7 Guidelines for Choosing a PCI Forensic Investigator

This is an excerpt of an article that was originally printed in the April/May issue of the Bottomline. It is part of a PCI Compliance series that is leading up to HITEC 2012.


The hospitality industry has been targeted by cyber criminals seeking to steal credit card information for years — primarily because of the volume of transactions and the potential ability to propagate to multiple locations within the hotel chain.

In fact, for the past three years, Trustwave has identified the hospitality industry as one of the top targets for cyber criminals in Trustwave’s annual Global Security Reports (2009 – 2011).

Unfortunately, to-date the hospitality industry as a whole has been slow to identify breaches.

In most cases, hotels are alerted after customers call to complain that their card has been used fraudulently or the credit card processing bank alerts the hotel about the potential credit card breach.

How Hotels Are Alerted to Potential Breaches

When a certain percentage of credit cards that have experienced fraudulent activity have been processed through a hotel’s payment environment, the Payment Brands (i.e., Visa Inc., MasterCard Worldwide, American Express, Discover Network and JCB) will flag the hotel as the source of a potential breach and issue a Common Point of Purchase (CPP) report.

The payment brands alert the hotel’s processing bank, which then contacts the hotel about the potential breach.

Regardless of how the breach occurred, the hotel is required to enlist a PCI Forensic Investigator (PFI) to identify the details of the breach and the necessary remediation activities.

When processing banks request an official forensic investigation, only the PFIs can conduct the investigation. Additionally, hotels can only use PFI companies that are approved by the PCI Security Standards Council.

7 Guidelines for Choosing a PFI

There are presently only 15 PFI approved companies around the world. Here are some guidelines to consider when choosing a PFI:

1. Eligibility

Hotels must ensure that the company they select is on the list of approved companies.

If they choose a company that is not on the list of approved PFI companies, they will most likely have to repeat the investigation with an approved company, which means increased costs, and potentially degradation of evidence.

Bottom line: It’s best to work with an approved company upfront.

2. Presence

An important consideration for choosing a PFI is where the firm can conduct investigations — this is critical for hotels with multiple locations around the globe. Even if those locations are not on the suspected list, it is possible that attackers may have propagated to them through Local Area Network.

Out of the 15 approved PFI firms, there are two firms that can conduct PFI investigations in all regions.

While it is not disallowed to use multiple forensic firms for a data breach, it could lead to confusion and increased costs.

3. Reputation

Choose a company with experience in the field. The PFI list changes every year, so it is important to ask the company how long it has been certified as a PFI firm.

The firms that have been conducting credit card breach investigations for multiple years would most likely have many experiences with complex cases.
Also, ask your credit card processing bank for recommendations. Though they don’t select a PFI firm, if asked, they may give provide a short list to choose from.

Hotels should conduct their own research on the PFI firms. Many firms share their breach statistics and white papers on credit card breaches.
Furthermore, hotels should look to peers in the hospitality industry for advice and recommendations.

4. Timelines

When a hotel experiences a security breach, they need to act as quickly as possible.

Questions for PFI firms include: 1) How long it will it take to start the investigation? 2) How long will it take to complete the project?

For a single property, the project start date should be within five days of signing the paperwork, while the project completion should be within a month.

The investigation for multiple locations could depend on the complexity of the case. Also, it is the hotel’s right to request weekly updates on the investigations.

Most importantly, the PFI firm must allocate time for questions about the breach and its financial and reputational consequences.

5. Reporting and Remediation

PFI firms are required to submit a preliminary report within five business days from the completion of the onsite visit at the suspected property.

While additional analysis is required by the PFI firm following the onsite visit, a skilled PFI firm will most often have the ability to discover key information regarding the breach and assist in containment within the first 24 hours of their visit to the impacted location.

Completion of the investigation results in a comprehensive final report. The final report will outline in detail all findings uncovered by the PFI firm per PFI requirements.

Within the final report, a comprehensive list of completed and outstanding remediation steps will also be documented (which will most likely mirror PCI DSS compliance requirements).

Subsequent to the completion of the PFI investigation, the breached entity will be responsible for fulfilling and validating PCI DSS compliance requirements as quickly as possible.

6. Costs

The costs of hospitality investigations depend on the scope of the investigation.

The first thing an investigator will determine is the merchant ID that is experiencing fraud. For example, if Common Point of Purchase report was called on the hotel restaurant’s Merchant ID and that restaurant environment is not connected to other areas of the network, then the investigation can be limited to the restaurant environment only.

However, it is very common for hotels to have interface systems that connect the hotel restaurants, spa and other areas within the hotel to a common property management system.

It is important for hotels to have a complete understanding of the systems that process, transmit or store credit card data so that they can provide adequate information to the PFI firm.

The scope of the investigation could also increase based on connectivity with the corporate location and/or other franchisee locations. Hotels should ask PFI firms about the costs in the event of scope increases to encompass multiple locations and systems so that there are no surprises during the investigation.

7. Disclosure of Information

Per PFI contracts, firms are required to submit reports to the client, as well as the contracted acquiring bank and the impacted card brands. At the time of selecting a PFI firm, hotels should inquire about their data disclosure policy and be comfortable with their policies.

Many mature PFI firms have relationships with law enforcement agencies and will share data per the authorization of the client. While it is important to share the forensic findings with law enforcement agencies to catch the attackers, the decision to share the data with any parties other than acquiring bank and card brands lies on the shoulders of the impacted client.

Bottomline: Pick a PFI that has a great reputation and can handle complex cases

Without a doubt, credit card data breaches are stressful and can be expensive. Hotels should look for a PFI firm that has a great reputation and is capable of handling complex cases.

The requirements in this guide are designed to help organizations within the hospitality industry select a PFI firm that can provide them with the best service during the investigation, questions to ask them and clear guidelines on how to move forward after the investigation.


Jibran Ilyas is a senior security consultant, incident response with Trustwave. He is also member of the HFTP PCI Compliance Task Force. For more information, you can follow @jibranilyas and @Trustwave on Twitter.

You May Also Like

About the Author: Contributor

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.