...The PCI-DSS Framework: Protecting Stored Cardholder Data Wednesday, November 25th 2009 Contents The PCI-DSS Framework: Protecting Stored Cardholder Data 3 Introduction 3 PCI-DSS Compliance 4 Solutions for Encrypting Data at Rest 4 Data Classification, an Alternative to Encryption 8 Building Policies and Procedures 12 Conclusion 12 References 14 The PCI-DSS Framework: Protecting Stored Cardholder Data Introduction Payment cards, whether they are debit or credit cards are an essential component of modern commerce. EMV-based cards have already helped improve the security of millions of bank cards throughout the world, giving even more people the confidence to make payments. But there are other security concerns associated with bank cards. (Card Technology Today, 2009) Globally, debit and credit cards are used for a wide variety of payments with Internet card payments increasingly significantly in recent years. However, with this growth in Internet-based transactions has come an increase in stories related to Card Not Present (CNP) fraud via Internet channels. (Laredo, 2008) The proliferation of fraud and identity theft cases has put the Payment Card Industry (PCI) on the offensive frontlines. (Morse and Raval, 2008) American Express, Discover, JCB, MasterCard, and Visa have joined forces and formed the PCI Security Standards Council, an independent...
Words: 3961 - Pages: 16
...Compliments of ersion 2.0 ! ated for PCI DSS V Upd pliance PCI Com ition Qualys Limited Ed Secure and protect cardholder data Sumedh Thakar Terry Ramos PCI Compliance FOR DUMmIES ‰ by Sumedh Thakar and Terry Ramos A John Wiley and Sons, Ltd, Publication PCI Compliance For Dummies® Published by John Wiley & Sons, Ltd The Atrium Southern Gate Chichester West Sussex PO19 8SQ England Email (for orders and customer service enquires): cs-books@wiley.co.uk Visit our Home Page on www.wiley.com Copyright © 2011 by John Wiley & Sons Ltd, Chichester, West Sussex, England All Rights Reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except under the terms of the Copyright, Designs and Patents Act 1988 or under the terms of a licence issued by the Copyright Licensing Agency Ltd, 90 Tottenham Court Road, London, W1T 4LP, UK, without the permission in writing of the Publisher. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Ltd, The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, England, or emailed to permreq@wiley.com, or faxed to (44) 1243 770620. Trademarks: Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, A Reference for the Rest of Us!, The Dummies Way, Dummies Daily, The Fun and Easy Way, Dummies.com and...
Words: 15012 - Pages: 61
...Role and Functions of Law Paper Shante’ Simms ETH/321 May 11, 2015 University of Phoenix Role and Functions of Law Paper Federal courts and Florida state courts systems are similar in some ways, but also very different in many ways. Both systems function with specific process of order, and a chain of command to adhere to. Neither the Federal Court nor Florida Court has seniority over the Constitutional Laws that our Country has in place. Federal Vs Florida The federal courts consist of a three part structure that combines the Supreme Courts, the Courts of Appeal, and the District Courts. The Supreme Court is the highest level court in the federal court system, with nine justices ("Florida Supreme Court ", n.d.). The Supreme Court’s original jurisdiction is limited over some cases, but appeals jurisdiction through certiorari process. The Courts of Appeal is considered the medium level courts in the federal system, including twelve regional circuit courts. The Courts of Appeal is specifically appellate court and does not have an original jurisdiction because of that. The District Courts are the lowest level courts in the federal system, combining a total of ninety four judicial districts over fifty states and territories. These lower level courts have no appellate jurisdiction, but have original jurisdiction over most cases. The Supreme Court is the highest level court for Florida as well, only containing seven justices. The Supreme...
Words: 764 - Pages: 4
...Term Paper: Security Regulation Compliance Giancarlos Guerra Strayer University CIS 438 - Information Security Legal Issues Abstract: In this paper I shall provide an overview that will be delivered to senior management of regulatory requirements the agency needs to be aware of, including: i. FISMA; ii. Sarbanes-Oxley Act; iii. Gramm-Leach-Bliley Act; iv. PCI DSS; v. HIPAA; vi. Intellectual Property Law. Describe the security methods and controls that need to be implemented in order to ensure compliance with these standards and regulatory requirements. Describe the guidance provided by the Department of Health and Human Services, the National Institute of Standards and Technology (NIST), and other agencies for ensuring compliance with these standards and regulatory requirements. Term Paper: Security Regulation Compliance Introduction In the day-to-day operations of information security, security professionals often focus the majority of their time dealing with employee access issues, implementing security methods and measures, and other day-to-day tasks. They often neglect legal issues that affect information security. As a result, organizations often violate security-related regulations and often have to pay heavy fines for their non-compliance.” A Chief Information Officer in a government agency should realize the need to educate for senior leadership on some of the primary regulatory requirements, and realize the need to ensure that the employees in the agency...
