Step 4, Communication: Notify relevant internal stakeholders (finance, legal, compliance, executive leadership) of potential payment processing disruption; if cardholder data exposure is possible, engage legal and privacy counsel to assess breach notification obligations under PCI DSS and applicable state law.
Detection & Analysis
NIST 800-61r3 §3.1 (Preparation Phase - notification procedures) and §3.2.2 (Detection and Analysis Phase - reporting)
NIST 800-53 IR-1 (Incident Response Policy)
NIST 800-53 IR-4 (Incident Handling)
CIS 6.1 (Establish an Incident Response Process)
Compensating Control
Use your documented incident communication plan (required by policy): (1) Pre-write notification templates for finance (payment processing status, estimated recovery time), legal (data exposure assessment, breach notification timeline), and executives (business impact, stakeholder communications). (2) Establish a war room: a daily call at a fixed time (e.g., 9 AM) with attendees listed in advance. (3) Use a shared tracking document (Google Sheet, Excel) to log questions raised, decisions made, action owners, and deadlines. (4) Assign one person as communications lead to centralize messaging and keep it consistent. (5) For PCI/breach assessment, consult your contract's payment processor liability clause and state data breach notification laws (usually 30–60 days). Frame the legal conversation as: 'Do we meet the breach definition under state law? What is our notification timeline?'
Preserve Evidence
Capture BEFORE notification: (1) Forensic timeline: when was the disruption first detected, when was BridgePay notified, and when did you learn of the ransomware? (2) Data exposure scope: what data transited BridgePay during the attack window (card numbers, expiration, CVC, cardholder names/addresses)? (3) Encryption status: was the data encrypted, tokenized, or in plaintext? (4) Affected customer count: how many transactions/records are potentially exposed? (5) PCI compliance status: do you have a current P2PE attestation, or were you storing card data outside compliance scope?