stolen data. Be sure your organization is proactive and remains prepared to respond.