Finance Department

PCI Resources

Symptoms of Data Breaches

The following are common symptoms to look for in a data breach.

  • A system alarm or similar indication from an intrusion detection tool
  • Unknown or unexpected outgoing Internet network traffic from the payment card environment
  • Presence of unexpected IP addresses or routing
  • Suspicious entries in system or network accounting
  • Accounting discrepancies (e.g. gaps in log files)
  • Unsuccessful logon attempts
  • Unexplained, new user accounts
  • Unknown or unexpected services and applications configured to launch automatically on system boot
  • Anti-virus programs malfunctioning or becoming disabled for unknown reasons
  • Unexplained, new files or unfamiliar file names
  • Unexplained modifications to file lengths and/or dates, especially in system executable files
  • Unexplained attempts to write to system files or changes in system files
  • Unexplained modification or deletion of data
  • Denial of service or inability of one or more users to log in to an account
  • System crashes
  • Poor system performance
  • Unauthorized operation of a program or sniffer device to capture network traffic
  • Use of attack scanners, remote requests for information about systems and/or users, or social engineering attempts
  • Unusual time of usage
  • Unauthorized wireless access point detected

Please review the POS Tampering Checklist located here and review these items weekly.

Security Breach

An ‘incident’ is defined as a suspected or confirmed ‘data compromise’. A ‘data compromise’ is any situation where there has been unauthorized access to a system or network where prohibited, confidential or restricted data is collected, processed, stored or transmitted; payment card data is prohibited data. A ‘data compromise’ can also involve the suspected or confirmed loss or theft of any material or records that contain cardholder data.

In the event of a breach or suspected breach of security, the department must immediately execute each of the relevant steps detailed below:

  • The merchant department responsible person (MDRP) or any individual suspecting a security breach must immediately notify the Incident Response Team at, in accordance with the Incident Response Plan, of an actual breach or suspected breach of payment card information. Email should be used for the initial notification and should include a telephone number at which the Incident Response Team can respond. Details of the breach should not be disclosed in email correspondence.

  • Notify the MDRP and the department head of the unit experiencing the suspected breach.

  • The MDRP or any individual suspecting a security breach involving e-commerce also must immediately ensure that the following steps, where relevant, are taken to contain and limit the exposure of the breach:

    • Prevent any further access to or alteration of the compromised system(s) (i.e., do not log on at all to the machine and/or change passwords).
    • Do not switch off the compromised machine; instead, isolate the compromised system(s) from the network by unplugging the network connection cable.
    • Preserve logs and electronic evidence.
    • Document every action you take from the point of suspected breach forward, preserving any logs or electronic evidence available. Include in the documentation:
      • Date and time
      • Action taken
      • Location
      • Person performing action
      • Person performing documentation
      • All personnel involved
    • Be on HIGH alert and monitor all e-commerce applications.

  • If a suspected or confirmed intrusion/breach of a system has occurred, the Incident Response Team will alert the merchant bank, the payment card associations, Campus Safety, local authorities, the Rollins College Chief Financial Officer and the Chief Information Officer. A detailed incident response plan will be maintained by the PCI Compliance Team.