Case Study: Payment Card Industry – Data Security Standards (PCI-DSS)
Written by: Badejo, Victor Oluwajuwon
11th March, 2016
Abstract
The Payment Card Industry published the Data Security Standard (PCI DSS) 11 years ago to provide a minimum set of required security controls to protect cardholder data. However, criminals are still breaching companies and gaining access to cardholder data as a result of non-compliance with these security standards.
This case study gives a detailed analysis of the goals and requirements of the security standard. It also presents examples of companies that failed to comply with the standard, with emphasis on which part of the standard they violated and the fines that resulted from their non-compliance. It concludes by analysing why some companies are compliant but not secure, and proposes changes companies should adopt to avoid a security breach while remaining PCI DSS compliant.
Key Terms
Firewall, malware, Qualified Security Assessor, SQL injection, CVV security code, FTP server, RAM scraper, POS terminal, class action lawsuit.
1. Introduction
1.1 PCI Security Standards Council and PCI DSS
The PCI Security Standards Council is a global organization that maintains and promotes Payment Card Industry standards for the safety of cardholder data across the globe. The council was founded in 2006 by American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. (PCI Security Standards Council, 2016). Companies accepting payment card transactions from any of these payment brands have to comply with PCI DSS requirements. The Payment Card Industry Security Standards Council (PCI SSC) published the Data Security Standard (DSS) to provide a minimum set of required security controls to protect cardholder data (Moldes, 2015).
The council has two major priorities:
 Helping merchants and financial institutions understand and implement standards for security policies, technologies and ongoing processes that protect their payment systems from breaches and theft of cardholder data
 Helping vendors understand and implement standards for creating secure payment solutions.
(PCI Security Standards Council, 2016)
1.2 Goals and PCI DSS Requirements
PCI DSS requires documentation to be developed and maintained, preventive and detective security controls to be implemented, and processes to be in place in order to identify and contain any security breach attempt as soon as possible. The PCI DSS goals and the requirements that belong to each goal are listed below:
GOALS AND PCI DSS REQUIREMENTS
Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for employees and contractors
(PCI Security Standards Council, 2016)
PCI DSS has evolved steadily over the years. Ever since the release of version 1.0, the council has made frequent changes to improve clarity and consistency. The latest version, 3.1, was released in April 2015 and will be retired three months after version 3.2 is released. As a result of these updates, companies have had to continuously validate their compliance with the standard. The standard was created to increase controls around cardholder data in order to reduce credit card fraud. According to PCI Security Standards Council (2008), “Validation of compliance is performed annually, either by an external Qualified Security Assessor (QSA) that creates a Report on Compliance (ROC) for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes”.
It is therefore not enough for a company to achieve PCI DSS compliance and rely on it for a long period of time, as attackers are always ready to exploit new vulnerabilities. Continuous audit and validation of compliance is therefore necessary to ensure effective security.
“Unlike security laws such as Gramm-Leach-Bliley, HIPAA and Sarbanes-Oxley, the PCI Standard and Security Program rules are not statutes or regulations enforced directly by the government. Rather, the PCI Standard and the Security Program rules are imposed and typically enforced contractually through the PCI Contract Chain” (Moldes, 2009). As a result, if a company wants to be able to accept payment cards, it must enter a contractual relationship with a payment processor and must therefore be PCI DSS compliant. Because of the many stages required to become compliant, some companies opt not to accept payment cards at all.
2. Analysis
The evolving global nature of business means that some companies would not survive if they refused to accept payment cards. Many companies have therefore embraced the PCI DSS goals and have strived to remain compliant. A closer look at two companies that failed to comply with the standard helps in understanding PCI DSS better. We look at the areas of the standard they violated, how the breaches affected them, and the fines that resulted from their non-compliance.
2.1 Heartland Payment Systems
In 2009, Heartland Payment Systems, a Fortune 1000 U.S.-based payment processing and technology provider, announced that it had been the victim of a confidentiality breach within its processing system in 2008. The data breach is said to have compromised tens of millions of credit and debit card transactions, making it one of the largest data breaches ever recorded. “The data stolen included the digital information encoded onto the magnetic stripe built into the backs of credit and debit cards; with that data, thieves can fashion counterfeit credit cards by imprinting the same stolen information onto fabricated cards” (Krebs, 2009).
2.1.1 PCI DSS Failure
Analysing the company shows that it failed to comply with the following PCI goals:
 Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
The compromise came through a SQL injection attack on the company's website. Albert Gonzalez, an American computer hacker and computer criminal who was the mastermind of the attack, used SQL injection to deploy backdoors on several corporate systems (Krebs, 2013). Although the attack was detected, it had already made its way through the company's firewall. The company clearly violated one of the PCI goals by not having a system secure enough to prevent the injection attack. It is worth noting that a firewall by itself does not stop SQL injection: the malicious input arrives over the same permitted HTTP connection as legitimate traffic, so the flaw is an application-layer one that Requirement 6 (develop and maintain secure systems and applications) is meant to address, while Requirement 1 is what should have kept a compromised web server from reaching the payment processing network.
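The injection class described above, as an added example that is not from the original case study and does not reproduce the query or payload used against Heartland (the page does not record them): a login check that builds SQL by string concatenation next to the parameterized form, run against a constructed in-memory SQLite table. The table layout, user names, passwords and the attacker string are assumptions for this illustration.

```python
import hashlib
import sqlite3
from typing import Optional


def _hash(password: str) -> str:
    # Unsalted SHA-256 keeps the example short; a real system would use a
    # slow, salted password hash. The hash is irrelevant to the injection.
    return hashlib.sha256(password.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    # Constructed sample data standing in for a web application's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", _hash("correct horse")), ("bob", _hash("hunter2"))],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    # The user-supplied username is spliced straight into the SQL text, so a
    # quote in the input closes the literal and the rest is parsed as SQL.
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password_hash = '" + _hash(password) + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    # Parameter binding: the driver sends the values separately from the SQL
    # text, so the input can never change the statement's structure.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, _hash(password)),
    ).fetchone()
    return row[0] if row else None


# Assumed attacker input: closes the string literal, makes the WHERE clause
# always true, and comments out the password check that follows.
PAYLOAD = "' OR 1=1 --"


def demo() -> dict:
    conn = build_db()
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "correct horse"),
        "legit_safe": login_safe(conn, "alice", "correct horse"),
        "attack_vulnerable": login_vulnerable(conn, PAYLOAD, "anything"),
        "attack_safe": login_safe(conn, PAYLOAD, "anything"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the payload, the concatenated statement becomes `... WHERE username = '' OR 1=1 --' AND password_hash = '...'`, which returns the first user without any password at all; the bound version searches for a user literally named `' OR 1=1 --` and finds nothing. A web application firewall can add a layer in front of this, but parameterized queries are the control that removes the flaw.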
 Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
According to SecureWorks (2012), “Roughly six months later, in mid-May 2008, the malware made the leap from the corporate network to the payment processing network, but HPS didn't know that at the time”. As stated earlier, the data stolen included the information encoded on the magnetic stripe at the back of credit and debit cards. This data could then be transferred onto counterfeit cards by imprinting the stolen information on them. The company handled cardholder data and failed to protect it: the malware was able to harvest cardholder data from the processing network, which shows that the data was not adequately protected within the company's systems, whether at rest or while being transmitted internally. This is clearly a violation of one of the PCI goals.
2.1.2 Fines
The company paid a heavy price. Heartland Payment Systems was delisted by Visa and MasterCard. Albert Gonzalez, who was indicted in August 2009, pleaded guilty to carrying out the attack and was sentenced to 20 years in prison. The company also suffered a $170 million loss. Although $20 million was covered by insurance, the net loss was $150 million (SecureWorks, 2012).
2.2 Target Corporation
On December 19, 2013, Minneapolis-based retail giant Target confirmed it was aware of unauthorized access to payment card data that impacted guests making credit and debit card purchases in its U.S. stores. The confidentiality breach, which occurred from November 27 to December 15, is one of the largest high-profile attacks in recent years. Hackers made off with customer names and account data, including credit and debit card numbers, expiration dates, the three-digit CVV security code, and even encrypted PIN data for 40 million account holders (Krebs, Target Investigating Data Breach, 2013) (Perez, 2014).
Target CEO at the time, Gregg Steinhafel, confirmed that the attackers stole card data by installing malicious software on point-of-sale (POS) devices in the checkout lines at Target stores, using a technique that parses data stored briefly in the memory of specific POS devices. “The malware captures the data stored on the card's magnetic stripe in the instant after it has been swiped at the terminal and is still in the system's memory. Armed with this information, thieves can create cloned copies of the cards and use them to shop in stores for high-priced merchandise” (Krebs, 2014).
2.2.1 PCI DSS Failure
According to the reports on the breach, it is clear Target did not meet the following PCI DSS requirements at the time of the attack:
 Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Fig 1.0: Typical flow of cardholder data through a transaction (Moldes, Contracting for PCI DSS Compliance, 2009)
Fig 1.0 shows the typical flow of data from the point a customer swipes a card until he or she receives acknowledgement of the transaction. Target failed to protect cardholder data by not encrypting the transmission of cardholder data from the POS terminal and throughout the transaction process. When a purchase is made at the POS terminal, the cardholder data is held temporarily in the live memory of the register, where it appears in plaintext before being passed on to the back-office server. This violates the intent of the goal that says “Encrypt transmission of cardholder data across open, public networks”, although, read strictly, Requirement 4 covers only open, public networks and not the internal path from POS memory to the back office; that gap in the standard is taken up in section 3.1.
 Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Further analysis revealed that the RAM scraper, the memory-parsing malware that infected Target's checkout counters (POS), went undetected for six days. The malware started transmitting the stolen data to an external FTP server, using another infected machine within the Target network as an intermediary.
“These transmissions occurred several times a day over a 2 week period. The cyber criminals behind the attack used a virtual private server (VPS) located in Russia to download the stolen data from the FTP. They continued to download the data over 2 weeks for a total of 11 GBS of stolen sensitive customer information” (Jonathan, 2016).
This shows a failure of the company's ability to maintain a vulnerability management program.
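What a memory-parsing (RAM scraping) POS malware looks for, as described in section 2.2 and again in the paragraph above, and what a defender can scan POS process memory for, as an added example that is not from the original case study and is not the Target malware: a scanner that searches a constructed memory buffer for magnetic-stripe Track 1 and Track 2 records, discards candidates whose card number fails the Luhn check, and reports the PAN masked to the first six and last four digits, which is the most PCI DSS Requirement 3 allows to be displayed. The buffer contents, the card numbers (standard test numbers) and the simplified track patterns are assumptions for this illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List

# Simplified magnetic-stripe layouts (assumption based on the ISO 7813 track
# formats): Track 1 is %B<PAN>^<NAME>^<YYMM>...?, Track 2 is ;<PAN>=<YYMM>...?
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{2})(\d{2})[^?]{0,30}\?")
TRACK2 = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})\d{3}[^?]{0,30}\?")


def luhn_ok(pan: bytes) -> bool:
    """Mod-10 check every PAN must satisfy; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan.decode("ascii"))):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: bytes) -> str:
    """Keep first six and last four digits, the most PCI DSS allows to be shown."""
    s = pan.decode("ascii")
    return s[:6] + "*" * (len(s) - 10) + s[-4:]


@dataclass
class Finding:
    offset: int      # byte offset of the track record in the scanned buffer
    track: int       # 1 or 2
    masked_pan: str
    expiry: str      # YY/MM


def scan_memory(buf: bytes) -> List[Finding]:
    """Return every Luhn-valid track record found in a raw memory buffer."""
    findings: List[Finding] = []
    for track, pattern in ((1, TRACK1), (2, TRACK2)):
        for m in pattern.finditer(buf):
            pan = m.group(1)
            if not luhn_ok(pan):
                continue  # digit run that is not a real card number
            yy, mm = (m.group(3), m.group(4)) if track == 1 else (m.group(2), m.group(3))
            findings.append(Finding(m.start(), track, mask_pan(pan),
                                    f"{yy.decode()}/{mm.decode()}"))
    return sorted(findings, key=lambda f: f.offset)


# Constructed sample: what a POS process's heap might look like moments after
# a swipe, with two real-format records, one decoy that fails Luhn, and noise.
SAMPLE_MEMORY = (
    b"\x00" * 16
    + b"POS-TXN-LOG v2\x00"
    + b"%B4111111111111111^DOE/JOHN^25121011000000000000?\x00"
    + b"\x90" * 8
    + b";5555555555554444=25121011000012300000?\x00"
    + b";1234567890123456=25121010000000000000?\x00"  # Luhn fails: skipped
    + b"\xff" * 16
)


if __name__ == "__main__":
    for f in scan_memory(SAMPLE_MEMORY):
        print(f"offset={f.offset:#06x} track={f.track} pan={f.masked_pan} exp={f.expiry}")
```

The same patterns that let the scraper harvest cards let a defender confirm, by dumping the memory of the POS process, whether plaintext track data ever sits in RAM. It also shows why encrypting at the card reader matters: if the data reaching the register's memory is already ciphertext, neither this scanner nor the malware finds anything to match.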
2.2.2 Fines
Although Target did not lose authorization to process payment card transactions, non-compliance in terms of implementation exposed it to fines. Target agreed to pay $10 million to settle a class-action lawsuit filed as a result of the breach.
The proposed settlement would also require the Minneapolis-based Target Corp. to implement changes to its security policies within 10 business days of the settlement becoming effective. Those changes would require the company to:
i. Appoint a chief information security officer.
ii. Keep a written information security program, which will document potential security risks, and develop metrics to measure the security of its systems.
iii. Offer security training to "relevant" workers that educates them about the importance of safeguarding personal identifying information. (npr, 2015)
3. Conclusion
3.1 Interesting Discovery
A common scenario associated with PCI DSS occurs when companies are breached and claim to have been compliant at the time of the hack. Both companies discussed above claimed to be PCI DSS compliant at the time of the attack. We look at some of the discoveries:
Two weeks prior to the date the payment system was compromised, Heartland Payment Systems was approved by its Qualified Security Assessor (QSA) as PCI compliant, according to SecureWorks (2012). This sparked a lot of debate, because companies are believed to have spent billions of dollars implementing PCI requirements and billions more in mandatory third-party compliance assessments, and this has not prevented them from being attacked.
According to Vijayan (2014), the breach at Target Corporation highlighted weaknesses in the PCI security standards. Although PCI mandates checking for malware, he stressed that none of the typical anti-malware products could find the Target malware. It is believed that nothing in the PCI standard could have helped Target detect and block the intrusion before it happened. He concluded by saying PCI does not mandate the next-generation anti-malware security that is starting to emerge.
“The biggest problem is the PCI standard doesn't require companies to encrypt data in motion. While the PCI DSS standard has requirements for encrypting data at rest, there is no such requirement for data in action during the entire transaction processing chain” (Vijayan, 2014).
3.2 Solution / Remediation
After extensive research, it can be concluded that although the PCI DSS standard is not perfect, it is still very much effective in ensuring the protection of payment systems and cardholder data. The suggestions below would help reduce breaches associated with payment card systems:
i. New updates to the PCI DSS goals should require encryption of cardholder data not only at rest and across public networks, but from the point of capture and throughout the internal transaction processing chain (for example, from the POS terminal to the back-office server). This would close the gap left by the requirement which says “Encrypt transmission of cardholder data across open, public networks”: as the Target breach shows, data sitting in plaintext in POS memory or on an internal network is just as exposed to malware as data on a public network.
ii. The breaches point out PCI implementation failures rather than a lack of controls in the standard itself. The part of the PCI process that needs change is the compliance assessment process. Implementation checks and vulnerability scanning should therefore be carried out properly by certified security assessors, and more frequently, in order to reduce the number of attacks associated with payment systems.
While the PCI SSC can improve PCI DSS in future versions, as it has been doing with every release, ultimately cardholder data security, and not just compliance, is the responsibility of each organization.
References
Jonathan Jaffe, K. J. (2016). 20131218-Target. Retrieved from http://nc3.mobi/references/2013-detail/
Krebs, B. (2009, January 20). Payment Processor Breach May Be Largest Ever. Retrieved from The Washington Post: http://voices.washingtonpost.com/securityfix/2009/01/payment_processor_breach_may_b.html?hpid=topnews
Krebs, B. (2013, December 18). Target Investigating Data Breach. Retrieved from KrebsOnSecurity: http://krebsonsecurity.com/2013/12/sources-target-investigating-data-breach/
Krebs, B. (2014, January 14). A First Look at the Target Intrusion, Malware. Retrieved from KrebsOnSecurity: http://krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/
Moldes, C. J. (2009, August 14). Contracting for PCI DSS Compliance. Retrieved from SANS Institute Reading Room: https://www.sans.org/reading-room/?utm_source=web&utm_medium=text-ad&utm_content=generic_rr_pdf_logo1&utm_campaign=Reading_Room&ref=36909
Moldes, C. J. (2015, December 7). Compliant but not Secure: Why PCI-Certified Companies Are Being Breached. Retrieved from SANS Institute InfoSec Reading Room: https://www.sans.org/search/results/PCI+DSS/0/2
npr.org. (2015, March 19). Target Offers $10 Million Settlement in Data Breach Lawsuit. Retrieved from www.npr.org: http://www.npr.org/sections/thetwo-way/2015/03/19/394039055/target-offers-10-million-settlement-in-data-breach-lawsuit
PCI Security Standards Council. (2016). Maintaining Payment Security. Retrieved from PCI Security Standards Council: https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security
PCI Security Standards Council. (2016). PCI Security. Retrieved from PCI Security Standards Council: https://www.pcisecuritystandards.org/pci_security/
PCI Security Standards Council. (2008, October). Understanding the Intents of the Requirements of PCI DSS. Retrieved from PCI Security Standards: https://www.pcisecuritystandards.org/pdfs/pci_dss_saq_navigating_dss.pdf
Perez, S. (2014, January 10). Target's Data Breach Gets Worse. Retrieved from TechCrunch: http://techcrunch.com/2014/01/10/targets-data-breach-gets-worse-70-million-customers-had-info-stolen-including-names-emails-and-phones/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=Netvibes
SecureWorks. (2012, October 25). Risk Management. Retrieved from www.secureworks.com: https://www.secureworks.com/blog/general-pci-compliance-data-security-case-study-heartland
Vijayan, J. (2014, January 24). Security Failures at Companies Certified as PCI Compliant Suggest Problems in the Standards and Compliance. Retrieved from ComputerWorld: http://www.computerworld.com/article/2486879/data-security/after-target--neiman-marcus-breaches--does-pci-compliance-mean-anything-.html
Wikipedia. (2016, February 24). Albert Gonzalez. Retrieved from Wikipedia.

2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 

KĂŒrzlich hochgeladen (20)

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 

A Case Study on Payment Card Industry Data Security Standards

  • 1. Case Study: Payment Card Industry – Data Security Standards (PCI-DSS)
    Written by: Badejo, Victor Oluwajuwon
    11th March, 2016
  • 2. Abstract
    The Payment Card Industry published the Data Security Standard (PCI DSS) 11 years ago to provide a minimum set of required security controls to protect cardholder data. However, criminals are still breaching companies and getting access to cardholder data as a result of non-compliance to these security standards.
    This case study gives a detailed analysis of the security standard goals and requirements. It also presents examples of companies that failed to comply with the laws, with emphasis on which part of the security standards they violated and the fines that resulted from their non-compliance. It concludes by analyzing why some companies are compliant but not secure and proposes changes companies should adopt to avoid a security breach and still remain PCI DSS compliant.
    Key Terms
    Firewall, malware, Qualified Security Assessor, SQL Injection, CVV security code, FTP server, RAM Scraper, POS terminal, class action lawsuit.
  • 3. 1. Introduction.
    1.1 PCI Security Standards Council and PCI DSS
    The PCI Security Standards Council is a global organization that maintains and promotes Payment Card Industry standards for the safety of cardholder data across the globe. The council was founded in 2006 by American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. (PCI Security Standards Council, 2016). Companies accepting payment card transactions from any of these payment brands have to comply with PCI DSS requirements. The Payment Card Industry Security Standards Council (PCI SSC) published the Data Security Standard (DSS) to provide a minimum set of required security controls to protect cardholder data. (Moldes, 2015)
    The council has two major priorities, which include:
    - Helping merchants and financial institutions understand and implement standards for security policies, technologies and ongoing processes that protect their payment systems from breaches and theft of cardholder data
    - Helping vendors understand and implement standards for creating secure payment solutions. (PCI Security Standards Council, 2016)
    1.2 GOALS AND PCI DSS REQUIREMENTS
    PCI DSS requires documentation to be developed and maintained, preventive and detective security controls to be implemented, and processes to be in place in order to identify and contain any security breach attempts as soon as possible. The PCI DSS goals and requirements are listed in the table below:
    GOALS                                        PCI DSS REQUIREMENTS
    Build and Maintain a Secure Network          1. Install and maintain a firewall configuration to protect cardholder data
                                                 2. Do not use vendor-supplied defaults for system passwords and other security parameters
    Protect Cardholder Data                      3. Protect stored cardholder data
                                                 4. Encrypt transmission of cardholder data across open, public networks
    Maintain a Vulnerability Management Program  5. Use and regularly update anti-virus software or programs
                                                 6. Develop and maintain secure systems and applications
    Implement Strong Access Control Measures     7. Restrict access to cardholder data by business need-to-know
                                                 8. Assign a unique ID to each person with computer access
                                                 9. Restrict physical access to cardholder data
    Regularly Monitor and Test Networks          10. Track and monitor all access to network resources and cardholder data
                                                 11. Regularly test security systems and processes
    Maintain an Information Security Policy      12. Maintain a policy that addresses information security for employees and contractors
    (PCI Security Standards Council, 2016)
  • 4. PCI DSS has evolved steadily over the years. Ever since the release of version 1.0, the council has made frequent changes to improve clarity and consistency. The latest version, 3.1, was released in April 2015, and will be retired 3 months after version 3.2 is released. As a result of these updates, companies have had to continuously validate their compliance to the standard. The standard was created to increase controls around cardholder data to reduce credit card fraud. According to PCI Security Standards (2008), “Validation of compliance is performed annually, either by an external Qualified Security Assessor (QSA) that creates a Report on Compliance (ROC) for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes”. It is therefore not enough for a company to achieve PCI DSS compliance and rely on it for a long period of time, as attackers are always ready to exploit new vulnerabilities. Constant audit and validation of compliance is therefore necessary to ensure effective security.
    “Unlike security laws such as Gramm-Leach-Bliley, HIPAA and Sarbanes-Oxley, the PCI Standard and Security Program rules are not statutes or regulations enforced directly by the government. Rather, the PCI Standard and the Security Program rules are imposed and typically enforced contractually through the PCI Contract Chain”. (Moldes, 2009). As a result, if a company wants to be able to accept payment cards, it must enter a contractual relationship with a payment processor and must therefore be PCI DSS compliant. Due to the many stages required to be compliant, some companies opt not to accept payment cards to transact their businesses.
  • 5. 2. Analysis
    The evolving global nature of transacting business means that some companies would not survive if they refuse to accept payment cards to transact business. Many companies have therefore embraced the PCI DSS goals and have strived to remain compliant. A closer look at two different companies that failed to comply with the standard would help understand the PCI DSS better. We would look at areas of the standards they violated and how it affected them adversely, and fines that resulted from their non-compliance.
    2.1 Heartland Payment System
    In 2009, Heartland Payment Systems, a Fortune 1000 U.S.-based payment processing and technology provider, announced that it had been a victim of a confidentiality breach within its processing system in 2008. The data breach is said to have compromised tens of millions of credit and debit card transactions, making it one of the largest data breaches ever recorded. “The data stolen included the digital information encoded onto the magnetic stripe built into the backs of credit and debit cards; with that data, thieves can fashion counterfeit credit cards by imprinting the same stolen information onto fabricated cards”. (Krebs, 2009)
    2.1.1 PCI DSS Failure
    Analysing the company shows that it failed to comply with the following PCI Goals:
    - Build and Maintain a Secure Network
      1. Install and maintain a firewall configuration to protect cardholder data
    The compromise came through a SQL injection attack on the company's website. Albert Gonzalez, an American computer hacker and computer criminal who was the mastermind of the attack, used SQL injection to deploy backdoors on several corporate systems (Krebs, 2013). Although it was detected, it made its way through the company's firewall. The company clearly violated one of the PCI goals by not having a system secure enough to prevent the injection attack.
    - Protect Cardholder Data
      3. Protect stored cardholder data
      4. Encrypt transmission of cardholder data across open, public networks
    According to SecureWorks (2012), “Roughly six months later, in mid-May 2008, the malware made the leap from the corporate network to the payment processing network, but HPS didn't know that at the time”. As stated earlier, the data stolen included information encoded on the magnetic stripe at the back of credit and debit cards. This data could then be transferred onto counterfeit cards by imprinting the stolen information on them. The company had stored cardholder data and failed to protect it. The company's encryption for the data at rest was not effective. This is made evident by the ability of the malware to retrieve cardholder data, which is clearly a violation of one of the PCI goals.
    2.1.2 Fines
    The company paid a heavy price. Heartland Payment System was delisted by Visa and MasterCard. Albert Gonzalez, who was indicted in August 2009, pleaded guilty to carrying out the attack and was
  • 6. sentenced to 20 years in jail. The company also suffered a $170 million loss. Although $20 million was covered by insurance, their net loss was $150 million. (SecureWorks, 2012).
    2.2 Target Corporation
    On December 19, 2013, Minneapolis-based retail giant Target confirmed it was aware of unauthorized access to payment card data that impacted guests making credit and debit card purchases in its U.S. stores. The confidentiality breach, which occurred from November 27 to December 15, is one of the largest, high-profile attacks in recent years. Hackers made off with customer names and account data, including credit and debit card numbers, expiration dates, the three-digit CVV security code, and even PIN data for 40 million account holders. (Krebs, Target Investigating Data Breach, 2013) (Perez, 2014).
    Target CEO at the time, Gregg Steinhafel, confirmed that the attackers stole card data by installing malicious software on point-of-sale (POS) devices in the checkout lines at Target stores, using a technique that parses data stored briefly in the memory banks of specific POS devices. “The malware captures the data stored on the card's magnetic stripe in the instant after it has been swiped at the terminal and is still in the system's memory. Armed with this information, thieves can create cloned copies of the cards and use them to shop in stores for high-priced merchandise” (Krebs, 2014)
    2.2.1 PCI DSS Failure
    According to the report from the breach, it is clear Target didn't meet the following PCI DSS requirements at the time of the attack:
    - Protect Cardholder Data
      3. Protect stored cardholder data
      4. Encrypt transmission of cardholder data across open, public networks
    (Moldes, Contracting for PCI DSS Compliance, 2009)
    Fig 1.0 (figure not reproduced in this transcript)
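The two controls section 2.1.1 above faults Heartland for, a website open to SQL injection and stored cardholder data left unprotected, as an added Python example (not code from the case study or from Heartland): the string-built query beside its parameterised form, and a card table that holds only a truncated PAN and a keyed HMAC token rather than the PAN itself. The token key, table layout and card number are constructed for the example; only the standard library (sqlite3, hmac, hashlib) is used.

```python
"""Added example (not from the case study): two controls from section 2.1.1 in code.
Requirement 6 / SQL injection: a concatenated query next to a parameterised one.
Requirement 3 / protect stored cardholder data: the full PAN is never written to the
table; only a truncated form (first six, last four) and a keyed HMAC token are stored.
The key, table layout and card number below are constructed for this example."""
import hashlib
import hmac
import sqlite3

# Constructed key for the lookup token; a real deployment keeps it in an HSM or KMS.
TOKEN_KEY = b"example-token-key-not-for-production"


def luhn_valid(pan: str) -> bool:
    """Luhn check: rejects mistyped numbers before anything is stored."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """First six and last four digits; the middle is masked before storage or display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str) -> str:
    """One-way keyed token (HMAC-SHA256): a lookup key that does not reveal the PAN."""
    return hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()


def new_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (token TEXT PRIMARY KEY, masked TEXT, holder TEXT)")
    return conn


def store_card(conn, pan: str, holder: str) -> str:
    """Store only the token and the truncated PAN; returns the token."""
    if not luhn_valid(pan):
        raise ValueError("invalid PAN")
    tok = pan_token(pan)
    conn.execute("INSERT OR REPLACE INTO cards VALUES (?, ?, ?)",
                 (tok, truncate_pan(pan), holder))
    return tok


def lookup_unsafe(conn, holder: str) -> list:
    """The 'before' form: caller text is spliced into the SQL, so it can alter the query."""
    sql = "SELECT masked FROM cards WHERE holder = '" + holder + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, holder: str) -> list:
    """The hardened form: a bound parameter, so the text is only ever data."""
    return [row[0] for row in conn.execute(
        "SELECT masked FROM cards WHERE holder = ?", (holder,))]


def demo() -> dict:
    """Store one constructed record and run both lookups on a name containing a quote."""
    conn = new_db()
    pan = "4111111111111111"                 # constructed test number that passes Luhn
    store_card(conn, pan, "O'Brien")
    try:
        unsafe = lookup_unsafe(conn, "O'Brien")
    except sqlite3.OperationalError as exc:   # the quote breaks the concatenated SQL
        unsafe = "SQL error: " + str(exc)
    rows = conn.execute("SELECT token, masked, holder FROM cards").fetchall()
    return {"safe": lookup_safe(conn, "O'Brien"),
            "unsafe": unsafe,
            "pan_in_db": any(pan in str(r) for r in rows)}
```

The apostrophe in a legitimate name is enough to show why the concatenated query is a defect: the same input that breaks it here is what an attacker reshapes into injected SQL, while the bound-parameter form returns the masked record and the table never contains the PAN.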
  • 7. Fig 1.0 shows the typical flow of data from the point a customer swipes in till he/she receives acknowledgement for a transaction. Target failed to protect cardholder data by not encrypting the transmission of cardholder data from the POS terminal and throughout the transaction process. When a purchase is made at the POS terminal, the cardholder data is stored temporarily in the live memory of the computer, where it appears in plain text before being passed on to the back office server. This is clearly in violation of the goal that says “Encrypt transmission of cardholder data across open, public networks”.
    - Maintain a Vulnerability Management Program
      5. Use and regularly update anti-virus software or programs
      6. Develop and maintain secure systems and applications
    Further analysis revealed that the RAM scraper, or memory-parsing malware, that infected Target's checkout counters (POS) went undetected for 6 days. The malware started transmitting the stolen data to an external FTP server, using another infected machine within the Target network. “These transmissions occurred several times a day over a 2 week period. The cyber criminals behind the attack used a virtual private server (VPS) located in Russia to download the stolen data from the FTP. They continued to download the data over 2 weeks for a total of 11 GBS of stolen sensitive customer information” (Jonathan, 2016). This shows a failure in the company's ability to maintain a vulnerability management program.
    2.2.2 Fines
    Although Target did not lose authorization to process payment card transactions, non-compliance in terms of implementation exposed them to fines. Target agreed to pay $10 million to settle a class-action lawsuit brought as a result of the breach.
    The proposed settlement would also require the Minneapolis-based Target Corp. to implement changes to its security policies within 10 business days of the settlement becoming effective. Those changes would include requiring the company to
    i. Appoint a chief information security officer.
    ii. Keep a written information security program, which will document potential security risks, and develop metrics to measure the security of its systems.
    iii. Offer security training to "relevant" workers that educates them about the importance of safeguarding personal identifying information. (npr, 2015)
  • 8. 3. Conclusion
    3.1 Interesting Discovery
    A common scenario associated with the PCI DSS occurs when companies are breached and claim to be compliant at the time of the hack. Both companies discussed above claimed to be PCI DSS compliant at the time of the attack. We look at some of the discoveries:
    Two weeks prior to the date the payment system was compromised, Heartland Payment System was approved by their Qualified Security Assessor (QSA) as PCI compliant, according to (SecureWorks, 2012). This sparked a lot of debate due to the fact that many companies are believed to have spent billions of dollars implementing PCI requirements and billions more in mandatory third-party compliance assessments. This hasn't helped in preventing them from being attacked.
    According to (Vijayan, 2014), the breach at Target Corporation highlighted weaknesses in PCI Security standards. Although PCI mandates checking for malware, he stressed that none of the typical anti-malware products could find the Target malware. It is believed that nothing in the PCI standard could have helped Target detect and block the intrusion before it happened. He concluded by saying PCI doesn't mandate the next-generation anti-malware security that's starting to emerge.
    “The biggest problem is the PCI standard doesn't require companies to encrypt data in motion. While the PCI DSS standard has requirements for encrypting data at rest, there is no such requirement for data in action during the entire transaction processing chain”. (Vijayan, 2014)
    3.2 Solution / Remediation
    After extensive research, it has been concluded that although the PCI DSS standards are not perfect, the standard is still very much effective in ensuring protection of payment systems and protecting cardholder data. Some of the suggestions below would definitely help reduce breaches associated with payment card systems:
    i. New updates to the PCI DSS compliance goals should ensure that encryption of data is not only done during transmission. The new goal should indicate that encryption of data should be done at rest, as well as in motion. This would clarify the PCI DSS requirement which says “Encrypt transmission of cardholder data across open, public networks”.
    ii. The breaches point out PCI implementation failures rather than a lack of controls in the standard itself. The part of the PCI process that needs change is the Compliance Assessment Process. Implementation and vulnerability scanning should therefore be carried out properly by certified security assessors more frequently in order to reduce the number of attacks associated with payment systems.
    While PCI SSC can improve the PCI DSS in future versions as they have been doing with every release, ultimately, cardholder data security, and not just compliance, is the responsibility of each organization.
  • 9. References
    Jonathan Jaffe, K. J. (2016). 20131218-Target. Retrieved from http://nc3.mobi/references/2013-detail/
    Krebs, B. (2009, January 20). Payment Processor Breach May Be Largest Ever. Retrieved from The Washington Post: http://voices.washingtonpost.com/securityfix/2009/01/payment_processor_breach_may_b.html?hpid=topnews
    Krebs, B. (2013, December 18). Target Investigating Data Breach. Retrieved from Krebs on Security: http://krebsonsecurity.com/2013/12/sources-target-investigating-data-breach/
    Krebs, B. (2014, January 14). A First Look at the Target Intrusion, Malware. Retrieved from Krebs on Security: http://krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/
    Moldes, C. J. (2009, August 14). Contracting for PCI DSS Compliance. Retrieved from SANS Institute Reading Room site: https://www.sans.org/reading-room/?utm_source=web&utm_medium=text-ad&utm_content=generic_rr_pdf_logo1&utm_campaign=Reading_Room&ref=36909
    Moldes, C. J. (2015, December 7). Compliant but not secure: Why PCI-Certified Companies Are Being Breached. Retrieved from SANS Institute InfoSec Reading Room: https://www.sans.org/search/results/PCI+DSS/0/2
    npr.org. (2015, March 19). Target Offers $10 Million Settlement In Data Breach Lawsuit. Retrieved from www.npr.org: http://www.npr.org/sections/thetwo-way/2015/03/19/394039055/target-offers-10-million-settlement-in-data-breach-lawsuit
    PCI Security Standards Council. (2016). Maintaining Payment Security. Retrieved from PCI Security Standards Council: https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security
    PCI Security Standards Council. (2016). PCI Security. Retrieved from PCI Security Standards Council: https://www.pcisecuritystandards.org/pci_security/
    pcisecuritystandards. (2008, October). Understanding the intents of the requirements of PCI DSS. Retrieved from PCI Security Standards: https://www.pcisecuritystandards.org/pdfs/pci_dss_saq_navigating_dss.pdf
    Perez, S. (2014, January 10). Target's Data Breach Gets Worse. Retrieved from TechCrunch: http://techcrunch.com/2014/01/10/targets-data-breach-gets-worse-70-million-customers-had-info-stolen-including-names-emails-and-phones/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=Netvibes
    SecureWorks. (2012, October 25). Risk Management. Retrieved from www.secureworks.com: https://www.secureworks.com/blog/general-pci-compliance-data-security-case-study-heartland
  • 10. Vijayan, J. (2014, January 24). Security failures at companies certified as PCI compliant suggests problem in the standards and compliance. Retrieved from ComputerWorld: http://www.computerworld.com/article/2486879/data-security/after-target--neiman-marcus-breaches--does-pci-compliance-mean-anything-.html
    Wikipedia. (2016, February 24). Albert Gonzalez. Retrieved from Wikipedia.