What is a QIRA?
Qualiﬁed Incident Response Assessor
What is a QIRA?
Qualiﬁed Incident Response Assessor
They are the special investigation units of the Payment Card
Industry who have PCI knowledge and forensic examination
David Barnett email@example.com
Sr. Security Architect, Orbitz WorldWide
also - Sr. Consultant, Blue-Lava - Financial crimes forensic/fraud
Ex Forensics Investigator for a QSA (QIRA)
Consultant/Educator for US Secret Service, DHS, FBI, and DoD.
Participant HoneyNet Project
Why this talk
Conversations with David Taylor
from PCI Knowledge Base.
Provided a wealth of data from
interviews and anonymous
Dave passed away suddenly from a
heart attack on Oct 27, 2009.
Breach war stories have been done
ad-nausea, poorly most of the time
Incident Response Plans should
basically the same for all
Lessons from 100+ CC investigations
Find the right lawyer
Pick your forensics investigator*
Know how to work with your merchant bank and the card
Ensure your software/hardware vendors, VARs, subcontractors,
etc. take responsibility for their work
Prepare for the QIRA onsite investigation
*note - forensic (QIRA) vs. other forensic entities
In the beginning:
US Secret Service and Card Association saw individual breaches
not the wider common attack trends
Investigated them as isolated breaches
Remediated as isolated cases
No or little breach trending
The fundamental ways data breaches occur -
Theft or Loss of Physical Equipment: such as laptop computers or
memory storage devices.
Illegal access to the systems or information: A data breach can occur
through unlawful access to PII data by technological means such as
hacking into existing computer systems.
Insiders: A data breach can be committed by current employees, ex-
A credit card breach = PCI
Who is allowed to perform forensics
Only Qualiﬁed Incident Response Assessors
Master list at http://usa.visa.com/merchants/risk_management/
The list has changed over the last few years - Last BIG update
January 11, 2010 (only 3 companies when I was in the thick of it)
The process of who can be one and who can’t makes no sense at
all - though looks to be improving
How are merchants notiﬁed?
“Why are they picking on me?”
Almost all notiﬁcation is due to the merchant ID being identiﬁed
by one of the card brands as a Common Point of Purchase,
typically referred to as (CPP) or Point of Compromise (POC)
This is the one method of how a merchant or processor can be
identiﬁed as the breach point in a payment card fraud /
In this case, the similarity is a single business where all of the stolen credit cards
had been used before the cards had been involved in fraudulent activity. This
could potentially be the sign of an employee skimming card numbers, or a breach
in a database. There are always going to be coincidences involving data on a
large scale, but because of the scale, itʼs very difﬁcult to end up with false positive
fraud once a margin of error is established.
Card issuers may request that MasterCard initiate an
investigation of a merchant for possible CPP activity at any time.
Acquiring banks have 5 business days to acknowledge a request
from MasterCard for a CPP investigation and 30 calendar days to
complete the investigation. Failure to respond may result in ﬁnes
or assessments. $$$$
Only MasterCard, not a member bank, may designate a
merchant location as a CPP and request that an acquiring bank
conduct a CPP investigation. MasterCard will identify a merchant
location as a CPP from one or more of the following sources:
Information received from law enforcement and investigative authorities
Card issuers in accordance with the established criteria
MasterCard systems, databases, and any other source deemed to be
It is important to move swiftly
1. Follow your completed Data Breach Incident Response Plan
2. Document all ongoing events, all people involved, and all discoveries
into a timeline for evidentiary use. The following is a list of actions that
are going to need to be taken when a breach occurs:
Visa Fraud Investigations CISP Team has their own agenda,
though they state the following:
1 Works with the compromised entity to obtain all potentially
compromised account numbers.
2 Disseminates "at risk" account numbers (or data) to the issuing
3 Begins monitoring the activity on the affected accounts.
4 Works with the appropriate law enforcement on the entity’s behalf.
5 Provides guidelines to the compromised entity to assist them in
responding to the incident.
6 Works with the entity to identify security deficiencies.
7 Facilitates forensic investigation in a timely manner.
8 Ensures the entity takes corrective action to minimize the risk of
future loss or theft of account information.