Words: 2284 - Pages: 10
...These standards, “ensure that ALL companies accept, process, store or transmit credit card information maintain a secure environment” (PCI Compliance FAQ). To meet the security requirement details certain sensitive financial information, such as the credit card number or social security number, is masked. If an update to the payment information is requested, then the member must be present and swipe their own credit card. The responsible PCI compliance audits are for the most part transferred to ABC Financial. RHF pays an additional fee for this PCI security protection. Annually ABC Financial undergoes a PCI compliance audit completed by Security Metrics. Currently, they are up to date with their Level 1 PCI Validation details for PCI DSS and is valid through June 30, 2017. However, RHF is responsible for reporting compliance with the PCI DSS as well. ABC Financial works in partnership with their clients to help complete the needed security tool...
Words: 1746 - Pages: 7
...Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures Version 3.2 April 2016 Document Changes Date October 2008 Version 1.2 Description Pages To introduce PCI DSS v1.2 as “PCI DSS Requirements and Security Assessment Procedures,” eliminating redundancy between documents, and make both general and specific changes from PCI DSS Security Audit Procedures v1.1. For complete information, see PCI Data Security Standard Summary of Changes from PCI DSS Version 1.1 to 1.2. Add sentence that was incorrectly deleted between PCI DSS v1.1 and v1.2. Correct “then” to “than” in testing procedures 6.3.7.a and 6.3.7.b. 1.2.1 32 Remove grayed-out marking for “in place” and “not in place” columns in testing procedure 6.5.b. 33 For Compensating Controls Worksheet – Completed Example, correct wording at top of page to say “Use this worksheet to define compensating controls for any requirement noted as ‘in place’ via compensating controls.” July 2009 5 64 October 2010 2.0 Update and implement changes from v1.2.1. See PCI DSS – Summary of Changes from PCI DSS Version 1.2.1 to 2.0. November 2013 3.0 Update from v2.0. See PCI DSS – Summary of Changes from PCI DSS Version 2.0 to 3.0. April 2015 3.1 Update from PCI DSS v3.0. See PCI DSS – Summary of Changes from PCI DSS Version 3.0 to 3.1 for details of changes. April 2016 3.2 Update from PCI DSS v3.1. See PCI DSS – Summary...
Words: 57566 - Pages: 231
...Card Security Policy 17 2.1 Introduction 17 2.2 Scope of Compliance 17 2.3 Requirement 1: Build and Maintain a Secure Network 17 2.4 Requirement 2: Do not use Vendor-Supplied Defaults for System Passwords and Other Security Parameters 18 2.5 Requirement 3: Protect Stored Cardholder Data 19 2.6 Requirement 4: Encrypt Transmission of Cardholder Data across Open and/or Public Networks 20 2.7 Requirement 5: use and Regularly Update Anti-Virus Software or Programs 20 2.8 Requirement 6: Develop and Maintain Secure Systems and Applications 21 2.9 Requirement 7: Restrict Access to Cardholder Data by Business Need to Know 21 2.10 Requirement 8: Assign a Unique ID to Each Person with Computer Access 22 2.11 Requirement 9: Restrict Physical Access to Cardholder Data 22 2.12 Requirement 10: Regularly Monitor and Test Networks 23 2.13 Requirement 11: Regularly Test Security Systems and Processes 25 2.14 Requirement 12: Maintain a Policy that Addresses Information Security for Employees and Contractors 26 2.15 Revision History 29 3 Acceptable Use Policy 30 3.1 Overview 30 3.2 Purpose 30 3.3 Scope 30 3.4 Policy 31 3.5 Policy Compliance 35 3.6 Related Standards, Policies and Processes 35 3.7 Definitions and Terms 35 3.8 Revision History 36 4 Ethics Policy 37 4.1 Overview 37 4.2 Purpose 37 4.3 Scope 37 4.4 Policy 38 4.5 Policy Compliance 39 4.6 Exceptions 40 4.7 Related Standards, Policies and...
