Back to Engineering
Engineering Case Study

PCI DSS Forensic Investigation Architecture

How a PFI-style payment-card investigation is architected: evidence preservation, chain of custody, cardholder-data-environment scoping, and a defensible workflow that survives scrutiny.

Forensic disk & memory imagingWrite-blockers & hashing (SHA-256)Chain-of-custody recordsCDE scoping & data-flow mappingLog & timeline reconstructionMalware / RAM-scraper analysisTamper-evident evidence storagePCI Forensic Investigator (PFI) workflow
PyramidLedger Engineering11 min read

What a card-data investigation is actually for

When a payment processor, merchant, or service provider is suspected of a cardholder-data compromise, the investigation that follows is not a normal incident response. It is a formal, evidence-driven process — the model the industry defines as a PCI Forensic Investigator (PFI) engagement — whose findings will be read by the card brands, the acquiring bank, and potentially regulators and litigators. The output is a report that must withstand adversarial scrutiny, so the entire architecture is built around a single property: defensibility. Every conclusion has to trace back to preserved evidence through a process that a hostile reviewer cannot poke holes in.

That purpose shapes everything. A routine incident responder wants to stop the bleeding and get back to business as fast as possible. A forensic investigation has a competing priority: establish what happened, when, to which data, and how — with evidence intact enough that the answer holds up months later. These two goals genuinely conflict, most sharply at the very start, when the instinct to reboot, reimage, or 'clean up' a compromised payment system can destroy exactly the volatile evidence the investigation depends on. Reconciling that conflict is the first thing the architecture has to get right.

The scope questions the investigation must answer are specific: was cardholder data actually exposed, and if so, which accounts and what data elements; what was the window of exposure; what was the entry point and the method; and is the environment still compromised. Each of those questions has to be answerable from evidence, not inference, which is why the workflow is engineered backward from 'what will we need to have preserved in order to prove this.'

Evidence preservation: getting the first hours right

The most consequential and least recoverable decisions happen in the first hours, so the architecture front-loads discipline there. The governing principle is preserve before you touch: capture the environment in a forensically sound way before taking any remediation action that would alter it. That means imaging systems rather than working on live originals, and capturing volatile data — running memory, active network connections, live process lists — before anything is powered down, because for card-skimming attacks the decrypted card data and the malware itself often live only in RAM and vanish the instant the machine is rebooted.

Forensic soundness has a precise technical meaning here. Disk images are captured through write-blockers so the acquisition process cannot alter the source media, and every image is hashed — using a strong algorithm such as SHA-256 — at the moment of capture. That hash is the evidentiary anchor: re-hashing the image at any later point and getting the same value proves the evidence has not changed since acquisition, and all subsequent analysis is performed on verified working copies while the original images are sealed. If an investigator ever has to work on a live system because it cannot be taken down, that decision and its justification are documented explicitly, because deviations from the preserve-first ideal are exactly what a hostile reviewer will probe.

The tension with business continuity is real and we do not pretend otherwise. A payment environment under active compromise creates enormous pressure to wipe and rebuild immediately. The architecture manages this by separating the two activities in time and space: preserve the evidence first — image the affected systems, capture the memory and logs — and only then remediate, ideally rebuilding onto clean infrastructure while the imaged originals are retained. Skipping preservation to remediate faster is the single most common way an investigation is fatally undermined before it even begins.

Chain of custody as an engineered property

Evidence is only as valuable as the ability to prove it was not tampered with, and that proof is the chain of custody: an unbroken, documented record of every piece of evidence — where it came from, who collected it, when, and every person who handled it or accessed it thereafter. A gap in that chain is an opening for the argument that evidence was altered or substituted, and a single credible tampering claim can collapse an entire finding. So chain of custody is not paperwork bolted on at the end; it is architected into the workflow from the first acquisition.

Concretely, that means each evidence item — a disk image, a memory capture, a log export — is uniquely identified, recorded with its acquisition hash, and stored so that access is controlled and logged. Custody records document each transfer of possession. Evidence at rest is held in tamper-evident storage: access-controlled, with integrity hashes that can be re-verified on demand, and ideally on write-once or immutable media so the record of what was collected cannot itself be quietly edited. The design goal is that at any point, for any item, you can produce both its provenance and cryptographic proof that it matches its original state.

