What are the PCI DSS Business Continuity Requirements?

Are you sure you are ready to deal with the loss of a server or recover lost data? Does your business continuity planning include human loss as part of your operational resources? PCI DSS Requirement 12.10 covers business continuity following a data breach incident.

What is a Business Continuity Plan?

A Business Continuity Plan (BCP) gives a company a way to cope with the commercial effects of a catastrophic incident and keep operating. It is a strategic view that includes the development of specific emergency plans for high-probability outages. Together with the associated disaster recovery plan (DRP), the business continuity planning process forms a large part of an organization’s “worst-case scenario” planning and provisions.

Business continuity plans (BCPs) help auditors and assessors determine whether an organization is taking adequate steps to prepare for a disaster.

Is PCI DSS Concerned With Business Continuity?

PCI DSS says surprisingly little about business continuity. The relevant requirement is 12.10.1, which states that your incident response plan should address business recovery and continuity procedures. To maintain PCI compliance while a business continuity process is being invoked, you must first act according to your PCI scope.

See Also: PCI DSS Disaster Recovery Requirements

In other words, any implementation of a business continuity process will likely significantly change the scope of your PCI DSS compliance. Therefore, when adopting a new technique, you need to properly assess the change in your scope and then determine what it means to stay compliant with the PCI DSS standard’s relevant requirements.

PCI DSS requirement 12.10.1 requires you to establish an incident response plan to be implemented in the event of a breach and to ensure that the program addresses at least the following:

  • Specific incident response procedures
  • Business recovery and continuity procedures
  • Data backup processes
  • Analysis of legal requirements for reporting compromises
  • Coverage and responses of all critical system components
  • Reference or inclusion of incident response procedures from the payment brands

Of the items above, the ones that concern business continuity are the business recovery and continuity procedures and the data backup processes.

Historically, PCI DSS has paid little attention to business continuity unless the solution is a seamless failover, because a live failover environment processes cardholder data and is therefore in scope.

Looking at requirement 12.10.1, we find that the incident response plan should be comprehensive: it must include all the key elements needed to ensure that your company responds effectively to a breach that could affect cardholder data.

The Report on Compliance (ROC) only asks the PCI QSA to confirm that the incident response plan includes these items.

Essentially, PCI DSS wants organizations to ensure continuity of PCI compliance when they initiate business continuity plans. However, it should not be forgotten that PCI DSS includes business continuity or disaster recovery activities only if cardholder data (CHD) is actively included in the scope.

Business continuity enters PCI scope when an organization has usable recovery capabilities in a disaster recovery data center or replicates CHD to a disaster recovery site in real time.

Otherwise, the disaster recovery site is not covered by the PCI assessment. As a result, most organizations need to include their disaster recovery sites in their PCI assessments if those sites hold card data.

If a disaster recovery site has never been evaluated for PCI compliance, your PCI scope has been underestimated. Organizations should include disaster recovery sites in scope and regularly assess their processes for PCI compliance.

See Also: How to Implement a Successful Incident Response Plan for PCI DSS

While PCI DSS does not require an assessment of business continuity and data backup processes themselves, it does serve as a reminder that business continuity can become a compliance issue and should be addressed before it becomes one.

Ideally, your business continuity planning considers the impact of any scenario on your PCI DSS scope and includes actions to take to adapt your business processes to the new scope. But in reality, most businesses overlook the PCI DSS scope requirements for business continuity plans.

Therefore, once a continuity plan has been invoked, you should completely reassess your PCI DSS scope to ensure you return to a compliant state as soon as possible.

What Are The Steps Of a Business Continuity Plan?

In a business continuity plan, there are four required steps:

  1. Business Impact Analysis: Create and manage a survey.
  2. Recovery Strategies: Select and implement the chosen strategies.
  3. Plan Development: Develop, document, and approve plans.
  4. Tests and Exercises: Train BCP teams, run planned tests, and incorporate lessons learned.

Let’s examine the business continuity steps in detail below and determine what needs to be done.

1. Business Impact Analysis

The first step in your business continuity plan is the Business Impact Analysis (BIA). Its purpose is to estimate the consequences or impact of a disruption to a specific business function.

Identify time-sensitive and critical business functions and the resources that support them. Take a comprehensive look at all IT components, including servers, networks, and devices, with data protection and availability in mind. Understand what these components do and what will happen if they stop doing it.

Determine at what point in time the loss of a particular business activity or capacity begins to have that effect.

Much of this step will consist of information gathering activities that will later be used to create your recovery strategies. These activities revolve around your BIA survey or worksheets. Your BIA process should look like this:

  • Create a BIA survey.
  • Train critical people on how to fill in the questionnaire.
  • Collect and review surveys.
  • Conduct follow-up interviews to validate and fill in surveys.

2. Recovery Strategies

Recovery requires resources. Buildings and equipment can be destroyed, supply chains can fail, and IT systems can be disrupted. Recovery strategies offer an alternate way to keep the organization alive and running at a minimally acceptable pace.

After collecting the BIA questionnaires and worksheets, evaluate the resources needed to recover to the minimum acceptable level after each potential impact. You need to know what will be required and how much it will cost to return to that level.

The larger the company, the more recovery strategies will be available. Methods can include relocation, working with third parties, short-term partnerships, and the reassignment of responsibilities.

All staff at all levels should be consulted to determine which strategies will work or not. Collaboration and participation are essential because the people who do the job are the people who understand the procedures best.

Steps of the Recovery Strategies phase include:

  • Summarize resource requirements according to BIA.
  • Conduct a gap analysis on differences between recovery requirements and available capabilities.
  • Explore, select, and validate recovery strategies.
  • Apply recovery strategies.

3. Plan Development

During Plan Development, you thoroughly document how the chosen strategies will be implemented. At this stage you will probably need more than one contingency plan.

  • Develop the framework for your plan.
  • Create recovery teams.
  • Fill in the actual plans, their related steps, and supporting details.
  • Write down your formal business continuity plan, contingency plans, and disaster recovery procedures.
  • Finalize, verify, and approve the plan.

Implementing the plan will take time. The ultimate objective of this phase is to have on file a complete, approved, thoroughly reviewed, tested, and up-to-date Business Continuity Plan (BCP).

4. Tests and Exercises

As with an incident response plan, the success of your business continuity plan depends largely on ongoing testing and training. If your staff do not know their roles during an emergency or extended business impact scenario, educating them in the middle of a crisis will waste valuable time.

Unless employees have rehearsed their role in the plan under the pressure of an exercise, they cannot be expected to perform it when a real emergency occurs.

Tabletop exercises, training, communication, and messaging are important aspects of this process, and key players from departments such as HR, marketing, and internal communications should be involved.

The process of testing and exercises should cover the following:

  • Define testing, exercise, and maintenance needs.
  • Organize regular training sessions with business continuity teams.
  • Conduct exercises and tests and document the results.
  • Regularly incorporate lessons learned from exercises and tests.
  • Keep BCP relevant information up to date and easily accessible to all major players.

What Are Business Continuity Standards?

The Business Continuity Plan (BCP) details what will be recovered, in what order, and how fast; disaster recovery (DR) puts this plan into effect; and incident response (IR) encompasses both the BCP and DR, since it identifies the triggering event that invokes the plans.

There are many well-known standards for Business Continuity, and they usually cover more than IT systems:

  • ISO 22301:2012: Societal security – Business continuity management systems – Requirements
  • ISO 22313:2012: Societal security – Business continuity management systems – Guidelines
  • ISO/IEC 27031:2011: Information technology – Security techniques – Guidelines for information and communication technology (ICT) readiness for business continuity
  • NIST Special Publication 800-34 Rev. 1: Contingency Planning Guide for Federal Information Systems
  • ANSI/ASIS SPC.1-2009: Organizational Resilience: Security, Preparedness, and Continuity Management Systems

For disaster recovery (DR), start by mapping all your business processes and asset dependencies. You cannot know how to bring systems back if you don’t know how they fit together. If your asset management processes are not robust, you cannot even begin the mapping, so you must first inventory your business processes and assets.

Once you’ve mapped your business processes, writing all your procedural documents is a relatively straightforward task. Whether you have full redundancy in everything, hot-swappable spares, or any other DR cliché, getting your systems back online then comes down to a set of easy-to-follow instructions.

From an IT standpoint, all the BCP does is tell you in what order and within what time frame you will bring these systems back online. Remember that the business continuity plan should be tested annually.

No aspect of security should be implemented half-heartedly, and disaster recovery and business continuity processes are no exception. Even within security, business continuity is a specialty, and making the plan affordable and straightforward is a skill in its own right.
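The two preceding ideas, a dependency map of assets and a recovery sequence with a time frame, can be checked mechanically. The following Python is an added example, not code from the article or from PCI DSS: it takes a constructed asset inventory (restore time per asset and what each asset depends on) plus constructed BIA output (the asset each business process needs and its assigned RTO), derives a recovery order in which every dependency is restored first, computes the critical-path restore time, and flags any process whose achievable recovery time exceeds its RTO. All asset names, processes, minutes and RTOs are made up for the example.

```python
"""Recovery sequencing from a dependency map (added example, not the article's own code).

Assumes a constructed inventory: each asset has a restore time in minutes and a
list of assets it depends on; each business process names the asset it needs
directly and the RTO the BIA assigned to it. All names and numbers are made up.
"""
from collections import deque

# Constructed sample inventory. "depends_on" lists assets that must be up first.
ASSETS = {
    "dns":           {"restore_min": 15,  "depends_on": []},
    "directory":     {"restore_min": 30,  "depends_on": ["dns"]},
    "database":      {"restore_min": 120, "depends_on": ["directory"]},
    "payment-api":   {"restore_min": 45,  "depends_on": ["database", "directory"]},
    "web-frontend":  {"restore_min": 20,  "depends_on": ["payment-api"]},
    "report-server": {"restore_min": 60,  "depends_on": ["database"]},
}

# Constructed BIA output: which asset each process needs and its RTO in minutes.
PROCESSES = {
    "card-payments": {"asset": "web-frontend",  "rto_min": 240},
    "daily-reports": {"asset": "report-server", "rto_min": 150},
}


def recovery_order(assets):
    """Kahn's algorithm: return assets in an order where every dependency is
    restored before the asset that needs it. Raises on a dependency cycle,
    which in a DR plan means the mapping itself is wrong."""
    indegree = {name: len(spec["depends_on"]) for name, spec in assets.items()}
    dependents = {name: [] for name in assets}
    for name, spec in assets.items():
        for dep in spec["depends_on"]:
            if dep not in assets:
                raise KeyError(f"{name} depends on unmapped asset {dep}")
            dependents[dep].append(name)
    ready = deque(sorted(n for n, d in indegree.items() if d == 0))
    order = []
    while ready:
        current = ready.popleft()
        order.append(current)
        for child in sorted(dependents[current]):
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
    if len(order) != len(assets):
        raise ValueError("dependency cycle in asset map")
    return order


def restore_times(assets):
    """Earliest minute at which each asset can be fully restored, assuming
    independent assets are restored in parallel (critical-path time)."""
    finish = {}
    for name in recovery_order(assets):
        spec = assets[name]
        start = max((finish[d] for d in spec["depends_on"]), default=0)
        finish[name] = start + spec["restore_min"]
    return finish


def rto_gaps(assets, processes):
    """Compare each process's achievable recovery time with its BIA RTO.
    Returns {process: (achievable_min, rto_min, meets_rto)}."""
    finish = restore_times(assets)
    return {
        proc: (finish[spec["asset"]], spec["rto_min"],
               finish[spec["asset"]] <= spec["rto_min"])
        for proc, spec in processes.items()
    }


if __name__ == "__main__":
    print("Recovery order:", " -> ".join(recovery_order(ASSETS)))
    for proc, (achieved, rto, ok) in rto_gaps(ASSETS, PROCESSES).items():
        print(f"{proc}: restored at {achieved} min, RTO {rto} min -> {'OK' if ok else 'GAP'}")
```

With the constructed data, card payments can be restored within their RTO, while daily reporting cannot because it sits behind the 120-minute database restore; that is exactly the kind of gap the Recovery Strategies phase is meant to surface before an incident, and a cycle in the map is reported as an error rather than silently producing an incomplete order.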

Is a Business Continuity Plan a Requirement for PCI or Other Standards?

In short, yes. Specific requirements will depend on what type of data a company processes and what industry standards, government regulations, or institutions it is governed by.

The activities undertaken in a proper business continuity plan will satisfy most disaster-related requirements of regulators and government agencies. For instance, in banking and finance the FDIC requires institutions to do extensive disaster planning. In health care, the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities and business associates to maintain a contingency plan.

PCI DSS requirement 12.10.1 requires you to establish an incident response plan to be implemented in the event of a breach and that the program addresses business recovery and continuity procedures.

A contingency plan is classified as an Administrative Safeguard in HIPAA Security Rule 164.308(a)(7)(i). HIPAA contingency plans address the “availability” of data as part of the security policy.

The availability policy is concerned with the risk of business interruption. Its goal is to provide authorized access to vital systems and information when needed. Availability is critical under HIPAA because lives can be at risk if medical information is not accessible when needed.

What Does The Success Of The Business Continuity Plan Depend On?

Successful business continuity depends on extensive communication and planning within an organization. Creativity helps at every stage, so people of all kinds of thinking, temperament, and attitude should contribute to the process. Be sure to include every role expected to act in an emergency in both planning and testing.

Ultimately, your BCP is a binder full of paper produced by a particular process. Still, it represents human action and impact, and it is essential that all members of your organization understand the importance and relevance of such a plan.

See Also: How are the PCI Risk Assessment Requirements Implemented?

When developing an Incident Response Plan (IRP) or Disaster Recovery Plan (DRP), you should also plan and test for the loss of personnel, showing that you can perform the required business recovery tasks without specific individuals, or at least at a reduced level. In today’s business environment, how would you cope with the loss of any critical personnel role?

Below are several scenarios that can be planned:

  • Serious Illness – The severe illness of one or more staff affects the critical roles required to serve your customers. In most cases, cross-training staff will eliminate a single point of failure in the process. In other cases, you may have to redesign processes so that your DRP contains no single point of failure.
  • Weather-Based Events – Adverse weather such as blizzards or hurricanes affects the availability of your in-office staff. Do you have a plan for working remotely across departments or sites? Employees who normally work in the office must know how to connect remotely when needed, and your company’s VPN must be able to handle the volume of remote-worker traffic.
  • Disgruntled Employee Leaving – A disgruntled former employee may try to regain access to an organization’s systems or premises after their employment is terminated. Does your incident response plan take such actions into account? If you dismiss an administrator, can you revoke their access promptly and keep them out?

Security continuity and business continuity depend on each other. Even in a bad scenario, the plan should include the measures you will implement so that protection of your customer data is still maintained.

Daily maintenance of your security program is essential. Develop contingency procedures for reviewing your logs, removing accounts, and revoking physical access for people who no longer work for you.
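The account-removal and physical-access points above are easy to state and easy to miss in practice, especially while a continuity plan is running at reduced staffing. The following Python is an added example, not code from the article: it reconciles a constructed HR leavers export against a constructed access inventory (directory accounts, VPN accounts and badges) and reports any access still active after the termination date, flagging separately whether it was used after that date. The CSV column names, identifiers and dates are all made up for the example.

```python
"""Leaver reconciliation check (added example, not from the article).

Assumes two constructed CSV exports: an HR leavers list (employee id, termination
date) and an access inventory listing every account and badge with its owner,
status and last-use date. The check reports any access still active after the
termination date. Column names and records are made up for the example.
"""
import csv
import io
from datetime import date

# Constructed HR export: people whose employment has ended.
HR_LEAVERS_CSV = """employee_id,name,termination_date
1001,Alice Example,2024-03-01
1002,Bob Example,2024-03-10
"""

# Constructed access inventory: directory, VPN and badge entries, one row each.
ACCESS_CSV = """employee_id,system,identifier,status,last_used
1001,ad,alice.example,disabled,2024-02-28
1001,vpn,alice.example,enabled,2024-03-05
1001,badge,B-4471,active,2024-02-27
1002,ad,bob.example,enabled,2024-03-12
1003,ad,carol.example,enabled,2024-03-12
"""

# Status values that mean the access would still work today.
ACTIVE_STATES = {"enabled", "active"}


def load_leavers(csv_text):
    """Map employee_id -> termination date from the HR export."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["employee_id"]: date.fromisoformat(r["termination_date"]) for r in rows}


def find_lingering_access(leavers_csv, access_csv, as_of):
    """Return findings for leavers whose access is still active on `as_of`.

    Each finding is a tuple:
      (employee_id, system, identifier, days_since_termination, used_after_termination)
    `used_after_termination` is True when the last recorded use is later than the
    termination date, which is the case that needs log review, not just cleanup.
    """
    leavers = load_leavers(leavers_csv)
    findings = []
    for row in csv.DictReader(io.StringIO(access_csv)):
        term = leavers.get(row["employee_id"])
        if term is None or row["status"] not in ACTIVE_STATES:
            continue  # still employed, or access already revoked
        last_used = date.fromisoformat(row["last_used"])
        findings.append((
            row["employee_id"],
            row["system"],
            row["identifier"],
            (as_of - term).days,
            last_used > term,
        ))
    return findings


if __name__ == "__main__":
    for emp, system, ident, days, used_after in find_lingering_access(
            HR_LEAVERS_CSV, ACCESS_CSV, date(2024, 3, 15)):
        note = "USED AFTER TERMINATION - review logs" if used_after else "revoke"
        print(f"{emp} {system}:{ident} still active {days} days after leaving -> {note}")
```

Run against real exports, the two inputs would come from HR and from the identity, VPN and badge systems; the point of the check is that it runs on a schedule regardless of who is on shift, so that the offboarding steps the plan promises still happen when the people who normally perform them are unavailable.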

Your Business Continuity Plan (BCP) should include controls for people and processes, not just technology. For each of these, the ability to recover security functionality is crucial to your customers’ trust in the services you provide. Ensure you have trained staff and that you plan for operating at limited capacity, not only during a crisis but also in the period that follows.

Each of your employees must know their role. The only way to ensure that your incident response and disaster recovery plans actually deliver business continuity is to review and test them regularly.

Surkay Baykara, http://www.pcidssguide.com
A passionate Senior Information Security Consultant working at Biznet. Over the past 15+ years my professional career has included several positions, beginning as a developer and IT administrator and working my way up to a senior Technical Performance Consultant before joining Biznet back in 2015. I have had several different roles at Biznet, including Penetration Tester and PCI DSS QSA. In my job as a QSA, I found my passion and worked closely with the Audit and Compliance team. I've been working inside InfoSec for over 15 years, coming from a highly technical background. I have earned several certifications during my professional career, including CEH, CISA, CISSP, and PCI QSA.