Words: 26545 - Pages: 107
...criminals have hacked into merchant databases to obtain cardholder details enabling them to conduct fake transactions or to sell the details in the digital underground economy. The card brands have set up a standard called PCI DSS to secure credit card details when they are stored online. We investigate the standard and find significant flaws especially in its requirements on small businesses. Finally, we propose some general rules for the secure management of online data. The initial version 1 of PCI DSS was set up in 2004 and updated to the current 1.1 standard [2] in 2006 by the main card brands in order to protect sensitive cardholder data stored online by merchants and other card processors. It followed on from the informal program started in 1999 by Visa and formalised in 2000 into the Cardholder Information Security Program [3]. It is designed to meet the problems of storing large amounts of credit card data stored online that may be compromised. The largest number of cards compromised so far is the TK Maxx case, where over 46 million cardholder details were stolen over a number of years [4]. The hackers used the common method of breaching insecure wireless networks from car parks outside the shops and installing malware to steal the card details. Many of the PCI DSS controls would have avoided or mitigated this attack. For example, networks must be protected from external intruders by adequate firewalls, and wireless networks must use a recent standard for protecting data such...
Words: 4316 - Pages: 18
...Interested in learning more about security? SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. Case Study: Critical Controls that Could Have Prevented Target Breach In December 2013 over 40 million credit cards were stolen from nearly 2000 Target stores by accessing data on point of sale (POS) systems. This paper will explore known issues in the Target breach and consider some of the Critical Controls that could have been used to both prevent this breach and mitigate losses. AD Copyright SANS Institute Author Retains Full Rights Case Study: Critical Controls that Could Have Prevented Target Breach GIAC (GSEC) Gold Certification Author: Teri Radichel, teri@radicalsoftware.com Advisor: Stephen Northcutt Accepted: August 5th 2014 Abstract In December 2013 over 40 million credit cards were stolen from nearly 2000 Target stores by accessing data on point of sale (POS) systems. This paper will explore known issues in the Target breach and consider some of the Critical Controls that could have been used to both prevent this breach and mitigate losses. From what is known about the Target breach, there were multiple factors that led to data loss: vendors were subject to phishing attacks, network segregation was lacking, point of sale systems were vulnerable to memory scraping malware and detection strategies employed by Target failed. A possible...
Words: 8983 - Pages: 36
...Best Practices and Recommendations: Tablet Selection for Use by Healthcare Practitioners White Paper Date: April 16, 2016 Contents * Overview and Background * Criteria for Consideration * Operating Systems * Security, Legal and Regulatory * Hardware * Recommendation Overview and Background A large, local hospital has requested consulting assistance with a technical research and specification project related to the selection of a tablet device for use in their medical practice. This tablet will be used by personnel for medical and administrative purposes throughout the hospital. Criteria for Consideration The following criteria have been considered as part of this evaluation: Operating System: There are many different options available in healthcare mobility solutions; however, the three most common operating systems in place today are MS Windows 10, iOS 9.x and Android 6.0. There are well-defined positives and negatives around each platform that must be carefully reviewed prior to making a decision. As operating system selection is primary to device selection, it is critical that this step in the selection criteria is well thought out. When reviewing operating systems, it is important to keep in mind the initial criteria of this research. Selecting an operating system for an enterprise-based medical device is quite different than selecting an operating system and device for personal use. While the Apple iOS and Google Android OS...
Words: 1626 - Pages: 7
...Student Lab Manual © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LL NOT FOR SALE OR DISTRIBUT © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION Student Lab Manual © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LL NOT FOR SALE OR DISTRIBUT Auditing IT Infrastructures for Compliance © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION IS4680 © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LL NOT FOR SALE OR DISTRIBUT © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett©Learning, LLC Learning, LLC, an Ascend Learning Company Bartlett Current Version Date: 11/21/2011 © Jones & Learning, LLC Copyright 2013 by Jones & Bartlett www.jblearning.com! NOT FOR SALE OR DISTRIBUTION ...
