[PCI DSS 1.x] 12.9.1 Create the incident response plan to be implemented in the event of system compromise. Ensure

  12.9.1 Verify that the Incident Response Plan and related procedures include:
  • roles, responsibilities, and communication strategies in the event of a compromise
  • coverage and responses for all critical system components
  • notification, at a minimum, of credit card associations and acquirers
  • strategy for business continuity post compromise
  • reference or inclusion of incident response procedures from card associations
  • analysis of legal requirements for reporting compromises (for example, per California bill 1386, notification of affected consumers is a requirement in the event of an actual or suspected compromise, for any business with California residents in their database)