1. Did CardSystems Solutions break any federal or state laws?
• Federal Trade Commission presented a decision order on CardSystems Solutions and its predecessors as a result of negligence and violation of FTC Act 15, U.S.C. 41-58.
2. CardSystems Solutions claim to have a hired an auditor to assess compliance with PCI DSS and other best practices for ensuring the C-I-A of privacy data for credit card transaction processing. Assuming the auditor did indeed perform a PCI DSS security compliance assessment, what is your assessment of the auditor’s findings?
• If compliant they would have implemented proper IP s firewalls or maintained their anti-virus program definitions. Also they were required to encrypt all stored sensitive privacy data for research.
3. Can CardSystems sue the auditor for not performing his or her tasks and deliverables with accuracy? Do you recommend that CardSystems Solutions pursue this avenue?
• No because they were PCI DSS compliant in 2004 but was not certifiably compliant at the time of attack in June of 2005.
4. Who do you think is negligent in this case study and why?
• CardSystems. Given their high profile, they were expected to be in compliance for properly storing and protecting all privacy data including gathered transactions and credit card information of their cliental in an encrypted manner.
5. Do the actions of the CardSystems warrant an “unfair trade practice” designation as stated by the Federal Trade Commission (FTC)?
• Yes, because the cliental trust in good faith at the fact that their information will not be compromised in the possession of the company. If the company was not compliant then all sensitive data was put at risk.
6. What security policies do you recommend to help with monitoring, enforcing, and ensuring PCI DSS compliance?
• Gramm-Leach-Briley Act (GLBA), Payment Card Industry Standards (PCI),