...The PCI-DSS Framework: Protecting Stored Cardholder Data Wednesday, November 25th 2009 Contents The PCI-DSS Framework: Protecting Stored Cardholder Data 3 Introduction 3 PCI-DSS Compliance 4 Solutions for Encrypting Data at Rest 4 Data Classification, an Alternative to Encryption 8 Building Policies and Procedures 12 Conclusion 12 References 14 The PCI-DSS Framework: Protecting Stored Cardholder Data Introduction Payment cards, whether they are debit or credit cards, are an essential component of modern commerce. EMV-based cards have already helped improve the security of millions of bank cards throughout the world, giving even more people the confidence to make payments. But there are other security concerns associated with bank cards. (Card Technology Today, 2009) Globally, debit and credit cards are used for a wide variety of payments, with Internet card payments increasing significantly in recent years. However, with this growth in Internet-based transactions has come an increase in stories related to Card Not Present (CNP) fraud via Internet channels. (Laredo, 2008) The proliferation of fraud and identity theft cases has put the Payment Card Industry (PCI) on the offensive frontlines. (Morse and Raval, 2008) American Express, Discover, JCB, MasterCard, and Visa have joined forces and formed the PCI Security Standards Council, an independent...
Words: 3961 - Pages: 16
...Compliments of Qualys. Updated for PCI DSS Version 2.0! PCI Compliance, Qualys Limited Edition. Secure and protect cardholder data. Sumedh Thakar, Terry Ramos. PCI Compliance For Dummies by Sumedh Thakar and Terry Ramos. A John Wiley and Sons, Ltd, Publication. PCI Compliance For Dummies® Published by John Wiley & Sons, Ltd, The Atrium, Southern Gate, Chichester, West Sussex PO19 8SQ, England. Email (for orders and customer service enquiries): cs-books@wiley.co.uk. Visit our Home Page on www.wiley.com. Copyright © 2011 by John Wiley & Sons Ltd, Chichester, West Sussex, England. All Rights Reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except under the terms of the Copyright, Designs and Patents Act 1988 or under the terms of a licence issued by the Copyright Licensing Agency Ltd, 90 Tottenham Court Road, London, W1T 4LP, UK, without the permission in writing of the Publisher. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Ltd, The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, England, or emailed to permreq@wiley.com, or faxed to (44) 1243 770620. Trademarks: Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, A Reference for the Rest of Us!, The Dummies Way, Dummies Daily, The Fun and Easy Way, Dummies.com and...
Words: 15012 - Pages: 61
...company’s policy is in compliance with all relevant federal regulations and industry standards. As an insurance company, Heart-Healthy Insurance works with and stores personal health information, financial information, and credit card information of clients and business partners. Data of this type is required to be protected by the United States Federal Government under several privacy acts. Heart-Healthy Insurance must also be Payment Card Industry Data Security Standard (PCI-DSS) compliant due to the fact that the company takes credit cards to pay for premiums and deductibles. Below is information on each privacy act and security standard that Heart-Healthy Insurance must be in compliance with. The Payment Card Industry Data Security Standard (PCI-DSS) The Payment Card Industry Data Security Standard (PCI-DSS) was developed “to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally” (PCI Security Council, 2010, p. 5). PCI-DSS provides the following requirements for passwords and user access:
- Each user must be assigned a unique ID for system access.
- A user’s identity must be verified before passwords are reset.
- Passwords for new users and reset passwords for existing users must be set...
Words: 1355 - Pages: 6
...not run and therefore the business will not make money. This simple sentence directly relates to the implementation of defense in depth within an enterprise environment. The multiple rings of defense portrayed in Course Module Five (5) reflected a defense in depth approach (Course Content 5). The rings represented a specific layer of defense starting with the lock on the door, an alarm, a security guard, vibration sensors, etc. The controls listed were all physical controls. Of course, the course recommended adding camera systems, which in today’s world are expectations for minimum physical security controls. Not all organizations can afford cameras and the associated costs of storage media. The industry (Navigating the PCI DSS, 2010) standard PCI DSS lists the requirement to record traffic in and out of sensitive areas. The specific requirement calls out to record or use other means of monitoring traffic in and out of sensitive areas. This means that recording is the best practice; however, it is costly and not all organizations can implement cameras. An organization may instead put badge readers in place to track users coming into and out of sensitive areas to meet the intent of the requirement. This is a minimum security standard. Now, as we go even further down the layers to the more abstract logical controls, costs (time and resources) can begin to rise. It is critical at this phase for organizations to identify the data in place and its value to the organization...
