Advice re network compromise and "law enforcement" (PCI certification)

David H ispcolohost at gmail.com
Wed Jan 11 14:37:19 UTC 2017


Hi all, I figure there's probably some folks on the list that have hands in
environments that touch credit cards.  Unlike HIPAA compliance, or even
social security numbers, PCI is very ambiguous about what must occur if a
network/systems breach occurs that exposes credit card data.  PCI, and its
auditors, don't seem to want to tell you what your security policy should
state with regard to what constitutes an event worthy of 'law enforcement'
contact, nor what agency is appropriate, yet they require you to have such
a policy in place.

Anyone have pointers/advice on what you came up with for a reasonable
definition of events that warrant involving law enforcement, and then what
agency/agencies would be contacted?  We're obviously not going to waste the
time, on either side, of calling the FBI if one credit card number is
stolen since they won't care, nor would the local police, who don't even
have a cybercrime section.

Generic policies covering network breaches and law enforcement would be
welcome too; may be able to work it into something that is appropriate for
our environment and credit card data.

Thanks,

David
