Symptoms of Data Breaches
The following are common symptoms that may indicate a data breach.
- A system alarm or similar indication from an intrusion detection tool
- Unknown or unexpected outgoing Internet network traffic from the payment card environment
- Presence of unexpected IP addresses or routing
- Suspicious entries in system or network accounting
- Accounting discrepancies (e.g. gaps in log files)
- Unsuccessful logon attempts
- Unexplained, new user accounts
- Unknown or unexpected services and applications configured to launch automatically on system boot
- Anti-virus programs malfunctioning or becoming disabled for unknown reasons
- Unexplained, new files or unfamiliar file names
- Unexplained modifications to file lengths and/or dates, especially in system executable files
- Unexplained attempts to write to system files or changes in system files
- Unexplained modification or deletion of data
- Denial of service or inability of one or more users to log in to an account
- System crashes
- Poor system performance
- Unauthorized operation of a program or sniffer device to capture network traffic
- Use of attack scanners, remote requests for information about systems and/or users, or social engineering attempts
- Unusual time of usage
- Unauthorized wireless access point detected
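Several of the symptoms above (gaps in log files, unsuccessful logon attempts, unexplained new accounts, unusual time of usage) can be checked mechanically against exported system logs. The script below is an added example, not part of the Rollins PCI page or its procedures; the log format, host name, account names, IP addresses and thresholds are all constructed for the demonstration and should be replaced with your own environment's values and baselines.

```python
"""Offline checks for some of the breach symptoms in the list above.

Added example (not from the Rollins PCI page). The log line format,
host name, users, source IPs and thresholds are constructed here.
"""
import re
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <host> <event> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-03-04T09:00:12 pos-01 LOGON_OK user=cashier1 src=10.0.5.21
2024-03-04T09:14:40 pos-01 LOGON_FAIL user=admin src=10.0.5.77
2024-03-04T09:14:41 pos-01 LOGON_FAIL user=admin src=10.0.5.77
2024-03-04T09:14:42 pos-01 LOGON_FAIL user=admin src=10.0.5.77
2024-03-04T09:14:43 pos-01 LOGON_FAIL user=admin src=10.0.5.77
2024-03-04T09:14:44 pos-01 LOGON_FAIL user=admin src=10.0.5.77
2024-03-04T09:14:45 pos-01 LOGON_OK user=admin src=10.0.5.77
2024-03-04T09:20:00 pos-01 USER_ADD user=svc_backup2 src=10.0.5.77
2024-03-04T13:05:09 pos-01 LOGON_OK user=cashier2 src=10.0.5.22
2024-03-05T02:31:55 pos-01 LOGON_OK user=svc_backup2 src=10.0.5.77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def log_gaps(events, max_gap=timedelta(hours=3)):
    """Symptom: gaps in log files. Return (start, end) pairs of silence longer than max_gap."""
    ordered = sorted(events, key=lambda e: e["ts"])
    return [
        (prev["ts"], cur["ts"])
        for prev, cur in zip(ordered, ordered[1:])
        if cur["ts"] - prev["ts"] > max_gap
    ]


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Symptom: unsuccessful logon attempts.

    Return {(user, src): count} where count failures fell inside one sliding
    window and count >= threshold.
    """
    fails = {}
    for e in events:
        if e["event"] == "LOGON_FAIL":
            fails.setdefault((e["user"], e["src"]), []).append(e["ts"])
    bursts = {}
    for key, stamps in fails.items():
        stamps.sort()
        best, start = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[key] = best
    return bursts


def new_accounts(events, baseline):
    """Symptom: unexplained new user accounts. Accounts seen that are not in the baseline."""
    seen = {e["user"] for e in events}
    return sorted(seen - set(baseline))


def off_hours_activity(events, open_hour=7, close_hour=22):
    """Symptom: unusual time of usage. Events outside the business-hours window."""
    return [e for e in events if not (open_hour <= e["ts"].hour < close_hour)]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    known = {"cashier1", "cashier2", "admin"}  # constructed account baseline
    print("log gaps:", log_gaps(evts))
    print("failed-logon bursts:", failed_logon_bursts(evts))
    print("accounts not in baseline:", new_accounts(evts, known))
    print("off-hours events:", [(e["ts"], e["user"]) for e in off_hours_activity(evts)])
```

On the constructed sample every check fires: a burst of five failed logons for `admin` followed by success, creation and later off-hours use of an account that is not in the baseline, and two multi-hour silences in the log. In practice the baseline of accounts and the thresholds should come from the documented configuration of each payment system, and any hit is a reason to start the notification steps in the Security Breach section rather than to investigate on the machine itself.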
Please review the POS Tampering Checklist located here and check for these items weekly.
Security Breach
An ‘incident’ is defined as a suspected or confirmed ‘data compromise’. A ‘data compromise’ is any situation where there has been unauthorized access to a system or network where prohibited, confidential or restricted data is collected, processed, stored or transmitted; payment card data is prohibited data. A ‘data compromise’ can also involve the suspected or confirmed loss or theft of any material or records that contain cardholder data.
In the event of a breach or suspected breach of security, the department must immediately execute each of the relevant steps detailed below:
· The merchant department responsible person (MDRP) or any individual suspecting a security breach must immediately notify the Incident Response Team at pcicompliance@rollins.edu, in accordance with the Incident Response Plan, of an actual or suspected breach of payment card information. Email should be used for the initial notification and should include a telephone number at which the Incident Response Team can reach the reporter. Details of the breach should not be disclosed in email correspondence.
· Notify the MDRP and the department head of the unit experiencing the suspected breach.
· The MDRP or any individual suspecting a security breach involving e-commerce also must immediately ensure that the following steps, where relevant, are taken to contain and limit the exposure of the breach:
- Prevent any further access to or alteration of the compromised system(s) (i.e., do not log on to the machine at all, and do not change passwords).
- Do not switch off the compromised machine; instead, isolate the compromised system(s) from the network by unplugging the network connection cable.
- Preserve logs and electronic evidence.
- Document every action you take from the point of suspected breach forward, preserving any logs or electronic evidence available. Include in the documentation:
  - Date and time
  - Action taken
  - Location
  - Person performing action
  - Person performing documentation
  - All personnel involved
- Be on HIGH alert and monitor all e-commerce applications
· If a suspected or confirmed intrusion / breach of a system has occurred, the Incident Response Team will alert the merchant bank, the payment card associations, Campus Safety, local authorities, the Rollins College Chief Financial Officer and the Chief Information Officer. A detailed incident response plan will be maintained by the PCI Compliance Team.