How to choose a QIRA

Mark Carney, FishNet Security
As long as there are hackers, organized criminals and a black market for payment cardholder data, breaches will happen. There is no reason to rehash a laundry list of all of the damages organizations suffer from when a breach occurs. Instead, let's take a look at what takes place when an organization is breached and the steps necessary to recover.

Let's assume you are the corporate CSO of a major, international retail chain. You arrive at the office, pour yourself a cup of coffee and sit down at your desk. Suddenly, you get that nightmare call: the corporate network has been breached and the data of potentially millions of cardholders has been stolen. Pandemonium erupts. Everyone turns to you for direction. What should you do next?

One of the first steps to take is to communicate the details of the crisis up the chain of command — enabling your CEO and public affairs team to quickly assure your customers publicly that your organization has taken all the necessary precautions to protect them against damages that might occur. Equally important is to take all necessary actions to contain the situation. Proper communication with the card brands and associated merchant banks is critical, as they must be updated on the situation and informed of your remediation activities.

After or even during the containment process, you may be required to call in a Qualified Incident Response Assessor (QIRA) to conduct a thorough investigation and forensic analysis. QIRAs were born out of the need to support Visa and the other card brands. They were instituted to leverage their combined industry experience, PCI knowledge and forensic examination skills for collaboration purposes, with the intent of preventing or reducing future card breach incidents. They are the special investigation units of the Payment Card Industry. It's their job to make sure that all of the holes have been plugged, to pinpoint where and how the breach occurred, and to provide direction so that further problems can be avoided.

The investigation is a process you will want to accomplish accurately, yet as quickly as possible. There are only a few QIRAs in the world and you should consider several things when choosing which one to call. Here is a top five list of things to consider when deciding on a QIRA:
  • Call in a QIRA you have a "trust relationship" with: do not make a decision by throwing darts at a list. Chances are you are already working with a company that has a QIRA team (see next point).
  • If you haven't already done it, form a relationship with a QIRA before you have a breach, so that when one occurs you'll be prepared to act. A list of Visa-approved QIRAs can be found here.
  • Make sure the QIRA team you call has successfully met Visa's requirements to perform investigations, is experienced in PCI DSS incident response and remediation, and has a history of dealing with the card brands and merchant banks.
  • Ensure that the QIRA team has an effective communication process in place to keep everyone informed. The response process is all about information gathering and reporting. You should not need to go searching for the details you need; you want the information to flow to you from the QIRA team on a timely basis.
  • Make sure the QIRA team is what it claims to be and that it can deliver what it says it will provide. QIRA teams are certified and approved by Visa, and must be responsive and available. When your CEO, general counsel or others who "need to know" are turning to you for information, you don't want to keep them on hold.
In the end, the reports are going to tell the story. You must have quality, accurate and readable data that enables you to make the best decisions on remediation, incident disclosure requirements and future prevention. Make sure the QIRA team has the knowledge, experience and processes in place to support your company when it faces an emotionally charged crisis situation.

As long as the internet is integral to business and payment cards are used to complete transactions, there will be those who seek to profit from stolen data. Be sure your organization is proactive and remains prepared to respond.