Words: 420 - Pages: 2
...Document Changes
Date | Version | Description | Pages
October 2008 | 1.2 | To introduce PCI DSS v1.2 as “PCI DSS Requirements and Security Assessment Procedures,” eliminating redundancy between documents, and make both general and specific changes from PCI DSS Security Audit Procedures v1.1. For complete information, see PCI Data Security Standard Summary of Changes from PCI DSS Version 1.1 to 1.2. |
July 2009 | 1.2.1 | Add sentence that was incorrectly deleted between PCI DSS v1.1 and v1.2. | 5
| | Correct “then” to “than” in testing procedures 6.3.7.a and 6.3.7.b. | 32
| | Remove grayed-out marking for “in place” and “not in place” columns in testing procedure 6.5.b. | 33
| | For Compensating Controls Worksheet – Completed Example, correct wording at top of page to say “Use this worksheet to define compensating controls for any requirement noted as ‘in place’ via compensating controls.” | 64
October 2010 | 2.0 | Update and implement changes from v1.2.1. See PCI DSS – Summary of Changes from PCI DSS Version 1.2.1 to 2.0. |
November 2013 | 3.0 | Update from v2.0. See PCI DSS – Summary of Changes from PCI DSS Version 2.0 to 3.0. |
April 2015 | 3.1 | Update from PCI DSS v3.0. See PCI DSS – Summary of Changes from PCI DSS Version 3.0 to 3.1 for details of changes. |
April 2016 | 3.2 | Update from PCI DSS v3.1. See PCI DSS – Summary of Changes from PCI DSS Version 3.1 to 3.2 for details of changes. |
Payment Card Industry (PCI) Data Security Standard,...
Words: 57566 - Pages: 231
...Question 1 TJX is the parent company of popular off-price retailers like TJ Maxx and Marshalls. Based in Framingham, Massachusetts, TJX has over 2,400 stores worldwide and earned US$17.4 billion in sales during the 2007 fiscal period. On December 18th, 2007, TJX discovered that it fell victim to one of the largest data theft cases in American history. Approximately 94 million credit and debit cardholders were affected by the attack. The American Secret Service and FBI had to investigate the breach and TJX lost millions of dollars in the following years due to class-action lawsuits and investigation costs. This report will analyze the causes of TJX’s IT security weaknesses and provide recommendations on what the company should do in the short-term and long-term to ensure something like this never happens again. Question 2 Management – TJX’s management needs to move fast and implement better IT security measures to prevent an attack like this from ever happening again. They must accomplish this while balancing lawsuits from credit card companies & customers and ongoing federal investigations while still managing day-to-day operations. TJX has already booked a provision of $168 million related to the attack and does not want to suffer any more financial loss. It also needs to regain customer confidence, which is crucial to maintaining its market leadership and sales. Customers – TJX’s customers have lost confidence in the company’s ability to store its sensitive...
Words: 2721 - Pages: 11
...4/20/2014 Aaron Wheeler Cut Loose Incorporated Marketing Plan Outline Paper Shredding Business Marketing Management 522 Keller School of Management Executive Summary Each year improper document management costs businesses millions of dollars in liability and lost productivity. Paper shredding businesses are beginning to spring up across the nation. The concerns over privacy, in addition to new regulations and guidelines, have opened the door for a need in paper shredding services. No matter the size of a company, it is in need of shredding services. Investing in a paper shredding business has a very promising future and will continue on an upward trend. The Federal Government alone is destroying more documents each day, and the time limit for companies to destroy signed documents, job applications or a customer’s receipts for transactions is getting shorter. The lawful requirements are helping to expand shredding services. This continuing process virtually guarantees that a confidential paper disposal service can thrive. CUT LOOSE Inc. is an innovative document destruction company that offers a convenient facility, on-site and mobile shredding services to the Pikes Peak region of Colorado Springs. We cater to all organizations and individuals in need of secure, reliable, and cost-efficient material destruction. As the premier document destruction company in Colorado Springs...
