What is PCI’s perspective on Business Continuity? Here is an overview on Business Continuity as described through the lens of the PCI DSS v3.2.1.
Business Continuity is tied to Incident Response
Building and maintaining a quality cyber security program includes a common set of best practices and activities across business functions, regardless of what framework a program may be modeled against. The bottom line is that good blocking and tackling is just that: good blocking and tackling. If you get the basics right, most of the common issues around security will be addressed, and when you forgo the basics, security issues will most certainly arise.
Business Continuity is part of the blocking and tackling of Information Security. During good economic times and fair weather operations, it is often considered a nice-to-have and less necessary, but when the climate changes (e.g. market, economy, key personnel turnover), those companies without a Business Continuity plan may be left scrambling to address critical issues after they have already become problems.
The focus of the Payment Card Industry Data Security Standard (PCI DSS) is the protection, confidentiality, integrity, and availability of the credit card ecosystem. Thus, related to business continuity, PCI’s concern is focused on the continuity of systems and environments that process, transmit, and store cardholder data (CHD).
In the PCI DSS, there is not a dedicated section or set of requirements set aside for Business Continuity. Instead, Business Continuity is folded under the banner of Incident Response (PCI DSS 12.10). In light of the purpose of the PCI DSS, this makes sense: the payment brands want merchants and service providers to be able to effectively respond to security incidents that may impact CHD, and Business Continuity considerations are viewed as a nested or secondary aspect of incident response planning.
While companies that are interested in building a more robust Business Continuity plan may do well in referencing best practices, such as those outlined in ISO 22301 Business Continuity Management, the following are the Payment Card Industry’s perspective on the comingling of Business Continuity and Incident Response.
PCI Incident Response + Business Continuity Requirements
For organizations that must be PCI compliant, the following are mandatory requirements that must be implemented. Of note, item 2.c, below, calls for Business Recovery and Continuity Procedures, but does not specify what that looks like. We recommend ISO 22301 as a framework for thinking about BCP and developing right-sized and organization-specific procedures.
- Implement an incident response plan. Be prepared to respond immediately to a system breach. [PCI DSS 12.10]
- Create the incident response plan to be implemented in the event of system breach. Include at a minimum: [PCI DSS 12.10.1]
- Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum
- Specific incident response procedures
- Business recovery and continuity procedures
- Data backup processes
- Analysis of legal requirements for reporting compromises
- Coverage and response of all critical system components
- Reference or inclusion of incident response procedures from the payment brands
- Review and test the plan, including all elements above, at least annually [PCI DSS 12.10.2]
- Designate specific personnel to be available on a 24/7 basis to respond to alerts [PCI DSS 12.10.3]
- Provide appropriate training to staff with security breach response responsibilities [PCI DSS 12.10.4]
- Include alerts from security monitoring systems, including, but not limited to intrusion-detection, intrusion-prevention, firewalls, and file-integrity monitoring systems [PCI-DSS 12.10.5]
- Develop a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments [PCI DSS 12.10.6]
Top 5: Common Pitfalls & Best Practices for Implementing Business Continuity
The following are a short list of the common issues and best practices that we have seen in organizations implementing continuity related to PCI compliance:
- Not communicating the plan to responsible and affected parties.
- Not including all business units and key stakeholders in annual reviews and testing of the plan
- Not providing dedicated training to staff with responsibilities for executing the plan
- Disconnect between IT (monitoring/alerting) and Business Leaders (decision making)
- Failure to update the plan to reflect the realities of the changing business landscape
- Create a Common Operating Picture: Have a plan that is right-sized and reflective of the business environment, and is communicated and understood among all relevant stakeholders
- Implement a RACI diagram to describe and communicate the roles and responsibilities under the Business Continuity plan
- Relatedly, define authorities and decision-making responsibilities. Ambiguous situations may arise, and having a framework for decision making will enable those responsible to take appropriate action. This should be included within the plan.
- Test ‘fallout-1’ scenarios. The plan is only effective if it provides guidance and empowers the team to take action when the primary leader is absent/unavailable.
- Mature the plan over time: utilize annual testing to build out and document scenarios (e.g. ‘playbook’ as an Annex to the continuity plan)
Whether implementing Business Continuity to line up with a compliance framework, such as PCI DSS, or implementing it for the sake of sound business practice, it is important to get the blocking and tackling right. PCI DSS addresses BCP through the lens of IR, which is reflective of the payment brands’ purpose for the standard. While the PCI requirements for IR and BCP are structurally sound, they do not provide much guidance beyond the basic requirements. For going above and beyond compliance, consider ISO 22301 as sound guidance and best practices for building out a Business Continuity plan and procedures in line with industry best practice.