Incident Response Plan
| Field | Value |
|---|---|
| Document ID | POL-005 |
| Version | 1.0 |
| Effective Date | 2026-04-08 |
| Next Review Date | 2027-04-08 |
| Classification | Internal |
| Owner | Information Security Officer |
| Approved By | CEO, Paylithix Inc. |
| Parent Policy | Information Security Policy (POL-001) |
1. Purpose
This plan defines how Paylithix Inc. detects, responds to, contains, and recovers from security incidents that could affect the Gatelithix Gateway Cardholder Data Environment (CDE) or compromise cardholder data. It satisfies PCI DSS 4.0.1 Requirement 12.10.
2. Scope
This plan covers all suspected or confirmed security incidents affecting:
- The CDE (Token Vault Service, PCI VPC, PCI Cloud SQL, Cloud KMS keys)
- Connected systems (Gateway API, Connector services, Admin dashboard)
- Cardholder data in any form (encrypted PAN, tokens, card metadata)
- Authentication and authorization systems (Auth0, GCP IAM, API keys)
- Third-party service providers that process or could affect cardholder data
2.1 Incident Definition
A security incident is any event that:
- Results in or could result in unauthorized access to cardholder data
- Compromises the confidentiality, integrity, or availability of CDE systems
- Violates security policies defined in this policy framework
- Indicates unauthorized PAN storage on any system outside the vault (PCI DSS 12.10.7)
3. Roles and Responsibilities
3.1 Incident Response Team
| Role | Primary | Backup | Responsibilities |
|---|---|---|---|
| Incident Commander (IC) | Thibault Le Conte (CSO) | Benoit Boisset | Overall incident coordination; decision authority; communications |
| Technical Lead | Thibault Le Conte (Engineering) | [External contractor if engaged] | Technical investigation; containment actions; evidence collection |
| Communications Lead | Benoit Boisset (Business) | Thibault Le Conte | External communications; merchant notification; regulatory reporting |
3.2 24/7 Contact List
This contact list is maintained with current information and tested annually (last verified: 2026-04-16).
| Role | Name | On-Call | Escalation Order | |
|---|---|---|---|---|
| Incident Commander (IC) / CISO / ISO | Thibault Le Conte | thibault@paylithix.com | PagerDuty — SEV-1 and SEV-2 alerts | 1st |
| Technical Lead (Engineering) | Thibault Le Conte | thibault@paylithix.com | PagerDuty — SEV-1 and SEV-2 alerts | 1st |
| Communications Lead | Benoit Boisset | benoit@paylithix.com | PagerDuty — SEV-1 escalation (15 min) | 2nd |
| Legal Counsel | [TBD] | [Email] | As needed | As needed |
| QSA Contact | [TBD] | [Email] | As needed (to be selected Q4 2026) | As needed |
| GCP Support | — | cloud.google.com/support | P1 support case | As needed |
| Auth0 Support | — | support.auth0.com | Support ticket | As needed |
On-call: PagerDuty alert routes to thibault@paylithix.com for SEV-1 and SEV-2. Benoit Boisset (benoit@paylithix.com) is escalation contact if IC unreachable within 15 minutes.
Escalation rule: If the primary contact does not respond within 15 minutes, escalate to the backup. If neither responds within 30 minutes, escalate to the next person in order.
Contact list last verified: 2026-04-16. See compliance/evidence/2026-04-16/irt-contact-list.md for full verification record.
4. Detection
4.1 Monitoring and Alerting Sources
| Source | What It Detects | Alert Mechanism |
|---|---|---|
| Cloud Logging + Monitoring | Anomalous API patterns, error rate spikes, unauthorized access attempts | Cloud Monitoring alert policies (email + PagerDuty) |
| Cloud Audit Logs | IAM changes, KMS key access, resource creation/deletion in CDE | Log-based alerts |
Vault Audit Trail (pkg/audit/) | Unusual decrypt patterns, high-volume token access, unknown merchant IDs | Application-level monitoring queries |
| Auth0 Logs | Failed login attempts, MFA bypass attempts, suspicious IP origins | Auth0 anomaly detection |
| Trivy / govulncheck | Critical vulnerabilities in container images or Go dependencies | CI pipeline alerts |
| Cloudflare | DDoS attacks, WAF triggers, bot activity | Cloudflare notifications |
| ASV Scans (quarterly) | External vulnerabilities | ASV scan reports |
| Penetration Tests (annual) | Exploitable vulnerabilities | Pentest reports |
| Personnel Reports | Suspicious activity observed by staff | Direct report to ISO |
4.2 Alert Triage
When an alert fires or a potential incident is reported:
- The first responder (whoever receives the alert) performs initial triage within 15 minutes.