The same rigor extends to the analysis environment. Investigators work on verified copies in an isolated forensic environment, never on the sealed originals, and analysis actions are logged so the investigative process is itself reconstructable. The honest cost of all this is speed and overhead: chain-of-custody discipline is deliberate and slow, and it feels like bureaucracy right up until the moment someone challenges a finding — at which point it is the only thing standing between a defensible conclusion and an unprovable assertion. We design it in from the start because it cannot be retrofitted; custody that was not maintained contemporaneously cannot be reconstructed after the fact.

Scoping the cardholder data environment

A card-data investigation lives or dies on scope: which systems store, process, or transmit cardholder data, and which systems can reach those. Getting this wrong in either direction is costly. Scope too narrowly and the investigation misses the system the attacker actually used as a pivot or a staging point, leaving the compromise partly uninvestigated. Scope too broadly and the effort drowns trying to forensically image an entire enterprise, most of which never touched a card number. So disciplined scoping of the cardholder data environment (CDE) is a core part of the architecture, not a preliminary formality.

The method is data-flow driven. The investigation maps where card data enters the environment, every system it flows through, where it is stored, and where it leaves — the point-of-sale or payment page, the processing applications, any transmission paths, any logging or storage that might inadvertently capture it. Then it maps connectivity: which systems can reach the CDE, because those are the plausible attack paths and staging grounds even if they never legitimately handle card data themselves. Together these define the investigation's boundary — the systems that must be preserved and examined.

A recurring and important finding is that card data ends up in places it was never supposed to be: debug logs, temporary files, memory dumps, error captures, unencrypted swap. Part of scoping is actively hunting for that stray data, because its existence changes both the exposure assessment and the scope. This is also where the investigation frequently uncovers segmentation failures — a system that was assumed to be outside the CDE but in fact had an unrestricted path into it. We treat scope as evidence-driven and revisable: the initial boundary is a hypothesis, refined as data-flow mapping and early findings reveal where card data and access actually reach, rather than a line drawn once and defended regardless of what the evidence shows.

Reconstruction, reporting, and honest limits

With evidence preserved and scope established, the analytical core is reconstruction: building a defensible timeline of what happened. This draws on system and application logs, the forensic images, memory analysis, and network evidence, correlated into a coherent account of the entry point, the attacker's movements, what tooling or malware was deployed — for card environments, typically memory-scraping malware that harvests card data from RAM — and, critically, the window during which data was exposed and which data elements were reachable. Malware recovered from memory or disk is analyzed to determine its capability and, where possible, whether and how it exfiltrated data, because 'data could have been accessed' and 'data was demonstrably exfiltrated' are very different findings with very different consequences.

A well-architected investigation designs for the reality that logs are often incomplete or were tampered with. Attackers routinely clear or disable logging, so the workflow corroborates across independent sources — endpoint artifacts, network records, memory, and any centralized or immutable logs that were beyond the attacker's reach — rather than trusting any single source. Where evidence is missing, the report says so plainly: an honest investigation distinguishes between what the evidence proves, what it suggests, and what cannot be determined. Overstating certainty is not just poor craft; in a report that will be read adversarially, an overreach that is later exposed undermines every sound conclusion around it.

The final architecture consideration is that the report is the product, and it is written for a demanding audience — card brands, the acquirer, and possibly counsel — who will test every claim. So findings are traceable to specific preserved evidence, methodology is documented well enough to be independently scrutinized, and conclusions are calibrated to what the evidence actually supports. We are candid about the limits of the whole endeavor: forensics is reconstruction after the fact, and if evidence was destroyed before preservation — the system rebooted, the disk reimaged, logging never enabled — some questions may simply be unanswerable, and the report must say that rather than paper over it. The value we deliver is not a guarantee of complete answers; it is a rigorous, defensible process that extracts the maximum supportable truth from whatever evidence survived, and states its own limits honestly.

Building something like this?

We engineer secure, regulated, and AI-driven systems at this depth. Tell us what you are building and we will help you architect it.

Start Your Project