Incident Response Plan for PCI DSS Incidents

The purpose of this standard is to define requirements for responding to a cybersecurity incident involving credit cardholder data.

User Requirements

University Policy 1305: Reporting Electronic Security Incidents requires every faculty member, staff member, student, temporary employee, contractor, outside vendor, and visitor to campus who has access to university-owned or managed information through university-provided or personal computing systems, devices, or physical or electronic files to report Information Security Incidents. As defined in University Policy 1114: Data Stewardship, sensitive information includes “payment card numbers associated with a personal identifier,” as defined by the Payment Card Industry Data Security Standards (PCI DSS).

As stated in University Policy 1305, Information Technology Services (ITS) and the Information Technology Security Office, in conjunction with the Office of University Counsel and the affected university department, shall direct the incident response and investigation. ITS, the IT Security Office, the Office of University Counsel, and the affected university department will coordinate on business recovery procedures, business continuity procedures, and data back-up processes, as appropriate.

Specific procedures are defined in University Policy 1305: Reporting Electronic Security Incidents. Communication and contact strategies in the event of an information security incident are also defined in the “IV. RESPONSIBILITIES” and “V. DATA BREACH NOTIFICATION RESPONSIBILITIES” sections of University Policy 1305. The IT Security Office will coordinate with the Office of University Counsel and Fiscal Services, as appropriate, when the notification of the payment brands may be necessary. The Office of University Counsel is responsible for the ongoing analysis of legal requirements for reporting compromises.

As a part of the incident response process, consultation of incident response procedures proposed by the payment brands may be required:

  • American Express Data Security Operating Policy [1]
  • MasterCard Account Data Compromise User Guide [2]
  • Visa—Responding to a Data Breach[3]
  • Visa—What To Do If Compromised [4]


Version: 1.1
Date of last revision: 18 December 2019