- Triage determines severity level (see Section 4.3) and whether to activate the full incident response process.
- All alerts involving potential cardholder data exposure default to Severity 1 until investigation proves otherwise.
4.3 Severity Classification
| Severity | Definition | Response Time | Examples |
|---|---|---|---|
| SEV-1 (Critical) | Confirmed or likely cardholder data compromise; CDE system fully compromised | Immediate (within 15 min) | Unauthorized PAN access, KMS key compromise, vault service breach, unauthorized PAN found outside vault |
| SEV-2 (High) | Attempted unauthorized access to CDE; significant vulnerability discovered; CDE availability impacted | Within 1 hour | Brute force on Auth0, critical vuln in vault dependency, CDE outage, firewall rule tampering |
| SEV-3 (Medium) | Security policy violation without data exposure; vulnerability in non-CDE systems | Within 4 hours | Excessive access privileges found, non-critical vuln in connector, failed access review finding |
| SEV-4 (Low) | Minor policy deviation; informational security event | Within 1 business day | Password policy non-compliance, training overdue, minor config drift |
5. Response Procedures
5.1 Phase 1: Identification (0—30 minutes)
- Acknowledge the alert and log the start time.
- Assign an Incident Commander (ISO is default; escalate per contact list if unavailable).
- Open an incident channel (dedicated Slack channel or call).
- Gather initial facts:
- What systems are affected?
- Is cardholder data potentially exposed?
- What is the attack vector or failure mode?
- Is the incident ongoing or historical?
- Classify severity per Section 4.3.
- Begin incident log documenting all actions with timestamps.
5.2 Phase 2: Containment (30 minutes — 2 hours)
Short-term containment (stop the bleeding):
| Scenario | Containment Action |
|---|---|
| Compromised user account | Disable the account in Auth0 and revoke GCP IAM bindings |
| Compromised API key | Revoke the API key immediately via dashboard or database |
| Compromised service account | Disable the service account key; redeploy affected Cloud Run service with new identity |
| Unauthorized network access | Add deny firewall rule at highest priority via Terraform emergency apply |
| Vault service compromise | Scale vault Cloud Run service to zero replicas; block all ingress to PCI VPC |
| Malicious code in deployment | Rollback Cloud Run service to last known-good revision |
| Unauthorized PAN found outside vault | Isolate the system; securely delete the PAN; preserve forensic evidence |
| KMS key compromise | Create new key version; begin re-encryption; schedule compromised version destruction |
Long-term containment:
- Patch or remediate the root cause vulnerability.
- Verify containment is effective (attack is not continuing through other paths).
- Preserve evidence: do not destroy logs, database snapshots, or container images involved in the incident.
5.3 Phase 3: Eradication (2—24 hours)
- Identify and remove the root cause (vulnerability, misconfiguration, compromised credential).
- Apply patches, configuration changes, or code fixes.
- Verify the fix through testing in a non-production environment before deploying to production.
- Scan for indicators of compromise (IOCs) across all CDE and connected systems.
- Verify no unauthorized PAN storage exists on any system outside the vault (PCI DSS 12.10.7).
5.4 Phase 4: Recovery (24—72 hours)
- Restore affected systems to normal operation.
- Re-enable disabled accounts or services only after verifying the root cause is addressed.
- Increase monitoring sensitivity for the affected systems for a minimum of 30 days.
- Verify all security controls are functioning:
- Firewall rules match policy
- KMS key access restricted to vault service account
- Audit logging is active
- TLS is enforced on all connections
- Confirm no residual unauthorized access exists.
