Securing Business Information

PCI-DSS Overview

Targets

The main target of the PCI DSS is to protect cardholder data. The PCI DSS v3.2.1 standard covers all systems involved in storing, processing or transmitting cardholder data or any other sensitive information during digital transactions, and all systems related to the processing of card payments, such as merchants, card issuers, payment gateways and processing systems (Calder & Williams, 2019).

PCI-DSS Administration

The PCI Security Standards Council (PCI SSC) is responsible for the administration and management of the PCI DSS. The PCI SSC was formed in 2006 by the major payment card brands, including MasterCard, Visa, JCB International, Discover Financial Services and American Express. Its main objective is the proper management and administration of the Payment Card Industry Data Security Standard (Calder & Williams, 2019).

Compliance Assessment

The payment card brands and acquirers are responsible for ensuring compliance. Compliance assessments are conducted in two areas:

Compliance Assessment at Merchant’s Side

Two types of compliance assessment can be carried out at the merchant's side. The first is self-assessment, which involves completing the PCI Self-Assessment Questionnaire; this option is available only to Level 2 and Level 3 merchants. The second is a full on-site compliance assessment, which follows the PCI DSS Requirements and Security Assessment Procedures (Seaman, 2020).

Compliance Assessment at Acquirer & Service Provider’s Side

Acquirers and service providers are of two kinds: compliant and non-compliant. For a compliant acquirer or service provider there are again two kinds of compliance assessment, self-assessment and on-site assessment. Both procedures are the same as those conducted at the merchant's side, except that an Attestation of Compliance document is also submitted in both cases (Seaman, 2020).

For a non-compliant acquirer or service provider, a signed request letter is needed along with a completed Prioritized Approach for PCI DSS worksheet or the "Action Plan for Non-Compliant Status" section of the Attestation of Compliance (Seaman, 2020).

Penalties for Non-Compliance

The penalties for non-compliance with the PCI DSS are substantial. The penalty amounts for the various merchant levels are given below:

  • Level 1 Merchants: USD 25,000 per month
  • Level 2 Merchants: USD 20,000 per month
  • Level 3 Merchants: USD 5,000 per month
  • Level 4 Merchants: not subject to fines (Wilson, Roman & Beierly, 2018).

In the compliance process, compliance assessments are carried out for merchants. Any gap identified must be rectified immediately; otherwise it can lead to additional penalties, as follows:

Level 1 & 2 Merchants

  • 1st violation: assessment amount up to USD 25,000
  • 2nd violation: assessment amount up to USD 50,000
  • 3rd violation: assessment amount up to USD 100,000
  • 4th violation: assessment amount up to USD 200,000

Level 3 Merchants

  • 1st violation: assessment amount up to USD 10,000
  • 2nd violation: assessment amount up to USD 20,000
  • 3rd violation: assessment amount up to USD 40,000
  • 4th violation: assessment amount up to USD 80,000

PCI DSS Is Described as a 'Point' Standard and Not as a Framework

PCI DSS is not a framework but only a 'point' standard, because it defines the minimum requirements needed to protect cardholder data and other related sensitive information. PCI DSS is not a replacement for local laws, legal obligations or government regulations (Wilson, Roman & Beierly, 2018).

Compatibility Issues

Firewalls

The firewalls selected for the network are stateful inspection firewalls. By contrast, a static filtering firewall operates at the network layer of the OSI model. Its filtering is packet oriented: it examines each data packet independently, without considering previously passed packets or their connection with the current packet. Ports have to be opened and closed manually in its rule set, and it cannot differentiate between application protocols. It examines only the IP and protocol headers of the packets passing through it (Pradhan, Nayak & Pradhan, 2020).

A dynamic filtering firewall provides tighter security than static filtering. It is a connection-oriented firewall that monitors the connections active at a given time and uses that information to allow or block the flow of data packets. It also examines the IP header of each packet trying to pass through it. Dynamic filtering firewalls operate at layers 3 and 4 of the TCP/IP model, filtering TCP and UDP packets (Pradhan, Nayak & Pradhan, 2020).

Stateful inspection firewalls examine the source and destination addresses of incoming packets and also the relationship of each packet with previously allowed packets, in order to block any unauthorized access to the network. These firewalls combine packet inspection with verification of the TCP handshake. The security provided by stateful inspection is very satisfactory (Pradhan, Nayak & Pradhan, 2020).

Proxy firewalls work at the application layer of the OSI model. Like stateful inspection, they examine both the packets and the TCP handshake. In addition, they inspect the packet payload, which makes it possible to detect and prevent an intrusion attempt. In a proxy firewall, the connection is made to the source of the incoming data before packet examination starts (Pradhan, Nayak & Pradhan, 2020).

A possible and better alternative would be proxy firewalls. One reason is that proxy firewalls are faster than stateful firewalls: stateful firewalls place a heavy load on system resources, which slows the system down. The other reason is deep packet inspection, that is, examining the data inside each packet to verify that no malware is present.
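To make the contrast between static filtering and stateful inspection concrete, here is an added Python sketch, not from this report or from Pradhan, Nayak and Pradhan (2020): a stateless rule that judges each packet on its own headers, beside a connection-tracking filter that verifies the TCP handshake and admits inbound packets only for connections an internal host opened. The internal prefix, addresses, ports and traffic are constructed sample values.

```python
from dataclasses import dataclass

INTERNAL = "10.0.0."   # assumed internal network prefix (constructed)
F = frozenset
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # TCP flag names, e.g. {"SYN", "ACK"}

def static_filter(pkt):
    """Static (stateless) rule: each packet is judged only on its own headers. To let
    replies reach internal clients, every high port stays open inbound, unsolicited or not."""
    if pkt.src.startswith(INTERNAL):
        return True                     # outbound traffic always allowed
    return pkt.dport >= 1024            # inbound: any high port passes

class StatefulFilter:
    """Stateful inspection: inbound packets are admitted only when they belong
    to a connection an internal host opened, and the TCP handshake is checked."""
    def __init__(self):
        self.table = {}   # (client, cport, server, sport) -> connection state
    def allow(self, pkt):
        if pkt.src.startswith(INTERNAL):                  # outbound direction
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == {"SYN"}:
                self.table[key] = "SYN_SENT"              # new connection attempt
            elif self.table.get(key) == "SYN_RECV" and "ACK" in pkt.flags:
                self.table[key] = "ESTABLISHED"           # handshake completed
            elif key not in self.table:
                return False                              # no handshake for this flow
            if "RST" in pkt.flags or "FIN" in pkt.flags:
                self.table.pop(key, None)                 # connection torn down
            return True
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)    # inbound: look up reverse flow
        state = self.table.get(key)
        if state is None:
            return False                                  # unsolicited inbound packet
        if state == "SYN_SENT" and pkt.flags == {"SYN", "ACK"}:
            self.table[key] = "SYN_RECV"                  # server's handshake reply
            return True
        return state == "ESTABLISHED" and "ACK" in pkt.flags

# Constructed sample traffic: a full handshake from an internal client, one
# reply on the established connection, then an unsolicited inbound packet.
TRAFFIC = [
    Packet("10.0.0.5", 40000, "203.0.113.9", 443, F({"SYN"})),
    Packet("203.0.113.9", 443, "10.0.0.5", 40000, F({"SYN", "ACK"})),
    Packet("10.0.0.5", 40000, "203.0.113.9", 443, F({"ACK"})),
    Packet("203.0.113.9", 443, "10.0.0.5", 40000, F({"ACK"})),
    Packet("198.51.100.7", 443, "10.0.0.5", 40001, F({"ACK"})),
]
```

Running both filters over TRAFFIC shows the difference the text describes: the static rule passes all five packets, while the stateful filter rejects the last one because no internal host ever opened that connection.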

IDS

The intrusion detection systems are of two types based on the position of the IDS sensors:

Network Intrusion Detection System

An intrusion detection system in which the IDS sensors are placed in the network is called a Network Intrusion Detection System or NIDS. A network intrusion detection system uses NIDS sensors to monitor and analyze incoming data. The NIDS sensors are placed such that data from all the devices present in the network can be examined (Vinayakumar, Alazab, Soman, Poornachandran, Al-Nemrat & Venkatraman, 2019).

Advantages:

  • Real-time data tracking and intrusion detection.
  • Faster response time.
  • Easier implementation without much disruption to the existing network.
  • Not itself prone to attacks.

Disadvantages:

  • Encrypted data cannot be analyzed.
  • Fragmented packets are not analyzed.
  • Proper monitoring requires access to all devices.
  • Under heavy network traffic, it sometimes fails to detect an intrusion.

Host Intrusion Detection System 

An intrusion detection system in which the IDS sensors are placed on hosts is called a Host Intrusion Detection System or HIDS. A host-based intrusion detection system uses HIDS sensors to monitor and analyze application activity and system configuration on the devices connected to the network. HIDS sensors can be placed on any device in the network (Hodo, Bellekens, Hamilton, Tachtatzis & Atkinson, 2017).

Advantages

  • Can analyze data that is encrypted on the network, since the host sees it after decryption.
  • Can detect local intrusions that a NIDS does not see.

Disadvantages

  • Monitors only the one device it is installed on.
  • HIDS management is complex.
  • Requires more disk space.

Reason for Selecting NIDS

I have selected NIDS because it provides more assurance of intrusion detection than HIDS. Moreover, I didn't want to degrade the network performance. As we know, HIDS needs complex management, while NIDS is easy to implement and manage and also provides a faster response whenever an intrusion is detected. NIDS is also cost effective.

IDS-Firewall Relationship

Both the IDS and the firewall work to secure the network. While the firewall examines traffic coming from other networks and limits access between networks, the intrusion detection system (IDS) detects intrusions that originate from within the network. It also inspects suspicious packets and raises an alarm when an intrusion takes place (Hodo, Bellekens, Hamilton, Tachtatzis & Atkinson, 2017).

Reason for NIDS Position in Our Network

In our network, we have placed the NIDS at the entry point of the cardholder data environment (CDE). The CDE is the most crucial part of the whole network, consisting of the web server and the database server, and it is where all the sensitive data will be stored. Since there is a single point of entry into the CDE, we placed the NIDS at that entrance to detect any incoming intrusion or unauthorized access to the servers.

Additions

Cardholder Data Environment

A cardholder data environment (CDE) is the part of the network that holds all the cardholder data or sensitive payment information. A CDE can include servers and other components directly involved in card payment processing. Most data breaches occur through some compromise of the CDE. Because this is the most crucial part of the whole system, the PCI DSS requirements define various security controls for data protection in this part (McWhirr, 2015).

In short, the CDE comprises:

  • System components involved in storing, processing or transmitting cardholder information or sensitive data.
  • System components directly connected to cardholder data processing.
  • System components that support cardholder data processing directly or indirectly.

Kerberos

Yes, Kerberos should be added to the network diagram. It should be placed on the Ethernet segment where it can monitor all network accesses and access attempts. Kerberos works as an authentication service used by all users of the network to verify themselves as authorized users of the system; it will also be used by the corporate remote workers connecting via the VPN. For all users, Kerberos provides an authentication process that identifies and blocks unauthorized access. The Kerberos server generates tickets for every user that requests access, using an encryption and decryption process, and only after a user is verified is he allowed to communicate on the network.
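As an added illustration of the ticket issuance described above (example code, not from this report or from any Kerberos implementation), the following Python sketch runs a simplified Kerberos-style exchange: the KDC issues a ticket under the service's key and wraps the session key under the user's key, and the service accepts only an unexpired ticket whose authenticator was sealed with that session key. The user name, passwords, keys and the hash-based toy cipher are assumptions standing in for real Kerberos principals and AES.

```python
import hashlib, hmac, json, os, time

def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Toy authenticated encryption (XOR keystream + HMAC tag); it stands in for
    Kerberos' real AES-based encryption so the exchange runs with no extra libraries."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def open_(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        return None   # wrong key or tampered message
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

# Constructed secrets: the KDC shares one key with each user and one with the service.
USER_KEYS = {"alice": hashlib.sha256(b"alice-password").digest()}
SERVICE_KEY = hashlib.sha256(b"cde-web-server-key").digest()

def kdc_issue(user, ttl=300, now=None):
    """KDC reply: a ticket only the service can open, wrapped under the user's key."""
    if user not in USER_KEYS:
        return None
    now = time.time() if now is None else now
    session = os.urandom(32).hex()
    ticket = seal(SERVICE_KEY, {"user": user, "key": session, "exp": now + ttl})
    return seal(USER_KEYS[user], {"key": session, "ticket": ticket.hex()})

def service_verify(ticket, authenticator, now=None):
    """Open the ticket with the service key, reject expired tickets, and require an
    authenticator sealed with the session key carried inside the ticket."""
    now = time.time() if now is None else now
    t = open_(SERVICE_KEY, ticket)
    if t is None or t["exp"] < now:
        return None
    a = open_(bytes.fromhex(t["key"]), authenticator)   # None if forged or tampered
    if a is None or a["user"] != t["user"] or abs(a["time"] - now) > 300:
        return None
    return t["user"]

def login(user, password, now=None):
    """The whole exchange from the user's side; returns the verified name or None."""
    reply = kdc_issue(user, now=now) or b""
    msg = open_(hashlib.sha256(password.encode()).digest(), reply)
    if msg is None:   # unknown user, or a wrong password that cannot decrypt the reply
        return None
    now = time.time() if now is None else now
    auth = seal(bytes.fromhex(msg["key"]), {"user": user, "time": now})
    return service_verify(bytes.fromhex(msg["ticket"]), auth, now=now)
```

A wrong password never yields a usable ticket because the KDC reply cannot be decrypted, and an expired ticket or an authenticator sealed with any other key is refused by the service.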

Strength Analysis

The compliance design provided is fully up to the mark in terms of strength. The following mechanisms have been implemented to achieve overall network strength:

Defense-in-Depth Mechanisms

  • Stateful Inspection: The stateful inspection firewall examines the source and destination addresses of incoming packets and the relationship of each packet with previously allowed packets, in order to block any unauthorized access to the network. The security provided by stateful inspection is very satisfactory.
  • NIDS: The NIDS sensors are placed such that data from all the devices present in the network can be examined (Singh & Rajput, 2020). The cardholder data environment is the most crucial part of the whole network, consisting of the web server and the database server, and it is where all the sensitive data will be stored. Since there is a single point of entry into the CDE, we placed the NIDS at that entrance to detect any incoming intrusion or unauthorized access to the servers.

Connection Breaking

For smooth functioning of the system and to prevent connections from being broken, the Kerberos protocol has been employed in the network. While it helps prevent unauthorized access to the network, it also helps establish smooth communication once verification is done and the connection is established.

PCI DSS Audit Scope

The PCI DSS audit scope can be defined as all the PCI DSS security requirements applicable to the network components that are directly or indirectly connected to the cardholder data environment (CDE). This means that all the people, technical components and processes involved in or related to cardholder data or transaction processing come under the PCI DSS audit scope.

Notifiable Data Breaches

The Notifiable Data Breaches scheme was passed by the Australian government on February 13, 2017 and came into effect on February 22, 2020. The data breach regulation requires any organization subject to Australian privacy law to inform the affected individuals or organizations and the Office of the Australian Information Commissioner (OAIC) when it detects a possible notifiable data breach (Burdon, Siganto & Coles-Kemp, 2016). A notifiable data breach is a data breach that can cause serious harm or damage to a person or a group.

Data Breach

A data breach is the disclosure of a person's confidential personal data to an environment that is not trustworthy. It can be accidental or intentional. A data breach involves the theft or loss of private confidential data such as passwords, credit card numbers, bank account details or any other sensitive information. For organizations, a data breach involves data leakage, a data spill or the intentional breach of sensitive organizational information (Solove & Citron, 2017).

Data Breach Administration

Data breaches are administered and regulated by the Office of the Australian Information Commissioner (OAIC). The OAIC is responsible for protecting the personal data of Australian citizens and promotes privacy and freedom of information (Solove & Citron, 2017).

Targets

The main targets of data breaches are large organizations, business houses, government agencies and individuals who use internet or mobile banking, online shopping and similar services.

Data Breach Reporting

A data breach is notifiable when it can cause serious harm or damage to a person or a group. Serious harm or damage could be one of the following:

  • Monetary loss through fraud.
  • Identity theft.
  • Leakage of sensitive information such as credit card or bank account details.
  • Damage to reputation, etc.

In such a case, the breach must be notified to the Office of the Australian Information Commissioner (OAIC) (Burdon, Siganto & Coles-Kemp, 2016).

Impact on customers

A data breach has a huge impact on a company's customers. When customers share their information, they place their trust in the company or organization, so businesses should be extra cautious when handling customer data. If a breach occurs, customers too should be informed; they tend to be less forgiving of breaches that are not notified to them, as breaches often involve customer payment information and other sensitive data.

References for Payment Card Industry

Burdon, M., Siganto, J., & Coles-Kemp, L. (2016). The regulatory challenges of Australian information security practice. Computer Law & Security Review, 32(4), 623-633.

Calder, A., & Williams, G. (2019). PCI DSS: A Pocket Guide. IT Governance Ltd.

Hodo, E., Bellekens, X., Hamilton, A., Tachtatzis, C., & Atkinson, R. (2017). Shallow and deep networks intrusion detection system: A taxonomy and survey. arXiv preprint arXiv:1701.02145.

McWhirr, J. (2015). A closer look at Requirement 1.1.2 – Cardholder Data Environment Diagram. Retrieved from https://www.sysnetgs.com/wp-content/uploads/2016/01/A-closer-look-at-req-1-1-2-Cardholder-Data-Environment.pdf

Pradhan, M., Nayak, C. K., & Pradhan, S. K. (2020). Intrusion Detection System (IDS) and Their Types. In Securing the Internet of Things: Concepts, Methodologies, Tools, and Applications (pp. 481-497). IGI Global.

Seaman, J. (2020). Compliance – A Team Effort. In PCI DSS (pp. 323-358). Apress, Berkeley, CA.

Singh, V., & Rajput, A. K. (2020). An Advance Model for Network Security System Using NIDS and HIDS. Journal of Electronic Design Technology, 10(3), 42-52.

Solove, D. J., & Citron, D. K. (2017). Risk and anxiety: A theory of data-breach harms. Tex. L. Rev., 96, 737.

Vinayakumar, R., Alazab, M., Soman, K. P., Poornachandran, P., Al-Nemrat, A., & Venkatraman, S. (2019). Deep learning approach for intelligent intrusion detection system. IEEE Access, 7, 41525-41550.

Wilson, D., Roman, E., & Beierly, I. (2018). PCI DSS and card brands: Standards, compliance and enforcement. Cyber Security: A Peer-Reviewed Journal, 2(1), 73-82.