Words: 30948 - Pages: 124
...information that is proprietary, confidential, sensitive or otherwise restricted from disclosure. If you are not an authorized recipient, please return this document to WATERWORLD WATERPARKS, Attention: IT Director. Dissemination, distribution, copying or use of this document in whole or in part by anyone other than the intended recipient is strictly prohibited without prior written permission of WATERWORLD WATERPARKS Executive Management. Revision History Changes | Approved By | Date | Initial Publication | John Smothson | 3-23-2011 | | | | | | | | | | | | | | | | | | | | | | | | | | | | Table of Contents 1 Introduction and Scope 8 1.1 Introduction 8 1.2 Payment Card Industry (PCI) Compliance 8 1.3 Scope of Compliance 8 2 Policy Roles and Responsibilities 10 2.1 Policy Applicability 10 2.2 Information Technology Manager 10 2.3 Information Technology Department 11 2.4 System Administrators 12 2.5 Users – Employees, Contractors, and Vendors 12 2.6 Human Resource Responsibilities 12 2.6.1 Information Security Policy Distribution 13 2.6.2 Information Security Awareness Training 13 2.6.3 Background Checks 13 3 IT Change Control Policy 15 3.1 Policy Applicability and Overview 15 3.2 Change Request Submittal 15 3.2.1 Requests 15 3.2.2 Request Approval 15 3.2.3 Request Management 17 3.2.4 Projects 17 3.3 Change Request Approval 18 3.4 Project Approval 18 3.5 Change Testing 19 3.6 Change Implementation 19 3.6.1 Release 19 3.6.2 Release Approval...
Words: 28277 - Pages: 114
...Technical Writing Project Cover Sheet Capstone Proposal Project Name: Network Infrastructure Upgrade Proposal Student Name: FRANK RIZZO Degree Program: BSIT Mentor Name: REJINA WIDENER Table of Contents Captone Proposal Summary 3 Review of Other Work 6 Rationale and Systems Analysis 8 Goals and Objectives 10 Project Deliverables 12 Project Plan and Timelines 14 References…………………………………………………………………………………………………………………………………………….17 Capstone Proposal Summary United Luxury Housing LLC. (Hereinafter referred to as “ULH” or “the company”) prides itself on being one of the fastest growing property management companies in the United States. ULH owns and or manages luxury apartment communities in eight states currently and is projected to double in size over the next three to five years. ULH takes pride in their unique luxury properties that include amenities such as 24 hour maintenance and pool access, top-of-the-line workout facilities, on-site stores with groceries and commonly used household goods, luxurious club houses, movie theaters, and free high-speed internet. ULH experienced most of its growth over the last 18 months and until now had not realized that their outdated network infrastructure could possibly inhibit future growth. ULH is seeking proposals to upgrade their IT infrastructure to be able to better meet existing demand and future growth. This proposal and project will consist of the following five phases: 1. Project...
Words: 3634 - Pages: 15
...Risk-Based IT Audit Risk-Based Audit Methodology Apply to Organization’s IT Risk Management Kun Tao (Quincy) Cal Poly Pomona Author Note This paper was prepared for GBA 577 Advanced IS Auditing, taught by Professor Manson. March 2014 Page 1 of 26 Risk-Based IT Audit Table of Contents Abstract .......................................................................................................................................... 3 Introduction .................................................................................................................................... 4 Methodology................................................................................................................................... 6 Risk-based auditing methodology: Risk assessment...................................................................... 6 IT Risk Management................................................................................................................... 7 IT Risk Control Framework........................................................................................................ 8 Identifying assets...................................................................................................................... 13 Determining criticality and confidentiality levels......................................................................14 Threat and vulnerability identification................................................................
Words: 6057 - Pages: 25
...Unit 1 Assignment 1: Security Policies Overcoming Business Challenges There are a number of Information Technology security controls. The three most common are: physical, technical, and administrative controls; however, many organizations break down administrative controls into two separate categories: procedural and legal controls. "Security controls are the means of enforcing security policies that reflect the organization's business requirements, " (Johnson). Security controls are implemented to guarantee the information security C-I-A triad. Furthermore, security controls fall into three types of control classifications, they are: preventive, detective and corrective. These classifications are used to specify when a security control applies. Physical Controls are exactly what they sound like, physical obstacles used to prevent or deter access to IS resources. Physical controls can be barriers such as locked doors, requiring some sort of authentication/authorization command to enter, like a cipher lock or keycard. Biometric scanners are also excellent controls to identify and allow access to authorized personnel. Video cameras and closed-circuit television are also examples of physical controls. For organizations requiring extreme security measures, perimeter barriers such as walls or electric fences are used; additionally, security guards fall into the physical controls category. Technical Controls are logical and/or software related controls designed to restrict access...
Words: 470 - Pages: 2