9 Works with the entity to verify PCI DSS compliance in an expedited
Account Data Compromise Recovery
Visa validates whether validated compromise meets ADCR
criteria (full track, 10,000+ US accounts, incremental magnetic
stripe counterfeit fraud on accounts)
Visa calculates and advises the acquirer of its potential ADCR
If at the end of the issuer fraud reporting window Visa calculates
actual fraud and operating expense liability due to each
participating and impacted issuer Visa notiﬁes acquirers and
issuers of their respective liability and reimbursement
From Breach to Fraud - Typical Timeline
Date of Transaction at Entity Date of Transaction at Entity
for Earliest Account for LatestAccount
DATE THE BREACH
PERIOD of Compromised # of Accounts Likely off this chart,
BEGIN Transactions List of Accounts END most breaches are not
Time period of entity's transaction data Dates of Transactions discovered until late -
due to poor monitoring/
Period of Breach End date of
Time Period of penetration
PERIOD of Compromised Transactions
Start Date of Breach DELAY END
Time period when entity's transaction data is exploited
PCI Assessments are only Date of earliest Date of latest
valid for a "point in time: fraudulent Transaction fraudulent Transaction
Breaches occur over
Pre-Breach Stage Sustained Breach Exploitation-Only Stage
Compromised Account Management
Merchant discovers account compromise and notiﬁes it
Compromised (or suspected) accounts are uploaded into CAMS
Visa investigates to determine if an account compromise has
occurred and sends CAMS alerts to affected issuers to notify
them of compromised accounts
Affected issuers monitor, block or close compromised accounts
Post notiﬁcation, know what
your expected to do, what you
need to do, and the difference
Visa mandated steps in event of a suspected
payment card data breach
Immediately contain and limit exposure
Alert all necessary parties immediately
Provide all compromised accounts to your merchant bank within
Provide an Incident Response Report within 3 days to your
What your expected to do by the
The development of an Incident Response Plan is mandated by
the PCI DSS in Requirement 12.9:
12.9.1: Create an incident response plan
12.9.2: Test the plan at least annually
12.9.3: Designate speciﬁc personnel to be available on a 24/7 basis to respond to
12.9.4: Provide appropriate training to staff with security breach response responsibilities
12.9.5: Include alerts from IDS, IP and ﬁle integrity monitoring systems
12.9.6: Develop processes to modify and evolve the IR plan according to lessons learned.
Focus areas during the forensic investigation
Determine the type of cardholder information at risk
Determine the how many cardholder information is /was at risk
Perform incident validation and assessment
Check for sensitive authorization data - Track data, CVV2 and PIN block
Review payment gateway, VisaNet endpoint security and risk
Preserve all electronic evidence
Perform an internal and external vulnerability scan
Was the merchant PCI compliant at the time of the breach
Be sure to contact -
Your internal information security group and incident response
Your merchant bank.
Your local ofﬁce of the United States Secret Service.
If you do not know the exact name and/or contact information
for your merchant bank, notify Visa Fraud Investigations and
Incident Management group immediately at (650) 432-2978.
Provide all compromised Visa, Interlink, and Plus accounts to
your merchant bank within 10 business days.
All potentially compromised accounts must be provided and
transmitted as instructed by your merchant bank and Visa Fraud
Investigations and Incident Management group.
Visa will distribute the compromised Visa account numbers to
Issuers and ensure the conﬁdentiality of entity and non-public
Within 3 business days of the reported compromise, provide an
Incident Report document to your merchant bank
..and know them intimately
Software/hardware Merchant Bank Card Association
Be Prepared to Answer the Following
Initial point of entry
Timeline of events
Data exﬁltrated and exposed
Network architecture and application overview
Logging and monitoring
Per Visa - Identify and establish relationships
agreements with key vendors, including:
Outside IT security forensics experts who can investigate if, when
and how a breach occurred, and how to close and repair your
“Visa requires its partners to use external experts for this function,
and doing so is critical to establishing credibility with the media,
customers, investors and other key audiences. Also, consider using
a different vendor from the one that may have done previous security
Identify how the breach happened, contain the breach, and
implement a solution so it can not happen again
Notify appropriate people within the company
Notify External Agencies, within required time frames, such as:
›› Forensics Investigator
›› Law Enforcement
›› Affected vendors, suppliers
›› State Attorneys General (where applicable)
Visa and MasterCard are not interested in
forensics, they are interested in risk mitigation.
Visa maintains relationships with their QSA’s for a reason
Tend to work with the same people throughout the PCI-DSS world, for
example, same people move from a QSA company to the PCI SSC (PCI
Security Standards Council)
Creates an echo chamber
Lack of knowledge of modern forensics
Place artiﬁcial pressure on investigators to got out a compromise time frame
Rather wind down a case on lax evidence than determine the true causal
effect of compromise and compromise patterns
Saw this all the time while a QIRA
Important breach issues
Breach Issues Action Items
Mandated Breach Notiﬁcation Which States require notiﬁcation
Media reporting Hire ﬁrm for media coverage and
Negative customer reaction creating early press releases
Cost associated with brand damage Early customer communications
and lost revenue
Fines; according to the card
Stiff ﬁnes and penalties ranging from $10K-$500K per month for non-
$500K ﬁne per credit card data compromise incident if not PCI
$100K ﬁne if Visa is not immediately notiﬁed of as suspected data
If track data or other sensitive data elements was compromised, the
merchant can be assessed the estimated cost of fraud under Visa’s
ADCR Program as well as cost of card re-issuance (est. $7-$20 per
Potential termination of credit card processing privileges
Monthly Prohibited Data Fines for Merchant Data
Storage Violation Fines Compromise
Up to $600,000 for non-compliance
Months with PCI DSS requirements.