Words: 5559 - Pages: 23
...Aircraft Solutions (AS) Security Assessment Submitted to: Professor SEC-571 Principles of Information Security and Privacy Keller Graduate School of Management Submitted: Overview Aircraft Solutions (AS) is a southern California company specializing in cutting-edge design and manufacturing. AS supplies products and solutions in the fields of electronics, commercial, defense, and aerospace to a wide variety of customers. AS not only has a highly skilled and trained workforce, but it also utilizes state-of-the-art equipment that provides efficiency and productivity rarely seen in this industry. AS’s headquarters is located in San Diego, California, while its Commercial Division (CD) is located 40 miles east of San Diego in Chula Vista, California. The AS Defense Division (DD) is located between Los Angeles and San Diego in Orange County, California. AS uses Business Process Management (BPM) to integrate customers, vendors, and suppliers in order to create a successful product. The success of the BPM is closely dependent on the success and efficiency of the Information Technology (IT) process of AS. Customer data, design engineering, and Proof For Production (PFP) are all examples of how AS’s IT success directly impacts its BPM. Vulnerabilities Hardware vulnerability AS has an obvious hardware vulnerability that could potentially have a catastrophic effect on the Chula Vista CD and the rest of AS. AS has a current network architecture that...
Words: 2620 - Pages: 11
...alcohol requires strict compliance with several federal, state, and local laws; however, this section relates to Information Technology (IT) specific compliance and regulations. Because Beachside Bytes Bar and Grill will be accessing and storing sensitive information from customers and employees, guidelines, laws, and policies have been established to ensure the privacy of such information is secure. Only those authorized to view, change, or remove such data must be fully authenticated through proper procedures. In addition, established protocols and encryption methods must be used to access database information via the Internet. This section of the report will address these and other challenges related to IT privacy and security. PCI DSS (Payment Card Industry Data Security Standard) is an information security standard that was created from a joint effort of major credit card companies in 2004. Its purpose is to create controls that would reduce credit card fraud. This standard is built around 6 principles and 12 requirements. It is assumed that Beachside Bytes intends to accept credit cards as a form of payment and must therefore comply with the following principles set forth. The first principle, "Build and Maintain a Secure Network", is enforced through 2 requirements: (1) Install and maintain a firewall, and (2) do not use defaults (i.e. passwords). Firewalls create a single point of defense between two networks. Since the Internet is a web of networks, it is important that...
Words: 1244 - Pages: 5
...The Management of Online Credit Card Data using the Payment Card Industry Data Security Standard Clive Blackwell Information Security Group Royal Holloway, University of London. Egham, Surrey. TW20 0EX. C.Blackwell@rhul.ac.uk Abstract Credit card fraud on the Internet is a serious and growing issue. Many criminals have hacked into merchant databases to obtain cardholder details enabling them to conduct fake transactions or to sell the details in the digital underground economy. The card brands have set up a standard called PCI DSS to secure credit card details when they are stored online. We investigate the standard and find significant flaws especially in its requirements on small businesses. Finally, we propose some general rules for the secure management of online data. The initial version 1 of PCI DSS was set up in 2004 and updated to the current 1.1 standard [2] in 2006 by the main card brands in order to protect sensitive cardholder data stored online by merchants and other card processors. It followed on from the informal program started in 1999 by Visa and formalised in 2000 into the Cardholder Information Security Program [3]. It is designed to meet the problems of storing large amounts of credit card data stored online that may be compromised. The largest number of cards compromised so far is the TK Maxx case, where over 46 million cardholder details were stolen over a number of years [4]. The hackers used the common method of breaching insecure wireless networks from...
Words: 4316 - Pages: 18
...AN INTRODUCTION TO PCI-DSS COMPLIANCE Author: Nicholas Henry April 2016 Table of Contents 1. Abstract 2. History 3. PCI-DSS Overview 4. Understanding PCI-DSS Compliance 5. Achieving PCI-DSS Compliance 6. PCI-DSS in the IT Department 7. Negatives of PCI-DSS 8. Positives of PCI-DSS Abstract Around the world, consumer migration from traditional cash and check payments to electronic payment methods such as credit, debit or bank transfers continues to grow. In 2009 a survey discovered that less than 37% of all payments are now made using cash or check. While there are many benefits to this, there are also significant new issues introduced as a result. As customers use electronic payment methods, there is an expectation of security for the cardholder’s identity and payment information. With all the recent data theft and security breaches, this is becoming a significant issue. To ensure the protection of consumer information, the Payment Card Industry, or PCI, developed a set of data security standards (DSS) that merchants and financial service providers must maintain to be able to process debit and credit cards. While PCI does not manage compliance or impose consequences for non-compliance, individual card associations may initiate financial/operational penalties to businesses that are non-compliant...
