Incident Response Testing


Jazzy
04-04-2007, 07:35 AM
So you have your incident response plan and process in place. PCI then wants to make sure you have tested them and implemented the lessons learned. How do you go about implementing a useful test for a compromise within your card environment?

You can't use live data (this would be the equivalent of a real breach!) and you don't want everyone to know it's a test (otherwise what can you learn!). Does anyone know where I could get test scenarios that could be used or have you already run these tests and discovered anything that everyone should learn from?

lyalc
04-05-2007, 02:58 AM
One option is to run a simulation - e.g. a backdoor-installing virus has made its way into the company/cardholder network.
Get 1 or 2 teams together e.g. a mix of business/product people and IT/security staff in a room (or 2 rooms, to simulate the mix of locations, people being offsite etc) with a neutral monitor/notetaker. Work through the issues and steps involved over 3 or 4 hours, injecting new 'facts' every 20-30 minutes to see how people and the plan cope.

No live data is needed - this requirement is about the process, not the data.

Another scenario - pretend to be from the press, ring up someone and ask for comment on the recent breach of the company, claim you've got copies of cardholder records etc etc.

I participated in 1 where a truck loaded with toxic waste had crashed, damaging the corner of the building housing the IT systems. No access, no guards, no CCTV monitoring, degraded physical security, lots of unknown people in masks walking around picking up who knows what.....

Use the imagination, within business reason and from the risk assessment, and it may be easier than you think - provided you can get the team away from their desks for a half day.

Lyal

mdahn
04-05-2007, 02:30 PM
Agreed, at a minimum, a table-top exercise involving all incident response personnel should be performed.