Months 4-6 Issuer Recovery Cost of Fraud.
Months 7 and up Charges that occurred on all exposed
Merchant Level 1 cards from the compromised
$100,000 The cost of the forensic investigation.
Merchant Level 2
$5,000 The cost to replace exposed credit
In reality, ﬁnes have been handed
down with no consistency
Large discrepancies in the per incident cost between large level 1 merchants and level 4
An average ﬁne for a single food services merchant (a local bar) was $350k not
Forensics assessment, incident investigation and containment
Upgrading non-compliant POS software & IT and security remediation and
Identity protection for impacted individuals (~$30 per person)
Cost associated with onsite validation for 1 year - now a Level 1 merchant
Class action lawsuits and liability in the event that privacy data was compromised
The Heartland Data Breach
"Visa sent customized settlement information packets to the
affected ﬁnancial institutions on January 14, 2010. In order to
accept the settlement, a ﬁnancial institution was required to
afﬁrmatively complete and return the settlement paperwork to
Visa by January 29, 2010," said the statement from lawyers
representing some of the impacted banks. "The offers--at least
those reviewed by class counsel--appeared to be less than 10
cents on the dollar for most ﬁnancial institutions and some at
less than 1 cent on the dollar."
Make sure you know a qualiﬁed
lawyer and call them
A good lawyer can make all the difference in the penalty
Interview your lawyer
Does the lawyer have:
dedicated Internet law department?
In house forensics professional?
Know what PCI is?
Worked with and know key individuals at Visa/MasterCard, the
banks, processors, etc.
How many digital crimes cases have they handled?
Know your merchant bank’s Point of Contact for fraud /PCI
Call them. Get to know this person. Take them for a beer.
They will be involved early in the process, up until the very end.
They typically know their counter parts at the card associations
But wait, do you have a processor who isn’t your merchant bank?
Better ﬁnd out and give them a call too!
Ensure these people are your advocate.
For level 4 merchants this can be quite complicated
Where does the responsibility
Per incident costs typically lower than level 3 or 4 merchants
Leverage with manufacturers
Media/Marketing Dept. to control the message
The “favorites” game
Several instances of medium to large size breaches which
remain off all breach lists and in the media
Good legal representation early in the process
Tend to lay blame of the software/hardware vendors
Card Associations deathly afraid of Full Disclosure
These and other issues have lead to many complaints of the ADCR
http://Datalossdb.org unofﬁcial master record-keeper of
From 01/21/2010 www.infolawgroup.com
In an interesting development, a handful of issuing banks
impacted by the Heartland breach have filed a class action
lawsuit against two acquiring banks related to Heartland
Payment Systems. According to this article, the issuing
banks are unhappy with Heartland's proposed settlement with
Visa. This appears and to be an attempted end-run around
the proposed $60 million settlement with Visa. It also may
demonstrate that issuing banks are not satisfied with the
dispute resolution mechanisms under the Visa Operating
Regulations (the Account Data Compromise Recovery process
estimated the loss at $140 million, yet the settlement was
for only $60 million), and their ability to be made whole
under those mechanisms.
From 01/21/2010 www.infolawgroup.com
Just as merchants shop for PCI assessors (QSA’s) merchants
shop for QIRA’s
This tends to skew a speciﬁc company’s analysis
Trend numbers from each company by themselves should not
be taken all that seriously
Some basic trends can be seen when viewed outside the
conﬁnes of these companies
www.datalossdb.org is a good overall source for breach data
but ... several breach cases I worked on and am aware of are
not on their list
Deﬁnite trends can be seen when
viewed outside the conﬁnes of
each of the forensics company
Next up ..... banks
(February 16, 2010) A Michigan-based manufacturing
firm is suing its bank after online crooks
depleted the company's account by $560,000 via a
series of unauthorized wire transfers last year.
The lawsuit is one of several that have been filed
over the past few months involving banks and
customers victimized by online theft. In this
case, the theft occurred after an employee at EMI
supplied the crooks with the company's online
banking credentials in response to a phishing e-
mail that purported to come from the bank.