Submitted By nnhenry
AN INTRODUCTION TO PCI-DSS COMPLIANCE

Author: Nicholas Henry

April 2016

Table of Contents

1. Abstract

2. History

3. PCI-DSS Overview

4. Understanding PCI-DSS Compliance

5. Achieving PCI-DSS Compliance

6. PCI-DSS in the IT Department

7. Negatives of PCI-DSS

8. Positives of PCI-DSS

Abstract

Around the world, consumer migration from traditional cash and check payments to electronic payment methods such as credit, debit or bank transfers continues to grow. A 2009 survey found that less than 37% of all payments are now made using cash or check. While this has many benefits, it also introduces significant new issues. As customers use electronic payment methods, they expect the cardholder’s identity and payment information to be kept secure, and with the recent data thefts and security breaches this has become a significant issue. To ensure the protection of consumer information, the Payment Card Industry (PCI) developed a set of Data Security Standards (DSS) that merchants and financial service providers must maintain in order to process debit and credit cards. While PCI itself does not manage compliance or impose consequences for non-compliance, the individual card associations may impose financial or operational penalties on businesses that are non-compliant. The compliance framework is merit-based and aimed at preventing security incidents from happening, and PCI encourages the detection and resolution of any incidents as swiftly as possible.

History

Credit card companies initially developed and managed their own data security programs independently: VISA’s Accounting Information Security, MasterCard’s Site Data Protection, American Express’s Data Security Standards, Discover Card’s Information and Compliance, and the JCB Data Security Program. These programs aimed to establish a minimum level of standards for merchants who transmitted and processed cardholder data. Because of the similarities among these standards, PCI-DSS was established on December 16, 2004 to bring a single set of security standards to companies involved in credit card transactions. Visa and MasterCard became the enforcers of the standard: MasterCard is responsible for certifying the products of companies that can fulfill the scanning requirements, and Visa is responsible for training and certifying the companies and individuals capable of fulfilling the on-site audit requirements. Other PCI organizations also contribute to the standards, but each card brand still has its own programs that go into more depth than PCI-DSS. Nonetheless, PCI-DSS provides a solid foundation for cardholder data security, as the PCI Council continuously adapts it to new discoveries and changes in technology.

PCI-DSS Overview

PCI-DSS is known today as a set of information security standards that provide supporting materials for organizations that operate with debit, credit, prepaid, e-purse, ATM, and POS cards to improve credit card security. This standard operates on an international level for merchants that transmit card data. Also, it provides software developers and device manufacturers with guidance under the specific requirements. Before discussing PCI-DSS, a few terms need to be defined first.

- Visa and MasterCard are made up of Member organizations that can be either Acquirers or Issuers, or both.

- Acquirers are the Members of the Visa or MasterCard organizations which handle Merchants.

- Issuers are the Members of the Visa or MasterCard organizations that issue the cards to cardholders.

- Merchants are businesses who accept card transactions.

- Service Providers are the entities that provide any service requiring the processing, storing or transport of card information.

In addition to developing security prevention and detection processes, PCI is also responsible for validating each organization’s compliance. Merchants that do not require an on-site data security assessment under the PCI DSS Security Assessment Procedures must instead complete a Self-Assessment Questionnaire (SAQ) to become PCI DSS compliant.

Understanding PCI Compliance

PCI compliance can be divided into three steps. When accepting payment cards we must:

Assess: Identify cardholder data, take an inventory of IT assets and business processes for payment card processing, and look for vulnerabilities that could expose cardholder data.

Remediate: Fix vulnerabilities and do not store cardholder data unless necessary.

Report: Compile and submit remediation validation records, and submit compliance reports to the bank and card brands. Merchants can validate compliance with the PCI DSS internally or externally depending on the credit card data volume.

Achieving PCI Compliance

PCI DSS requires 12 points of compliance across six major areas. All merchants who use credit card data in their transactions must comply with PCI DSS. As PCI is recognized by all five global payment brands, compliance is important for every merchant worldwide. Penalties issued for non-compliance can range from fines to suspension, or limiting the ability to accept card payments.

PCI DSS has six basic goals, and each goal comprises specific requirements, each with additional procedures and requirements to be fulfilled, as outlined below:

Goal 1: Build and maintain a secure network

- Requirement 1: Install and maintain a firewall configuration to protect cardholder data

- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Goal 2: Protect cardholder data

- Requirement 3: Protect stored data

- Requirement 4: Encrypt transmission of cardholder data across open, public networks

Goal 3: Maintain a vulnerability management program

- Requirement 5: Use and regularly update anti-virus software or programs

- Requirement 6: Develop and maintain secure systems and applications

Goal 4: Implement strong access control measures

- Requirement 7: Restrict access to cardholder data by business need-to-know

- Requirement 8: Assign a unique ID to each person with computer access

- Requirement 9: Restrict physical access to cardholder data

Goal 5: Regularly monitor and test networks

- Requirement 10: Track and monitor all access to network resources and cardholder data

- Requirement 11: Regularly test security systems and processes

Goal 6: Maintain an information security policy

- Requirement 12: Maintain a policy that addresses information security for all personnel

Overall, PCI DSS version 2.0, released in October 2010, contains 6 principles, 12 requirements, 45 sub-requirements, 75 detailed requirements and associated testing procedures. Significant changes in v2.0 include the application of PCI DSS to virtualization, and the requirement that each vulnerability be evaluated against a risk assessment.

Companies that handle large volumes of transactions, such as service providers that transmit cardholder data for card company customers, merchants, or other service providers, require an annual validation performed by an external Qualified Security Assessor (QSA). All major credit card companies divide service providers into levels based on transaction volume, and each level guides the service provider to its respective validation requirements.

PCI-DSS in the IT Department

To efficiently design a compliant IT environment, six steps should be followed to avoid extra costs:

1. Identify business processes with card data.

2. Focus on reducing the scope.

3. Identify where the data is stored.

4. Determine what to do with the data.

5. Determine who needs access to the data.

6. Develop and document policies.
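The Assess and Remediate steps earlier in the essay and steps 1 to 4 above both come down to finding where full card numbers are stored and removing them. As an added example (not code from the essay), the Python below scans a constructed application log for Luhn-valid primary account numbers and masks them to the first six and last four digits; the masking rule is assumed from PCI DSS v3.x Requirement 3.3, and the log lines and card numbers are constructed test data.

```python
"""Cardholder-data discovery and masking helper (added example, not from the essay).

Assumptions: the "first six / last four" display rule follows PCI DSS v3.x
Requirement 3.3; SAMPLE_LOG is constructed for this example.
"""
import re
from dataclasses import dataclass

# Constructed sample: an application log into which a developer wrote full PANs.
SAMPLE_LOG = """\
2016-04-02 10:01:33 INFO  order=1001 card=4111111111111111 amount=19.99
2016-04-02 10:01:35 INFO  order=1002 card=4111 1111 1111 1112 amount=5.00
2016-04-02 10:02:10 DEBUG trace_id=1234567890123456 cached=true
2016-04-02 10:03:51 INFO  order=1003 card=5555-5555-5555-4444 amount=42.10
2016-04-02 10:05:00 INFO  order=1004 token=tok_9f3a2b status=ok
"""

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit, fold >9 back.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN to first six and last four digits (assumed v3.x 3.3 rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass(frozen=True)
class Finding:
    line_no: int      # 1-based line in the scanned text
    masked_pan: str   # never carry the full PAN out of the scanner


def scan_text(text: str) -> list:
    """Step 3 (identify where the data is stored): list every Luhn-valid PAN.

    Candidates that fail the Luhn check (mistyped numbers, trace ids) are
    dropped to reduce false positives. A production scanner would also check
    issuer BIN ranges; that is out of scope for this example.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_valid(digits):
                findings.append(Finding(line_no, mask_pan(digits)))
    return findings


def redact_text(text: str) -> str:
    """Remediate (step 4): replace every stored PAN with its masked form."""
    def _replace(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)
    return PAN_CANDIDATE.sub(_replace, text)


if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.masked_pan}")
    print(redact_text(SAMPLE_LOG))
```

Running the scanner over its own redacted output returns no findings, which is the check a reviewer would want before signing off that a log source is out of scope.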

Becoming PCI-DSS compliant requires constant monitoring and maintenance involving more than just the IT department. It should be initiated by upper management and established as an overall strategic goal. In general, the goal of PCI DSS is to prevent major security issues and to reduce the risks of payment card transactions by raising security among merchants and service providers. PCI removes the burden of data security from business owners and limits credit card data storage where possible. The PCI standard operates internationally and oversees any company that deals with credit cards. Not adhering to the PCI requirements will result in penalties issued by the PCI Security Standards Council.

Negatives of PCI-DSS

According to a survey by the Ponemon Institute, 71% of companies interviewed do not consider PCI-DSS a strategic goal, and more than 50% believed that their CEO does not embrace PCI-DSS compliance. Despite this negative attitude, the survey also indicated that 75% of organizations achieved some level of compliance, while 22% achieved full compliance.

In addition, the institute found that companies are often unsure who should be responsible for their PCI-DSS compliance: 23% of organizations surveyed believed that the Certified Information Security Officer (CISO) should be responsible, and 21% believed that no one person should be responsible for PCI compliance. As a result, achieving PCI compliance is inefficient and time-consuming. They also found that hiring employees specifically for PCI compliance is very expensive.

Ever since PCI-DSS was introduced, many have doubted whether it protects sensitive cardholder data. Compliance with PCI-DSS requirements requires several changes to a business’s existing systems. In the past, many of these changes were too expensive and involved changes to the business’s infrastructure. For smaller businesses, implementing infrastructure changes such as access controls, a secured network, and information security policies can lead to lower profits and prove disadvantageous.

As another example of PCI-DSS’s failure, in 2008 Hannaford Brothers, a PCI-DSS compliant grocery chain, lost 4.2 million credit card numbers. A Ponemon Institute study that collected information from 517 IT security employees in charge of PCI compliance showed that:

- The cost of PCI DSS compliance is on average one third of the overall IT security budget.

- 79% of companies have had a data breach.

- 55% of companies focus on protecting credit card data but not other sensitive information.

- There is uncertainty on which personnel are the most responsible for PCI-DSS compliance.

- Smaller companies are less compliant than large corporations.

PCI favors large corporations, and the cost of compliance prevents smaller companies from becoming PCI-DSS compliant. Smaller companies have fewer resources and often have difficulty interpreting the standards and drafting a compliance plan. Merchants are aware that they may have reduced profits and incur fines for being non-compliant. Level 1 merchants, those with more than 6 million transactions per year, spent $3.38 million to become PCI compliant in 2008. The average cost of initial PCI compliance was approximately $700,000, and the average annual cost of maintaining PCI compliance was over $1,390,000.

The PCI standards also appear to be an incomplete security measure. Businesses comply with PCI DSS to be operational, functional, and legal, and PCI DSS is just a checklist of rules. This means that most businesses achieve the minimum standard without really thinking about security. Also, 55% of the companies surveyed showed interest only in protecting credit card data and neglected social security numbers and addresses. In other words, PCI DSS did not enforce security or protect systems against threats; it is not a complete solution to credit card data breaches. Therefore, being PCI compliant does not imply security.

QSAs found that more than 50% of companies do not take a proactive approach to data security, and 54% of companies find PCI DSS compliance too expensive. Another issue is the division between the department that handles IT budgeting and the one that handles IT functions. Most businesses allocate a budget for PCI compliance while the IT security group is responsible for the compliance procedures, creating a mismatch between investment and expected outcome.

Positives of PCI-DSS

The primary goal of PCI is to reduce the risk of transactions and raise awareness of key aspects of data security. PCI fulfills its objectives as businesses spend more on system security and are forced to comply with PCI DSS. It still does not guarantee absolute security, but the risks faced by card brands and cardholders have been significantly reduced.

Surveys indicate that PCI was important in persuading organizations to encrypt their data, and there has been a decline in theft of card data as a result. In addition, complying with PCI DSS enables a company to build brand trust, limit risk exposure, and therefore increase revenue.

Another advantage of becoming PCI DSS compliant is that it grants the business safe harbor status: in the event of a security breach, a PCI DSS compliant business will not be fined, and courts will also be more lenient with PCI compliant businesses if they are sued by customers. Non-compliant businesses that handle credit cards are open to audits, fines, lawsuits, and losing the right to process credit cards.

A true security system requires personalization that addresses the specific needs of each individual company. PCI DSS should be the baseline for the overall security program, and additional steps should be taken after assessing the business’s overall controls and risks.

According to VeriSign Global Security Consulting Services, which has conducted many PCI assessments over the past several years, 78 percent of businesses failed the audit due to a lack of data protection and a lack of IT policies, controls, and governance. Proper governance should ensure the success of PCI compliance. Risk assessments should be done outside of PCI as a supplement to the PCI standards.

PCI in Canada

Canadian businesses have a particular interest in these developments, since Canadians are among the world's most frequent users of payment cards. However, Canada has lagged behind Europe in adopting Chip & PIN technology on credit cards, making it an alluring target for international data theft. According to the Canadian Bankers Association, the total value of reported payment card fraud exceeded half a billion dollars in 2008. Due to the lack of privacy laws and a large base of small and medium-sized enterprises (SMEs), Canada is a primary target for identity and data theft. These SMEs lack the awareness and resources to adequately secure their confidential data, and their computers are often left unsecured. In addition, even government bodies such as the Royal Canadian Mounted Police (RCMP) and Passport Canada do not have sufficient control and governance over their data protection policies. Surveys by IT security experts found that Canadian consumers lacked confidence in the security of their personal data held by institutions and banks; fortunately, Canadian legislators quickly grasped this and recognized the need to improve Canadian laws on the protection of consumer data. Consequently, the PCI DSS adopted in the United States became a favourite model for meeting Canadian needs. Because of the frequency and magnitude of US-Canadian business involvement, the implementation of PCI DSS in the US reduced the number of Canadian data theft cases, and PCI DSS thus became a suitable candidate for protecting Canadian consumers. During the early stage, however, there was much debate in Canada about the introduction of PCI DSS: although Canada was looking for a way to protect cardholder data, many opposed legislating PCI DSS.

It was argued that the existing Personal Information Protection and Electronic Documents Act (PIPEDA), which regulates and protects personal data and other sensitive information, was a sufficient system to guarantee security in Canada, and that PCI DSS could be used merely as a framework to enhance data security. Canada was evidently far behind the U.S. in the implementation of IT security. The federal PIPEDA and the Privacy Act imposed only insubstantial penalties on violators, such as a notice of offence, whereas U.S. privacy laws enforced strict policies that encouraged organizations to maintain strong IT security. The weak governing framework was coupled with consumer concerns: only 0.5% of the consumers surveyed were confident that retailers could protect their online personal information, 9% were confident that major financial institutions could safeguard their online information, and only 36% of Canadian IT security executives surveyed believed that their company could exercise sufficient control to safeguard customer data.[11] However, the arrival of PCI DSS also brought Canadian businesses trouble. Because of the delay in PCI implementation in Canada, many Canadian businesses became disoriented during the initial implementation stage due to a lack of guidance and deadlines inconsistent with those of their U.S. counterparts. The initial tight deadlines were dreadful for Canadian businesses, especially SMEs, who had difficulty interpreting the standard and little time to become compliant. In addition, SMEs in Canada complained that the cost of implementing PCI DSS greatly outweighed the potential penalty for being non-compliant. Consequently, many resisted the implementation of PCI DSS.

Technologies Involved

A few technologies enable cost-effective compliance with PCI DSS. Among them, firewalls, anti-virus and anti-malware solutions, and encryption for data at rest and in motion ranked the highest. The survey also indicated that perimeter and location surveillance systems, website sniffers and crawlers were the least used of the 18 technologies. QSAs believe that encryption is the most effective technology for data in motion, and that firewalls and encryption are among the most effective technologies for data at rest. Another interesting observation is that only 2 percent of organizations assessed by QSAs fail, but 41 percent of organizations that pass the audit do not rely on the mechanisms prescribed by PCI DSS; instead, compensating controls are used because the organizations deem the technology prescribed by PCI DSS infeasible. However, compensating controls can only serve as a temporary solution: as technology costs fall, organizations need to adopt what PCI DSS prescribes.

PCI DSS - Accounting Firms & Job Creation

Since the inception of PCI DSS, accounting firms have been actively seeking ways to extend the breadth of their services and expand into the IT control and security industry. Major accounting firms such as Grant Thornton International Ltd have earned certification as Qualified Security Assessor (QSA) companies.[12] Accounting firms are trying to establish the highest integrity and exhibit the highest level of competency in delivering PCI assessments. Increasingly, accounting firms are also delivering IT consulting services that incorporate PCI DSS compliance combined with process, controls, and other advisory services. The public has generally recognized that accounting firms’ auditing experience is a great asset in PCI DSS assessment work. Additionally, services offered by accounting firms, such as internal controls audits and information security, correspond to the skills necessary to assess card transaction security; an assessor should have an assurance background and the experience to confirm compliance. Accounting firms will experience an increase in revenue from the extended service line because they have broad reach to businesses and a solid client base. Every business that handles credit card information must comply with PCI DSS, so accounting firms can offer a more complete, one-stop service. Combined with their knowledge of existing clients and various industries, accounting firms will be able to add value to their service packages. The complexity of PCI DSS also triggers an additional line of service for savvy solution providers that help businesses implement the standard, reduce costs, and educate their clients. As the new 2.0 version emerges, businesses are rushing to update their systems while still struggling to grasp the existing mandate. The win-win opportunity arises as savvy solution providers handle PCI compliance projects and keep businesses focused on their main line of services. These solution providers also specialize in ensuring project efficiency and avoiding redundancies in process and technology, which greatly enhances cost savings for many businesses. A recent study by the Aberdeen Group claimed that half of the cost can be saved by hiring solution providers.

Notes

[11] Arnfield, Robin. "US Standards Drive Canadian Information Security." Infosecurity (UK) - the Online Magazine Dedicated to the Strategy and Technique of Information Security, 01 Mar. 2009. Web. 12 June 2011. <http://www.infosecurity-magazine.com/view/846/us-standards-drive-canadian-information-security/>

[12] "Accounting Firms | Grant Thornton Becomes One Of The Largest Public Accounting Firms In The US To Be Named Qualified Security Assessor (QSA) Company by the Payment Card Industry Security Standards Council." Accounting Concepts and Finance, 2008. Web. 12 June 2011. <http://reviewitemssite.com/accounting/accounting-firms-grant-thornton-becomes-one-of-the-largest-publicaccounting-firms-in-the-us-to/>

Conclusion

It is critical for businesses that are not yet PCI compliant to take the appropriate measures to ensure the security of their customers’ sensitive cardholder data and achieve PCI compliance. Becoming PCI compliant will ensure the best customer experience, eliminate the risk of fines, and protect their brand and customer confidence. Businesses that have already achieved compliance through an in-house solution should consider outsourcing as a means of freeing up the costs associated with this resource-intensive endeavor.

Although PCI DSS has apparent weaknesses and does not guarantee absolute security for cardholder data, it has enhanced the security of cardholders’ data to a great extent. PCI DSS should be kept in place, possibly with minor changes to improve its efficiency and effectiveness. It has helped raise awareness of data security in the business world and encouraged many organizations to implement IT security systems. Additionally, PCI DSS has greatly improved consumer confidence in the security of personal information. Fraudsters are also forced to abandon traditional methods and exploit more sophisticated data breach methods, which means that PCI DSS needs to remain alert to emerging threats. Despite all its positive aspects, PCI DSS is by no means the end of IT security development. Each organization should assess its security needs and develop a more company-specific solution, using PCI DSS as the foundation. Companies should feel responsible for the consumer data they hold and should continually enhance their IT policy, governance and systems. No standard can ever guarantee absolute security; it depends on each company’s effort to develop a complete and secure data storage system.

Recommendations

The following recommendations can help address some of the issues and concerns involving PCI DSS compliance.

- Tailor the compliance requirements to the specific needs and business environment of each organization. Smaller companies do not need the same security measures as larger firms, and they also lack the resources to comply with complex policies and requirements.

- Develop a more cost-effective framework to benefit small to medium-sized companies. If the cost of complying with PCI DSS is greater than the penalty imposed for non-compliance, businesses are discouraged from adopting PCI DSS. The previous recommendation is one possible way to reduce costs: smaller companies should have less complex requirements and procedures.

- The PCI Council should provide additional support and educate company executives on the role and importance of PCI DSS as part of a company’s overall strategy. Company executives often fulfill only the minimum regulatory requirements and fail to realize the potential role that PCI DSS can take as part of a firm’s overall IT governance. This is especially true for small businesses, where the owner lacks IT security knowledge and often does not use PCI DSS to its fullest extent.

- The PCI Council should improve its overall brand image and raise awareness of its brand value among the general public. It should then create a compliance logo for each compliant business to display in-store or online. The purpose of this recommendation is to inform consumers that a company has taken additional security measures and is capable of safeguarding confidential consumer data. This can in turn encourage more companies to invest in security or improve their existing security systems in order to gain a competitive advantage. PCI DSS can thus become a value-added requirement, and businesses will be more willing to pay its fees.

- Designate responsibility for PCI compliance to a specific person or team within the organization to implement a company-wide security program. This team should initiate the implementation of PCI DSS and provide ongoing support after implementation. Additionally, the team should be held accountable for the degree of utilization of PCI and integrate PCI as the foundation of the company’s overall security governance. This recommendation is more practical for larger firms with bigger IT security budgets, resources, and personnel.

References

- Official PCI Security Standards Council Site: www.pcisecuritystandards.org/security_standards/

- Payment Card Industry Data Security Standard Explained: www.security-assessment.com

Similar Documents

Free Essay

Pci-Dss

...alcohol requires strict compliance with several federal, state, and local laws; however, this section relates to Information Technology (IT) specific compliance and regulations. Because Beachside Bytes Bar and Grill will be accessing and storing sensitive information from customers and employees, guidelines, laws, and policies have been established to insure the privacy of such information is secure. Only those authorized to view, change, or remove such data must be fully authenticated through proper procedures. In addition, established protocols and encryption methods must be use to access database information via the Internet. This section of the report will address these and other challenges related to IT privacy and security. PCI DSS (Payment Card Industry Data Security Standard) is an information security standard that was created from a joint effort of major credit card companies in 2004. Its purpose is to create controls that would reduce credit card fraud. This standard is built around 6 principles and 12 requirements. It is assumed that Beachside Bytes intends to credit cards as a form of payment and must therefore comply with the following principles set forth. The first principle, "Build and Maintain a Secure Network", is enforced through 2 requirements: (1) Install and maintain a firewall, and (2) do not use defaults (IE. passwords). Firewalls create a single point of defense between two networks. Since the Internet is web of networks, it is important...

Words: 1244 - Pages: 5

Free Essay

Pci Dss Compliance

...PCI DSS compliance is providing a safe place for your customers to do business with us either online or within our brick and motor location. Providing this compliance will ensure that your network has a chance to avoid the publicity nightmare that has effected so many other organizations, like Home Depot and J.P. Morgan Chase. As part of being PCI DSS compliant, organizations must adhere to risk analysis. In order for any organization to handle their network security risk it is important to understand the three important areas of a risk analysis and they are confidentiality, integrity, and availability. Confidentiality is all about letting only the allowed personal have access to that sensitive information and keeping private information private. Unsecure networks, malware, and even social engineering are all types of attacks that can compromise that important data. But intruders or the use of stolen credentials are topping the charts and have been a top ten issue for several years now. It also has been increasing in the number of case in recent years and this attack has accounted for 422 cases in 2013. Whether it comes from a Point of Sale (POS) interaction or a Web application attack the best defense is a strong password. A password should not be written down or can be found in a dictionary, but consist of upper and lower case letters with numbers and special characters mixed throughout (Verizon DBIR, 2014). Integrity is insuring that the information and devises...

Words: 623 - Pages: 3

Free Essay

Pci Dss Security Policy Template

...P01 - Information Security Policy Document Reference Date Document Status Version Revision History P01 - IS Policy Final 1.0 Table of Contents 1. 2. 3. 4. 5. 5.1. 5.2. 5.3. 5.4. 5.5. 5.6. 5.6.1. 5.6.2. 5.6.3. 5.6.4. 6. 6.1. 6.2. Policy Statement ....................................................................................................................... 3 Review and Update of the Policy Statement .......................................................................... 3 Purpose ...................................................................................................................................... 3 Scope.......................................................................................................................................... 3 Information Security Framework ........................................................................................... 3 Reporting Structure for the Business .......................................................................................... 3 Associated Teams....................................................................................................................... 4 Annual Policy Review................................................................................................................ 4 Policy Breaches .......................................................................................................................... 4 Individual Policies ......................

Words: 1892 - Pages: 8

Free Essay

The Pci-Dss Framework: Protecting Stored Cardholder Data

...The PCI-DSS Framework: Protecting Stored Cardholder Data Wednesday, November 25th 2009 Contents The PCI-DSS Framework: Protecting Stored Cardholder Data 3 Introduction 3 PCI-DSS Compliance 4 Solutions for Encrypting Data at Rest 4 Data Classification, an Alternative to Encryption 8 Building Policies and Procedures 12 Conclusion 12 References 14 The PCI-DSS Framework: Protecting Stored Cardholder Data Introduction Payment cards, whether they are debit or credit cards are an essential component of modern commerce. EMV-based cards have already helped improve the security of millions of bank cards throughout the world, giving even more people the confidence to make payments. But there are other security concerns associated with bank cards. (Card Technology Today, 2009) Globally, debit and credit cards are used for a wide variety of payments with Internet card payments increasingly significantly in recent years. However, with this growth in Internet-based transactions has come an increase in stories related to Card Not Present (CNP) fraud via Internet channels. (Laredo, 2008) The proliferation of fraud and identity theft cases has put the Payment Card Industry (PCI) on the offensive frontlines. (Morse and Raval, 2008) American Express, Discover, JCB, MasterCard, and Visa have joined forces and formed the PCI Security Standards Council, an independent...

Words: 3961 - Pages: 16

Lab #3: Case Study on Pci Dss Non-Compliance: Cardsystems Solutions

...any federal or state laws? Yes they did, because they did follow the compliance of the PCI DSS. 2. CardSystems Solutions claims to have hired an auditor to assess compliance with PCI DSS and other best practices for ensuring the C-I-A of privacy data for credit card transaction processing. Assuming the auditor did indeed perform a PCI DSS security compliance assessment, what is your assessment of the auditor’s findings? That he either did not do a full audit, or the company just showed him part of what he needed to see to pass them so they could operate without prying eyes. 3. Can CardSystems Solutions sue the auditor for not performing his or her tasks and deliverables with accuracy? Do you recommend that CardSystems Solutions pursue this avenue? No they did not, and if they had credibility then yes they should sue, but if they are at fault then they will be brought to trial in civil court. 4. Who do you think is negligent in this case study and why? The company and the auditor, because neither one did their job to the fullest extent and it cost the company. 5. Do the actions of CardSystems Solutions warrant an “unfair trade practice” designation as stated by the Federal Trade Commission (FTC)? Yes it does, because they did not comply with the standards that were put before them. 6. What security policies do you recommend to help with monitoring, enforcing, and ensuring PCI DSS compliance? They should have had the firewalls in place that had monitoring built in...

Words: 559 - Pages: 3

Pci Dss

...PCI DSS and the Seven Domains As a business that is entering into the web business and having the ability to receive payment from Credit Cards negates that the business now complies with some standards that secure all of the customers' information from misuse and inappropriate access from unauthorized persons. To do this, some logical approaches and best practices have been proven to facilitate a business meeting the PCI DSS standards. These best practices start with a simple install of a firewall that isolates the business' network from unauthorized outside access to the customer's information. Also, make sure that all default settings on the network are changed, as the default information is a generally known value and easy to bypass security if not changed. (Gibson, 2011) These are generally good practices for security on any network anyway, but definitely a good start to achieving the PCI DSS standard. Once these measures are taken, it is now important to protect the data that you are using from the customer to complete a purchase. The best way is to set up access control measures within the LAN and ensure that the LAN to WAN interface is protected by a firewall. When using the information to authorize outside of the LAN environment, it is important to protect the information by encrypting the data being sent to the authorizing entity. By doing this you can further protect the information stored at your business from unwanted access and viewing. Within the business itself...

Words: 504 - Pages: 3

Boss

...Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures, Version 3.2, April 2016.

Document Changes (Date, Version, Description, Pages):

October 2008, v1.2: To introduce PCI DSS v1.2 as “PCI DSS Requirements and Security Assessment Procedures,” eliminating redundancy between documents, and make both general and specific changes from PCI DSS Security Audit Procedures v1.1. For complete information, see PCI Data Security Standard Summary of Changes from PCI DSS Version 1.1 to 1.2.

July 2009, v1.2.1: Add sentence that was incorrectly deleted between PCI DSS v1.1 and v1.2 (page 5). Correct “then” to “than” in testing procedures 6.3.7.a and 6.3.7.b (page 32). Remove grayed-out marking for “in place” and “not in place” columns in testing procedure 6.5.b (page 33). For Compensating Controls Worksheet – Completed Example, correct wording at top of page to say “Use this worksheet to define compensating controls for any requirement noted as ‘in place’ via compensating controls.” (page 64).

October 2010, v2.0: Update and implement changes from v1.2.1. See PCI DSS – Summary of Changes from PCI DSS Version 1.2.1 to 2.0.

November 2013, v3.0: Update from v2.0. See PCI DSS – Summary of Changes from PCI DSS Version 2.0 to 3.0.

April 2015, v3.1: Update from PCI DSS v3.0. See PCI DSS – Summary of Changes from PCI DSS Version 3.0 to 3.1 for details of changes.

April 2016, v3.2: Update from PCI DSS v3.1. See PCI DSS – Summary of...

Words: 57566 - Pages: 231

Pci for Dummies

...Compliments of Qualys. Updated for PCI DSS Version 2.0! PCI Compliance, Qualys Limited Edition. Secure and protect cardholder data. Sumedh Thakar, Terry Ramos. PCI Compliance For Dummies, by Sumedh Thakar and Terry Ramos. A John Wiley and Sons, Ltd, Publication. PCI Compliance For Dummies® Published by John Wiley & Sons, Ltd, The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, England. Email (for orders and customer service enquiries): cs-books@wiley.co.uk. Visit our Home Page on www.wiley.com. Copyright © 2011 by John Wiley & Sons Ltd, Chichester, West Sussex, England. All Rights Reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except under the terms of the Copyright, Designs and Patents Act 1988 or under the terms of a licence issued by the Copyright Licensing Agency Ltd, 90 Tottenham Court Road, London, W1T 4LP, UK, without the permission in writing of the Publisher. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Ltd, The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, England, or emailed to permreq@wiley.com, or faxed to (44) 1243 770620. Trademarks: Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, A Reference for the Rest of Us!, The Dummies Way, Dummies Daily, The Fun and Easy Way, Dummies.com and...

Words: 15012 - Pages: 61

Legal Issues in Information Security

...Payment Card Industry Data Security Standards (PCI DSS) compliant. What is your assessment of the auditor’s findings? I personally disagreed with the auditor's findings. If CardSystems Solutions per the report were indeed deemed compliant, proper IP firewalls and antivirus programs would have been active, as PCI DSS requires a firewall and an up-to-date anti-virus, which CardSystems Solutions did not have. 3. Can CardSystems Solutions sue the auditor for not performing his or her tasks and deliverables with accuracy? Do you recommend that CardSystems Solutions pursue this avenue? No. In 2004 they were PCI DSS compliant. At the time of the attack in June of 2005, they were not certified compliant. 4. Who do you think is negligent in this case study and why? CardSystems Solutions have to be considered the negligent party in the case. CardSystems Solutions is a high-profile company that is expected to comply with the regulations and requirements for properly protecting and storing private and secure data. 5. Do the actions of CardSystems Solutions warrant an “unfair trade practice” designation as stated by the FTC? Yes, I believe it should. 6. What security policies do you recommend to help with monitoring, enforcing, and ensuring PCI DSS compliance? SNMP along with MAC filtering. 7. What security controls and security countermeasures do you recommend for CardSystems Solutions to be in compliance with PCI DSS requirements? Answer: up-to-date anti-virus, firewall...

Words: 437 - Pages: 2

Tft2 Task 1

...changes are based upon the PCI-DSS Compliance: 1. Usage policies must be developed for critical technologies and defined for proper use of these technologies (PCI DSS 12.3). With this first policy an organization will prohibit or allow the usage of equipment and/or accounts depending on the individual’s permitted access. 2. Explicit approval by authorized parties (PCI DSS 12.3.1). This policy will grant specific approval by management to match the business needs. Proper approval of individual personnel will create a secured environment with critical systems. 3. Authentication for use of the technology (PCI DSS 12.3.2). Personnel will use passwords to authenticate the access they have to specific technology. This will hinder any individual who is trying to breach the environment and gain access to critical information. 4. Automatic disconnect of sessions after a specific period of inactivity (PCI-DSS 12.3.7). Users must log out if they plan to step away from their accounts and/or devices. Automatic log-off will stop any individual who is trying to gain access to the system without authorization. 5. Administer user accounts, including additions, deletions, and modifications (PCI-DSS 12.5.4). User accounts will be administered by the appropriate personnel. This responsibility will assure that any person in the organization has the correct information along with the correct access. 6. Educate personnel upon hire and at least annually (PCI-DSS 12.6.1). Security...

Words: 627 - Pages: 3

Information Security Policy Review

...the company’s policy is in compliance with all relevant federal regulations and industry standards. As an insurance company, Heart-Healthy Insurance works with and stores personal health information, financial information, and credit card information of clients and business partners. Data of this type is required to be protected by the United States Federal Government under several privacy acts. Heart-Healthy Insurance must also be Payment Card Industry Data Security Standard (PCI-DSS) compliant due to the fact the company takes credit cards to pay for premiums and deductibles. Below is information on each privacy act and security standard that Heart-Healthy Insurance must be in compliance with. The Payment Card Industry Data Security Standard (PCI-DSS) The Payment Card Industry Data Security Standard (PCI-DSS) was developed “to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally” (PCI Security Council, 2010 p. 5). PCI-DSS provides the following requirements for passwords and user access: -Each user must be assigned a unique ID for system access. -A user’s identity must be verified before passwords are reset. -Passwords for new users and reset passwords for existing users must be set...

Words: 1355 - Pages: 6

Bfd Itt

...(HIPAA), Payment Card Industry Data Security Standard (PCI DSS), and Sarbanes-Oxley Act (SOX). HIPAA required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information. The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI). In today’s era, everyone pays with credit cards or debit cards. This healthcare organization will need to be PCI DSS compliant. PCI Security Standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The Council is responsible for managing the security standards, while compliance with the PCI Security Standards is enforced by the payment card...

Words: 276 - Pages: 2

Lab 3 Assessment Questions Is3350

...with PCI DSS and other best practices for ensuring the C-I-A of privacy data for credit card transaction processing. Assuming the auditor did indeed perform a PCI DSS security compliance assessment, what is your assessment of the auditor’s findings? • If compliant, they would have implemented proper IP firewalls or maintained their anti-virus program definitions. Also, they were required to encrypt all stored sensitive privacy data for research. 3. Can CardSystems sue the auditor for not performing his or her tasks and deliverables with accuracy? Do you recommend that CardSystems Solutions pursue this avenue? • No, because they were PCI DSS compliant in 2004 but were not certifiably compliant at the time of the attack in June of 2005. 4. Who do you think is negligent in this case study and why? • CardSystems. Given their high profile, they were expected to be in compliance for properly storing and protecting all privacy data, including gathered transactions and credit card information of their clientele, in an encrypted manner. 5. Do the actions of CardSystems warrant an “unfair trade practice” designation as stated by the Federal Trade Commission (FTC)? • Yes, because the clientele trust in good faith that their information will not be compromised in the possession of the company. If the company was not compliant, then all sensitive data was put at risk. 6. What security policies do you recommend to help with monitoring, enforcing, and ensuring PCI DSS compliance...

Words: 649 - Pages: 3

Managing Risk in Information Systems


Words: 640 - Pages: 3

Tft Task 1

...NEW HEART-HEALTHY INSURANCE INFORMATION SECURITY 1. Overview Heart-Healthy Insurance (HHI) is a company that is required by the federal government to keep the customer's information confidential, available and safe. The HHI is required to comply with PCI-DSS regulations, GLBA regulations, federal privacy laws, and HIPAA and HITECH regulations. 2. Scope The scope of this task is to develop a new policy statement with two modifications for the new users and password requirements that follow all the federal laws and regulations. 3. Policies of the HHI from before FOR NEW USERS. 4. New Users HHI requires new users to be assigned access based on the level of content they are requesting. The new users are required to prove their level of clearance based on the access they are requesting. It is also required that only the manager approves administrator-level access for new users. 5. Password Requirements. The password is required to have at least eight characters. The password characters must contain a combination of upper and lowercase letters. A shared password is forbidden in any system that has patient information. The users are not allowed to reuse any of the previous six passwords that were used when resetting a password. Users must wait at least 15 minutes before the password can be reset when they insert the wrong information more than three times. 5. PASSWORD REQUIREMENT WITH NEW POLICY HHI already has strong password policies, but those password policies...

Words: 1481 - Pages: 6