ITSS 4370
Assignment 3: Process Framework
PCI DSS
As a consumer, the most basic expectation in completing a transaction is that the seller keeps the consumer's credit card and cardholder information secure and confidential. The Payment Card Industry Data Security Standard (PCI DSS) was created in 2004 by the major payment card brands Visa, MasterCard, Discover and American Express for exactly this purpose (1, Rouse). The PCI DSS aims to ensure and improve cardholder data security and to encourage the implementation of consistent security measures around the world. The standard is meant to apply to any company involved in payment card processing, including merchants, processors, acquirers, issuers and service providers, as well as any entity that stores, processes or transmits cardholder data (5, PCI Security Standards Council). The PCI DSS organizes its twelve requirements under six main goals: Build and Maintain a Secure Network and Systems, Protect Cardholder Data, Maintain a Vulnerability Management Program, Implement Strong Access Control Measures, Regularly Monitor and Test Networks, and Maintain an Information Security Policy. These standards have become especially prominent in the past decade, as there have been numerous cyber-attacks aimed at cardholder data held by companies such as Target, Sony and TJX (TJ Maxx), making adoption of the standard essential for every company that stores or transmits such data.
The first of the six goals outlined in the PCI DSS is to build and maintain a secure network and systems. There are two requirements under this goal. The first is to install and maintain a firewall configuration that protects cardholder data, so that only the traffic a business actually needs can reach the systems holding that data. The second is to never use vendor-supplied defaults for system passwords and other security parameters. Default settings such as administrator passwords, PINs, wireless keys and SNMP community strings are published in vendor documentation and widely known, so they are among the first things an attacker tries; leaving them in place gives attackers an easy way in.
The second goal centers around the protection of cardholder data, both at rest and in transit. PCI DSS defines cardholder data as the primary account number (PAN) together with the cardholder name, expiration date and service code; sensitive authentication data such as the full magnetic-stripe track, the card verification code (CVV2/CVC2/CID) and PINs must never be stored after authorization, even if encrypted. Stored cardholder data cannot be made completely invulnerable, so the standard requires that the PAN be rendered unreadable wherever it is stored (by truncation, tokenization, strong one-way hashing or strong encryption with proper key management) and that it be masked when displayed, showing at most the first six and last four digits. Cardholder data is also typically transmitted over open, public networks such as the Internet, which requires that it be protected with strong cryptography (for example TLS) so that an attacker who intercepts the traffic cannot read it.
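The following Python script is an added example and is not part of the original assignment or of any PCI SSC material. It shows three practical pieces of the "protect stored cardholder data" goal: masking a PAN for display (first six and last four digits at most), producing a keyed one-way hash of the full PAN so records can be matched without keeping the number, and scanning log lines for PANs that were written out in the clear, which is one of the most common ways cardholder data ends up stored where it should not be. The log lines and the HMAC key are constructed for the demonstration; a real deployment would hold the key in a managed key store, not in the code.

```python
import hashlib
import hmac
import re

# Added example (not from the original assignment): helpers that implement
# PCI DSS Requirement 3 style controls on the primary account number (PAN):
# masking for display, a keyed one-way hash for lookups, and a scan that
# finds unmasked PANs leaking into logs. The key and log lines are constructed.


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for display: at most the first six and last four digits remain."""
    if not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def keyed_pan_hash(pan: str, key: bytes) -> str:
    """One-way keyed hash (HMAC-SHA256) of the full PAN, so a record can be matched
    against a presented card without storing the PAN itself. The key must be managed
    like any other cryptographic key; the constant key used below is an assumption
    for illustration only."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


# A run of 13 to 19 digits not touching other digits: a candidate PAN.
_DIGIT_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_unmasked_pans(text: str) -> list:
    """Return every Luhn-valid 13-19 digit run in text, i.e. likely cleartext PANs."""
    return [m.group(0) for m in _DIGIT_RUN.finditer(text) if luhn_valid(m.group(0))]


# Constructed sample log lines: the first leaks a full PAN, the second is
# correctly masked, the third holds an order number that is not a card number.
SAMPLE_LOG = [
    "2019-03-04 12:00:01 auth ok pan=4111111111111111 amount=19.99",
    "2019-03-04 12:00:02 auth ok pan=555555******4444 amount=45.00",
    "2019-03-04 12:00:03 order 1234567890123 shipped",
]


def scan_log(lines) -> dict:
    """Map each 1-based line number to the list of unmasked PANs found on it."""
    hits = {}
    for n, line in enumerate(lines, start=1):
        found = find_unmasked_pans(line)
        if found:
            hits[n] = found
    return hits


if __name__ == "__main__":
    demo_key = b"demo-key-replace-with-managed-key"   # assumption: illustration only
    for n, pans in scan_log(SAMPLE_LOG).items():
        for pan in pans:
            print(f"line {n}: cleartext PAN {mask_pan(pan)} "
                  f"(keyed hash {keyed_pan_hash(pan, demo_key)[:16]}...)")
```

The Luhn check keeps the scanner from flagging every long number (order IDs, timestamps) as a card number, but it is only a filter: a digit run that happens to pass Luhn will still be reported, so treat the output as leads to review rather than proof. Masking is applied to the value before it is printed so that the scanner's own output does not become another copy of the PAN.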
Third in the list of goals is for companies to implement and maintain a vulnerability management program. The first requirement under this goal is to protect all systems against malware and to regularly update anti-virus software or programs on the systems commonly affected by malicious software, keeping the tools running and their signatures current. The second is to develop and maintain secure systems and applications. This means identifying newly published vulnerabilities that affect the company's systems, installing applicable security patches promptly (the standard sets a one-month deadline for critical patches), and building in-house applications with secure coding practices so that common flaws such as injection and broken authentication are avoided rather than patched after the fact.
The fourth goal involves coming up with and implementing str...