Golden Gate Lab 3 PCI DSS Noncompliance CardSystems Solutions Case Study. Refer to the attachment of the case study and then answer the relevant questions.
Lab #3 Case Study on PCI DSS Noncompliance:
CardSystems Solutions
Introduction
Payment Card Industry Data Security Standard (PCI DSS) is a compliance standard that helps
prevent private data breaches in companies. Before PCI DSS was drafted, each credit card
company had its own security requirements. Any merchant wanting to accept that company's
credit card would need to comply with the company's security requirements. Merchants wanting
to accept multiple credit cards grew frustrated by having to comply with multiple sets of
requirements. To assist merchants, card companies sought a solution.
The solution began with the major credit card companies collaborating to form a representative
group, now called the PCI Security Standards Council. Commonly called the PCI Council, they
drafted and approved the standard, the PCI DSS. It's important to remember that the PCI Council
is a group of companies, not a government agency. While the PCI Council is a group, only the
individual credit card company can enforce PCI DSS on its own card. Instances of
noncompliance are dealt with through penalties.
In this lab, you will review a real-world case study that involves a PCI DSS noncompliance
scenario, and you will recommend mitigation remedies to prevent the loss of private data for
similar organizations.
Learning Objectives
Upon completing this lab, you will be able to:
Relate a real-world case study on the Payment Card Industry Data Security Standard (PCI
DSS) standard noncompliance and its implications.
Distinguish how the Payment Card Industry Data Security Standard (PCI DSS) is a standard
and not a law, and how it defines requirements for information systems security controls
and countermeasures.
Review a case study on a credit card transaction-processing company's noncompliance with
the Payment Card Industry Data Security Standard (PCI DSS) and identify the privacy
data breach that occurred.
Recommend PCI DSS-compliant mitigation remedies to prevent the same loss from
occurring again at a similar organization.
Deliverables
Upon completion of this lab, you are required to provide the following deliverables to your
instructor:
1. Lab Report file;
2. Lab Assessments file.
Instructor Demo
The Instructor will present the instructions for this lab. This will start with a general discussion
about the PCI DSS standard and the required security controls and security countermeasures that
the standard defines. PCI DSS is a standard, not a law. PCI DSS directly impacts information
systems security given that it defines requirements. The Instructor will then present an overview
of the case study in this lab.
Copyright © 2014 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved.
www.jblearning.com
Student Lab Manual
20 | LAB #3 Case Study on PCI DSS Noncompliance: CardSystems Solutions
Hands-On Steps
Note:
This is a paper-based lab. To successfully complete the deliverables for this lab, you will need access to Microsoft®
Word or another compatible word processor. For some labs, you may also need access to a graphics line drawing
application, such as Visio or PowerPoint. Refer to the Preface of this manual for information on creating the lab
deliverable files.
1. On your local computer, create the lab deliverable files.
2. Review the Lab Assessment Worksheet. You will find answers to these questions as you
proceed through the lab steps.
3. Review the Payment Card Industry Data Security Standard (PCI DSS) overview in Figure 1.
PCI Data Security Standard: High-Level Overview
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update antivirus software.
Requirement 6: Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know.
Requirement 8: Assign a unique ID to each person with computer access.
Requirement 9: Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security.
Figure 1 PCI DSS v1.2 information systems security requirements
4. In your Lab Report file, explain how PCI DSS is a standard and not a law and discuss
how it defines requirements for information systems security controls and
countermeasures.
Note:
Upon review of the PCI DSS supporting documents repository (link provided in the step below), you will see a
Prioritized Approach v2.0 document. This document details the 12 requirements of PCI DSS and prioritizes them
in a to-do list resembling a Gantt chart. Highly recommended.
5. Review the following case study on PCI DSS noncompliance:
External hackers managed to breach a credit card transaction-processing firm, resulting in
the theft of privacy information. You can find more information on this case against the
company, CardSystems Solutions, by visiting the Federal Trade Commission's (FTC's)
Web site at http://www.ftc.gov/news-events/press-releases/2006/02/cardsystems-solutions-settles-ftc-charges. You can find information about the PCI DSS standard and PCI DSS
requirements documents by visiting
Case Study: CardSystems Solutions
CardSystems Solutions, a third-party payment processor, collected thousands of
transactions from small and medium businesses. These transactions were then processed as
batches and sent to credit card providers (such as Visa and MasterCard). The company's
collection and processing of private information and financial data made it a prime target
for potential hackers. Because of this, the company had to meet the data security
requirements that federal, state, and industry standards impose. Compliance is not optional for
companies such as CardSystems Solutions.
In June 2004, an external auditor certified the company as Payment Card Industry Data
Security Standard (PCI DSS) compliant. The PCI DSS standards include installing a
firewall and antivirus software and updating virus definitions on a consistent schedule.
Companies must also encrypt privacy data elements. The company's certification implied
that it followed a high standard of security, meaning the company used encryption
methods to store privacy data. However, after the breach, a security assessment was
conducted. This assessment of the security measures used at the company proved that the
company was not PCI DSS-compliant.
The hacker who performed the attack used a basic exploit known as a Structured Query
Language (SQL) injection, which allows the hacker to place a snippet of code into the
application. The hacker gained access through a Web application that customers used to
access their data. With the code inserted into the fields of a form, the hacker was able to
send SQL commands to the backend SQL server. The hacker wrote a script that gathered
credit card data from the database, put it in a compressed ZIP file, and sent the credit card
data to the hacker community through a File Transfer Protocol (FTP) site. The impact of
the attack almost caused the company to go out of business. It had to eventually be
acquired by another business.
These types of SQL injection attacks can be mitigated. Quality Web site design, secure
coding, and internal firewalls all contribute to mitigating these types of attacks. The PCI
DSS standard requires these types of mitigation controls and security methods.
CardSystems was supposedly in compliance with the PCI DSS standard; however, if the
company were in compliance, a successful SQL injection attack would mean the firewall
was somehow circumvented.
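The following is an added example, not code from the lab manual or from CardSystems, illustrating the secure-coding remedy the paragraph above refers to. It assumes a hypothetical customer lookup form whose field is used to query a transactions table (an in-memory SQLite database stands in for the backend SQL server), and compares the query built by concatenating the form field with the parameterized form that PCI DSS Requirement 6 secure coding calls for.

```python
import sqlite3

# Constructed sample rows (not real card data): the numbers are the well-known
# test PANs, used only to stand in for the processor's transaction table.
SAMPLE_ROWS = [
    ("merchant-001", "4111111111111111"),
    ("merchant-002", "5555555555554444"),
    ("merchant-003", "4000000000000002"),
]


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the backend SQL server named in the case study."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE transactions (merchant_id TEXT, pan TEXT)")
    conn.executemany("INSERT INTO transactions VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, merchant_id: str) -> list:
    """The flaw the case study describes: the form field is pasted into the
    query text, so whatever the customer typed is parsed as part of the SQL."""
    sql = ("SELECT merchant_id, pan FROM transactions "
           f"WHERE merchant_id = '{merchant_id}'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, merchant_id: str) -> list:
    """Secure-coding remedy (PCI DSS Requirement 6): the value is bound as a
    parameter, so the database treats it as data, never as a command."""
    sql = "SELECT merchant_id, pan FROM transactions WHERE merchant_id = ?"
    return conn.execute(sql, (merchant_id,)).fetchall()


def compare(field_value: str) -> tuple:
    """Run both lookups on the same form input against a fresh constructed
    database and return the row counts as (vulnerable, parameterized)."""
    conn = build_db()
    return (len(lookup_vulnerable(conn, field_value)),
            len(lookup_parameterized(conn, field_value)))


if __name__ == "__main__":
    # A genuine merchant id: both lookups return that merchant's single row.
    print(compare("merchant-001"))  # (1, 1)
    # A form value that is a SQL fragment rather than an id: the concatenated
    # query's WHERE clause becomes always-true and every row is returned, while
    # the parameterized query matches nothing, since no merchant has that id.
    print(compare("x' OR '1'='1"))  # (3, 0)
```

The same comparison is what a code review or an automated test for Requirement 6 should check: a value that is not a valid identifier must never widen the result set.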
Note:
Implementing PCI DSS controls will not prevent the most determined hacker from successfully attacking, but they
provide a calculated level of due diligence to close virtually all attack channels.
CardSystems stored unencrypted data and failed to use proper security firewalls. It also
failed to maintain its antivirus definitions. As a result, the FTC found CardSystems
Solutions and its predecessors negligent and in violation of the FTC Act, 15 U.S.C.
§§ 41-58.
Federal Trade Commission Act (15 U.S.C. §§ 41-58, as amended)
Under this act, the commission is empowered, among other things, to (a) prevent unfair
methods of competition and unfair or deceptive acts or practices in or affecting
commerce; (b) seek monetary redress and other relief for conduct injurious to consumers;
(c) prescribe trade regulation rules defining with specificity acts or practices that are
unfair or deceptive, and establishing requirements designed to prevent such acts or
practices; (d) conduct investigations relating to the organization, business, practices, and
management of entities engaged in commerce; and (e) make reports and legislative
recommendations to Congress.
6. In your Lab Report file, discuss the PCI DSS requirements related to the case study on
PCI DSS noncompliance. Explain which requirements weren't met and how these violate
the Federal Trade Commission Act.
7. In your Lab Report file, recommend two or three mitigation remedies to prevent the same
thing from happening at another organization.
Note:
This completes the lab. Close the Web browser, if you have not already done so.
Evaluation Criteria and Rubrics
The following are the evaluation criteria for this lab that students must perform:
1. Relate a real-world case study on the Payment Card Industry Data Security Standard (PCI
DSS) standard noncompliance and its implications. [25%]
2. Distinguish how the Payment Card Industry Data Security Standard (PCI DSS) is a
standard and not a law, and how it defines requirements for information systems security
controls and countermeasures. [25%]
3. Review a case study on a credit card transaction-processing company's noncompliance
with the Payment Card Industry Data Security Standard (PCI DSS) and identify the
privacy data breach that occurred. [25%]
4. Recommend PCI DSS-compliant mitigation remedies to prevent the same loss from
occurring again at a similar organization. [25%]