5.5 Phase 5: Notification
| Condition | Who to Notify | Timeframe | Method |
|---|---|---|---|
| Confirmed CHD breach | Affected merchants | Within 72 hours of confirmation | Email from CEO + dashboard notice |
| Confirmed CHD breach | Card brands (Visa, Mastercard) via acquiring bank | Per card brand rules (typically 24—72 hours) | Through acquiring bank |
| Confirmed CHD breach | QSA | Within 48 hours | Email/phone |
| Confirmed CHD breach | Legal counsel | Immediately upon confirmation | Phone |
| Confirmed CHD breach | Law enforcement (if required by law) | Per applicable state laws (FL: within 30 days) | Per legal counsel advice |
| CDE system compromise (no CHD exposure) | ISO and CEO | Immediately | Incident channel |
| Vulnerability discovered | Engineering team | Within triage timeframe | Incident channel |
5.6 Phase 6: Post-Mortem (Within 2 weeks of resolution)
Every SEV-1 and SEV-2 incident shall have a formal post-mortem. SEV-3 incidents have post-mortems at the IC’s discretion.
6. Post-Mortem Template
The post-mortem document shall include:
# Incident Post-Mortem: [Title]
**Date of Incident:** YYYY-MM-DD
**Severity:** SEV-[1/2/3]
**Incident Commander:** [Name]
**Duration:** [Time from detection to resolution]
**Cardholder Data Impacted:** [Yes/No, scope if yes]
## Timeline
- HH:MM — [Event or action taken]
- ...
## Root Cause
[Description of the fundamental cause]
## Impact
- Systems affected: [list]
- Data affected: [description, scope]
- Merchants affected: [count, names if applicable]
- Duration of exposure: [time]
## What Went Well
- [Item]
## What Could Be Improved
- [Item]
## Action Items
| Item | Owner | Due Date | Status |
|------|-------|----------|--------|
| [Action] | [Name] | YYYY-MM-DD | Open |
## Lessons Learned
[Summary of what the team learned]7. Annual Tabletop Exercise
- The ISO shall conduct at least one tabletop exercise per year to test this incident response plan (PCI DSS 12.10.2).
- The exercise shall simulate a realistic scenario (e.g., compromised API key leading to unauthorized vault access, ransomware targeting CDE infrastructure, insider threat).
- All incident response team members must participate.
- The exercise shall test:
- Alert detection and triage process
- Escalation and communication procedures
- Containment decision-making
- Evidence preservation procedures
- Notification procedures
- After each exercise, the IC shall document findings, update the IRP if needed, and record the exercise with date, participants, scenario, and outcomes.
- Exercise schedule: October of each year (6 months offset from policy review).
8. Evidence Preservation
During any security incident:
- Do not delete, modify, or overwrite logs, database records, or container images related to the incident.
- Capture Cloud Logging exports for the incident timeframe to a separate, access-restricted GCS bucket.
- Create Cloud SQL database snapshots before any remediation changes.
- Record all incident response actions in the incident log with timestamps.
- Preserve evidence for at least 12 months or as required by legal counsel.
- Chain of custody: document who accessed evidence, when, and for what purpose.
9. Training
- All incident response team members shall receive incident response training upon assignment and annually thereafter (PCI DSS 12.10.4).
- Training shall cover:
- This incident response plan and procedures
- Evidence collection and preservation techniques
- Detection of unauthorized activity indicators
- Use of monitoring and logging tools (Cloud Logging, Cloud Monitoring, Auth0 logs)
- Communication and escalation procedures
- Training completion is documented and retained for the duration of the individual’s IR team membership plus one year.
10. Plan Maintenance
- This plan shall be reviewed at least annually and updated as needed (PCI DSS 12.10.2).
- The plan shall be updated after:
- Every SEV-1 or SEV-2 incident (incorporating lessons learned)
- Every tabletop exercise (incorporating findings)
- Significant changes to CDE architecture
- Changes to incident response team membership
- Industry developments or new threat intelligence
- All plan updates require ISO approval and are tracked in the document history.
11. Compliance and Enforcement
- All personnel are required to report suspected security incidents immediately. Failure to report a known incident is a policy violation.
- Interference with incident investigation or evidence destruction is a critical violation subject to termination and potential legal action.
- The IC has authority to take any necessary containment action during an active incident, including shutting down services.
12. Related Documents
- Information Security Policy (POL-001) — Parent policy
- Access Control Policy (POL-002) — Account compromise response
- Network Security Policy (POL-003) — Network-level containment
- Key Management Policy (POL-004) — Key compromise procedures
- Data Classification Policy (POL-007) — Data categories and handling
- PCI DSS 4.0.1 Requirement 12.10
13. Document History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2026-04-08 | Information Security Officer | Initial plan creation |