3.09 – Payment Card Security Incident Response Policy

Purpose of Document:

The purpose of the Incident Response Policy is to establish procedures in accordance with applicable legal and regulatory requirements to address instances of unauthorized access to or disclosure of third party credit card information. The Incident Response Policy defines the policy, roles and responsibilities for the involved personnel when reacting to a breach in security as it relates to credit card information.

Executive Summary

  • Asbury Theological Seminary will follow our established procedures in the event of a Payment Card Security Incident as outlined herein. 

Policy:

For the purposes of this Policy, “credit card information” includes the following:

  • Cardholder Name
  • Primary Account Number (PAN)
  • Personal Identification Number (PIN)
  • Expiration Date
  • Service Code

Immediate Response Procedures

Any employee who knows of or suspects that a compromise has occurred must take the following steps: 

  1. Lock down the area where the incident took place, preventing contamination of the scene. 
  2. Contact the Controller. If the Controller is not available, or may be involved in the breach, then contact the Director of Administrative Technology.

The office in question, along with the Incident Response Team (see Appendix A), will then:

  1. Gather, review, and analyze all logs and other pertinent materials. 
  2. Conduct appropriate forensic analysis (see Appendix B) of the compromised area. 
  3. Contact the appropriate law enforcement agency. 
  4. Make the forensic analysis available to appropriate law enforcement or card industry security personnel. 
  5. Assist law enforcement and card industry security personnel in the investigative process. 
  6. Document the incident using the Payment Card Security Incident Response Form. Each incident’s documentation should include the following:
    • A summary of the incident
    • Contact information (e.g., system owners, system administrators)
    • Notification Source
    • Indicators and other incidents related to the incident
    • Actions taken by all incident handlers on this incident
    • Chain of custody, if applicable
    • Impact assessments related to the incident
    • A list of evidence gathered during the incident investigation
    • Notes from incident handlers
    • Next steps to be taken (e.g., obtain new safe, etc.)

Disclosure Requirements 

In consultation with Counsel and with card industry security personnel, the Seminary will disclose the breach to affected customers or students in accordance with all applicable laws and regulations in effect at the time of the breach.

LITS Staff reserve the right to modify this policy at any time.

Approvals: 

  • LITS: October 11, 2019
  • Provost: February 2020