Re: Advice re network compromise and "law enforcement" (PCI certification)

2017-01-11 Thread Jippen
I am not a lawyer, and this is not legal advice, but... General rule is to always notify the credit card companies, and to notify legal. One/both/neither may advise law enforcement activity. In either case, your PCI-required incident response plan is required to do certain isolation steps explicit

Re: Advice re network compromise and "law enforcement" (PCI certification)

2017-01-11 Thread Keith Stokes
What advice does your QSA have regarding writing the policy? There are generic templates available to write your company security policy. That policy doesn’t necessarily constitute legal definitions or requirements for any sort of breach, which may vary by locale and provider. I’m assuming EDUs

Re: Advice re network compromise and "law enforcement" (PCI certification)

2017-01-11 Thread Matt Freitag
Adding to what Rich said, it's very easy for advice on this to cross into advice on legal matters. It's also usually very illegal for non-attorneys or non-licensed attorneys to offer advice on legal matters. I recommend finding a lawyer with expertise in this area and who has specific knowledge o

Re: Advice re network compromise and "law enforcement" (PCI certification)

2017-01-11 Thread Rich Kulawiec
On Wed, Jan 11, 2017 at 09:37:19AM -0500, David H wrote:
> Anyone have pointers/advice on what you came up with for a reasonable
> definition of events that warrant involving law enforcement, and then what
> agency/agencies would be contacted?

This question is best answered by an attorney with e

Advice re network compromise and "law enforcement" (PCI certification)

2017-01-11 Thread David H
Hi all, I figure there's probably some folks on the list that have hands in environments that touch credit cards. Unlike HIPAA compliance, or even social security numbers, PCI is very ambiguous about what must occur if a network/systems breach occurs that exposes credit card data. PCI, and its au