Words: 4052 - Pages: 17
...customer. An SLA can identify monetary penalties if the terms are not met. If your organization has SLAs with other organizations, these should be included in the risk management review. You should pay special attention to monetary penalties. For example, an SLA could specify a maximum downtime of four hours. After four hours, hourly penalties will start to accrue. You can relate this to the maximum acceptable outage (MAO). 2. Using the user domain, define risks associated with users and explain what can be done to mitigate them. The primary risks associated with the user domain are related to social engineering. Users can be conned and tricked. A social engineer tries to trick a user into giving up information or performing an unsafe action. You combat these risks by raising user awareness. Implement acceptable use policies (AUPs) to ensure users know what they should and should not be doing. Use logon banners to remind users of the AUP. Send out occasional e-mails with security tidbits to keep security in their minds. Use posters in employee areas. 3. Using the workstation domain, define risks associated within that domain and explain what can be done to reduce risks in that domain. Some of the primary risks associated with workstations are related to malware. Users can bring malware from home on Universal Serial Bus (USB) flash disks. They can accidentally download malware from Web sites. They can also install malware from malicious e-mails. The primary protection is to ensure...
Words: 994 - Pages: 4
...accounts left active if the employee is terminated, and another employee has the logon credentials. Mitigation would be to disable all user accounts upon termination. 3. The use of USBs or disks: the files could contain viruses and infect other files or applications on the network. No acceptable use policy (AUP), or lack of training employees on the correct usage of the network. 4. A. HIPAA applies to any organization that handles health information. It covers health employers, health plan sponsors, health care providers, public health authorities and more. B. SOX applies to any business that is required to be registered with the Securities and Exchange Commission. This is pretty much any publicly traded company. C. PCI DSS is not a law; it is more of a standard that was jointly created by several credit card companies. Any company that accepts credit cards needs to comply with these standards. D. CIPA applies to any school or library that receives funding from the U.S....
Words: 389 - Pages: 2
...Linux Security Project Part 1 Instructor Sandro Tuccinardi Student Brian Dupee Security Policy Outline First World Bank wants to provide banking services online to its customers. The institution estimates over $100,000,000 a year in online credit card transactions for loan applications and other banking services. According to a team that was formed, using a Linux open source infrastructure would, as roughly estimated, give an annual cost savings in licensing fees alone of as much as $4,000,000. The goal for the assets while using a Linux open source infrastructure would be maintaining the CIA triad (confidentiality, integrity, and availability) in the infrastructure. There are legislation, regulations, and federal and state laws governing online banking. Compliance regulations include the Sarbanes–Oxley Act of 2002, the Gramm–Leach–Bliley Act (GLBA), the Payment Card Industry Data Security Standard (PCI DSS), the Federal Information Security Management Act of 2002, and Control Objectives for Information and Related Technology (COBIT). Many or part of these and more must be taken into consideration while putting this project in play. There are a couple of documents: ISO/IEC 17799 and ISO/IEC 27001. The ISO/IEC 17799 IT security technique is the policy for information security management, guidelines, and principles for implementing and improving security.
• security policy;
• organization of information security;
• asset management;
• human resources security;
• physical and environmental...
Words: 448 - Pages: 2
...TJX case study Hanover Yuyang Zhang 1. What were the root causes of this breach and how could it have been prevented? The root cause of this breach is that the whole system is not consummate enough. Data security problems are the main issue at all merchants. Complying with the PCI DSS standard is the easy way to prevent it, but customers also need to have security consciousness. Updating to new technology like biometric identification technology can ensure payment security. 2. In general, what are the respective roles senior operational management vs. IT management must play in protecting their company’s information assets? (Utilize the companion article for assistance). Senior operational management needs to distinguish which information assets are most critical and what roles cybersecurity and trust play in our customer value proposition. IT management has to develop and maintain a cross-functional approach to cybersecurity, and decide how to take steps to keep data secure and support the end-to-end customer experience. IT management also needs to consider how we are using technology processes to protect our critical information assets. 3. With the increase of Card Not Present (CNP) (i.e. “wireless”) payments, who should pay for fraudulent payments (i.e. Apple, AT&T, retailer, card issuer, etc.) and how would your recommendations make the respective players more accountable? I think the technical support company like Apple should pay for fraudulent payments. As we know, Apple Pay is a...
Words: 355 - Pages: 2