The main target of the PCI DSS is to protect cardholder data. The PCI DSS v3.2.1 standard applies to all systems that store, process or transmit cardholder data or any other sensitive information during digital transactions, and to all parties involved in card payment processing, such as merchants, card issuers, payment gateways and processing systems (Calder & Williams, 2019).
The PCI Security Standards Council (PCI SSC) is responsible for the administration and management of the PCI DSS. The PCI SSC was formed in 2006 by the major payment card brands, including MasterCard, Visa, JCB International, Discover Financial Services and American Express. Its main objective is the proper management and administration of the Payment Card Industry Data Security Standard (Calder & Williams, 2019).
The payment card brands and acquirers are responsible for ensuring compliance. Compliance assessments are conducted in two areas:
Compliance Assessment at Merchant’s Side
Two types of compliance assessment can be carried out at the merchant's side. The first is self-assessment, which involves completing the PCI Self-Assessment Questionnaire; the self-assessment tool is only for Level 2 and Level 3 merchants. The second is a full on-site compliance assessment, which follows the PCI DSS Requirements and Security Assessment Procedures (Seaman, 2020).
Compliance Assessment at Acquirer & Service Provider’s Side
There are two kinds of acquirers and service providers: compliant and non-compliant. For a compliant acquirer or service provider there are also two kinds of compliance assessment, self-assessment and on-site assessment. Both procedures are the same as those conducted at the merchant's side, but in addition the Attestation of Compliance document is also submitted in both assessments (Seaman, 2020).
In the case of a non-compliant acquirer or service provider, a signed request letter is needed along with a completed Prioritized Approach for PCI DSS worksheet or the "Action Plan for Non-Compliant Status" section of the Attestation of Compliance (Seaman, 2020).
The penalties for non-compliance with the PCI DSS are huge. The penalty amounts for the various merchant levels are given below:
In the compliance process, compliance assessments are carried out for merchants. Any gap identified should be rectified immediately; otherwise it can lead to additional penalties, as follows:
PCI DSS is not a framework but only a 'point' standard, because it defines the minimum requirements needed to protect cardholder data and other related sensitive information. PCI DSS is not a replacement for local laws, legal requirements or government regulations (Wilson, Roman & Beierly, 2018).
The firewalls selected for the network are stateful inspection firewalls. A static filtering firewall operates at the network layer of the OSI model. Its filtering is packet-oriented: it examines each data packet independently, without considering previously passed packets or their connection with the current packet. Filtering rules must be opened and closed manually. A static filtering firewall is unable to differentiate between application protocols; it examines only the IP and protocol headers of the packets passing through it (Pradhan, Nayak & Pradhan, 2020).
The dynamic filtering firewall provides tighter security than static filtering. It is a connection-oriented firewall that monitors the connections that are active at a given time. Using the information from the active connections, the firewall allows or blocks the flow of data packets through it. It also examines the IP header of each packet trying to pass through it. Dynamic filtering firewalls operate at layers 3 and 4 of the TCP/IP model, filtering TCP and UDP packets (Pradhan, Nayak & Pradhan, 2020).
Stateful inspection firewalls examine the source and destination addresses of incoming packets and also examine each packet's relationship with previously allowed packets in order to block unauthorized access to the network. These firewalls combine packet inspection with TCP handshake verification. The security provided by stateful inspection is very satisfactory (Pradhan, Nayak & Pradhan, 2020).
Proxy firewalls work at the application layer of the OSI model. A proxy firewall works in the same way as stateful inspection, examining both the packets and the TCP handshake. In addition, these firewalls carry out data inspection, which enables them to detect and prevent attempted intrusions. In a proxy firewall, the connection is made to the source of the incoming data before packet examination starts (Pradhan, Nayak & Pradhan, 2020).
A possible and better alternative could be proxy firewalls. One reason is that proxy firewalls are faster than stateful firewalls: stateful firewalls place a heavy load on resources, which slows the system down. The other reason is deep-layer packet inspection, that is, examining the data in the packet to verify that no malware is present.
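The difference between static filtering and stateful inspection described above, shown as an added example (not part of the original essay): a stateless rule that only looks at port numbers is compared with a filter that tracks the TCP three-way handshake. The packets, the 10.0.0.0/24 addresses and the "only HTTPS into the CDE web server" policy are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    sport: int
    dport: int
    flags: str = ""  # TCP flags as letters: "S" SYN, "SA" SYN-ACK, "A" ACK, "PA", "F", "R"

ALLOWED_PORTS = {443}   # assumed policy: only HTTPS may enter the CDE web server

def static_filter(pkt: Packet) -> bool:
    """Static (stateless) filter: judges each packet on its own headers.
    It cannot tell a genuine reply from an unsolicited packet that merely
    uses an allowed port number."""
    return pkt.dport in ALLOWED_PORTS or pkt.sport in ALLOWED_PORTS

class StatefulFirewall:
    """Stateful inspection: tracks the TCP three-way handshake per flow and
    admits later packets only if they belong to a connection it has seen."""
    def __init__(self):
        self.pending = set()       # SYN seen, handshake not yet complete
        self.established = set()   # handshake completed

    @staticmethod
    def flow(p: Packet):
        # Direction-independent flow key so a reply maps to the same entry.
        ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
        return (p.proto, ends[0], ends[1])

    def filter(self, p: Packet) -> bool:
        k = self.flow(p)
        if k in self.established:
            if "F" in p.flags or "R" in p.flags:   # FIN/RST closes the flow
                self.established.discard(k)
            return True
        if p.flags == "S" and p.dport in ALLOWED_PORTS:   # new inbound SYN
            self.pending.add(k)
            return True
        if p.flags == "SA" and k in self.pending:         # server SYN-ACK
            return True
        if p.flags == "A" and k in self.pending:          # final ACK
            self.pending.discard(k)
            self.established.add(k)
            return True
        return False   # anything else, e.g. a spoofed ACK from port 443, is dropped
```

An unsolicited packet with source port 443 passes the static rule but is dropped by the stateful filter because no handshake for that flow was ever seen.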
The intrusion detection systems are of two types based on the position of the IDS sensors:
An intrusion detection system in which the IDS sensors are placed in the network is called a Network Intrusion Detection System (NIDS). A NIDS uses its sensors to monitor and analyze incoming data. The sensors are placed such that data from all the devices present in the network can be examined (Vinayakumar, Alazab, Soman, Poornachandran, Al-Nemrat & Venkatraman, 2019).
Advantages:
Disadvantages:
An intrusion detection system in which the IDS sensors are placed on a host is called a Host Intrusion Detection System (HIDS). A HIDS uses its sensors to monitor and analyze application activity and system configuration on the devices connected to the network. HIDS sensors can be placed on any device in the network (Hodo, Bellekens, Hamilton, Tachtatzis & Atkinson, 2017).
Advantages:
Disadvantages:
I have selected NIDS because it provides more assurance of intrusion detection than HIDS. Moreover, I didn't want to degrade the network performance. As we know, HIDS need complex management, while NIDS are easy to implement and manage and provide a faster response whenever an intrusion is detected. They are also cost-effective.
Both the IDS and the firewall provide security to the network. While the firewall examines traffic coming from other networks by limiting access between networks, the intrusion detection system (IDS) examines intrusions that originate from within the network. It also inspects suspicious packets and raises an alarm when an intrusion takes place (Hodo, Bellekens, Hamilton, Tachtatzis & Atkinson, 2017).
In our network, we have placed the NIDS at the entry point of the Cardholder Data Environment (CDE). The CDE is the most crucial part of the whole network, consisting of the web server and the database server; it is where all the sensitive data will be stored. Since there is a single point of entry into the CDE, we placed the NIDS at its entrance to detect any incoming intrusion or unauthorized access to the servers.
A cardholder data environment (CDE) is the part of the system that contains all the cardholder data or sensitive payment information. A CDE can include servers or other components directly related to card payment processing. Most data breaches occur due to some compromise of the CDE. The PCI DSS requirements define various security controls for data protection in this part of the system, as it is the most crucial part of the whole system (McWhirr, 2015).
In short, the CDE involves
Yes, Kerberos should be added to the network diagram. It should be placed on the Ethernet segment, monitoring all network access attempts. Kerberos works as an authentication service used by all users of the network to verify themselves as authorized users of the system. It will also be used by the corporate remote workers connecting via the VPN. For all users, Kerberos offers an authentication process that identifies and blocks unauthorized access. The Kerberos server issues tickets to every user requesting access, using an encryption and decryption process; only after the user is verified is the user allowed to communicate on the network.
The compliance design provided is completely up to the mark in terms of strength. The following things have been implemented in order to obtain overall network strength:
For smooth functioning of the system and to prevent connections from breaking, the Kerberos protocol has been employed in the network. While it helps prevent unauthorized access to the network, it also helps establish smooth communication once verification is done and the connection is established.
The PCI DSS audit scope can be defined as all the PCI DSS security requirements applicable to the components of the network that are directly or indirectly connected to the cardholder data environment (CDE). This means that all the people, technical components and processes that are involved in or related to cardholder data or transaction processing come under the PCI DSS audit scope.
The Notifiable Data Breaches scheme was passed by the Australian government on February 13, 2017 and came into effect on February 22, 2020. The new data breach regulation requires any organization covered by Australian privacy law to inform the affected individuals or organizations and the Office of the Australian Information Commissioner (OAIC) whenever it detects a possible notifiable data breach (Burdon, Siganto & Coles-Kemp, 2016). A notifiable data breach is a data breach that can cause serious harm or damage to a person or a group.
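The ticket-issuing process that the two Kerberos paragraphs above describe, as an added example that is not part of the original essay: the authentication server hands out a ticket-granting ticket, the ticket-granting server exchanges it for a service ticket, and the service verifies the ticket and the user's authenticator before allowing communication. Real Kerberos uses proper cipher suites and pre-authentication; here `seal`/`unseal` (a SHA-256 keystream with an HMAC tag, stdlib only) stand in for the encryption, and the principal names, passwords and 300-second lifetimes are constructed.

```python
import hashlib, hmac, json, os, time

def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))

def seal(key: bytes, obj: dict) -> bytes:
    # Stand-in for Kerberos encryption: SHA-256 keystream XOR, then an HMAC tag.
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed (wrong key or tampered ticket)")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

# Constructed long-term keys held by the KDC; names and passwords are made up.
KEYS = {n: hashlib.sha256(p.encode()).digest() for n, p in
        {"alice": "alice-pw", "krbtgt": "kdc-secret", "webserver": "svc-secret"}.items()}
TICKET_LIFE, CLOCK_SKEW = 300, 300   # seconds

def _ticket(owner_key, user):   # ticket readable only by the holder of owner_key
    sk = os.urandom(32).hex()
    return sk, seal(owner_key, {"user": user, "key": sk, "exp": time.time() + TICKET_LIFE})

def _check(owner_key, ticket, authenticator):
    t = unseal(owner_key, ticket)
    a = unseal(bytes.fromhex(t["key"]), authenticator)  # proves session-key possession
    if t["exp"] < time.time() or a["user"] != t["user"] or abs(a["ts"] - time.time()) > CLOCK_SKEW:
        raise ValueError("expired ticket or stale/mismatched authenticator")
    return t

def kdc_as_exchange(user):        # AS_REQ -> AS_REP: TGT plus session key under the user's key
    sk, tgt = _ticket(KEYS["krbtgt"], user)
    return seal(KEYS[user], {"key": sk}), tgt

def kdc_tgs_exchange(tgt, authenticator, service):  # TGS_REQ -> TGS_REP: service ticket
    t = _check(KEYS["krbtgt"], tgt, authenticator)
    svc_key, ticket = _ticket(KEYS[service], t["user"])
    return seal(bytes.fromhex(t["key"]), {"key": svc_key}), ticket

def login_and_access(user, password, service):   # returns the authenticated user name
    ukey = hashlib.sha256(password.encode()).digest()
    enc_sk, tgt = kdc_as_exchange(user)
    sk = bytes.fromhex(unseal(ukey, enc_sk)["key"])   # wrong password -> ValueError
    enc_svc, ticket = kdc_tgs_exchange(tgt, seal(sk, {"user": user, "ts": time.time()}), service)
    svc_key = bytes.fromhex(unseal(sk, enc_svc)["key"])
    return _check(KEYS[service], ticket, seal(svc_key, {"user": user, "ts": time.time()}))["user"]

def try_access(user, password, service):   # None when authentication fails
    try: return login_and_access(user, password, service)
    except ValueError: return None
```

A wrong password cannot decrypt the AS reply, so the client never obtains a usable session key and the service sees no valid authenticator.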
A data breach is the disclosure of a person's personal, confidential data to an environment that is not trustworthy. It can be accidental or intentional. A data breach involves the theft or loss of private confidential data such as passwords, credit card numbers, bank account details or any other sensitive information. For organizations, a data breach involves data leakage, a data spill or an intentional breach of sensitive organizational information (Solove & Citron, 2017).
Data breaches are administered and regulated by the Office of the Australian Information Commissioner (OAIC). The OAIC is responsible for the protection of the personal data of Australian citizens and promotes privacy and freedom of information (Solove & Citron, 2017).
The main targets of data breaches are large organizations, business houses, government agencies and individuals who use internet or mobile banking, online shopping and similar services.
A data breach is notifiable when it can cause serious harm or damage to a person or a group. Serious harm or damage could be one of the following:
In such a case, it should be notified to the Office of the Australian Information Commissioner (OAIC) (Burdon, Siganto & Coles-Kemp, 2016).
A data breach has a huge impact on a company's customers. When customers share their information, they place their trust in the company or organization, so businesses should be extra cautious when handling customer data. If a breach occurs, customers too should be informed; they tend to be less forgiving of breaches that are not notified to them, as breaches often involve customer payment information and other sensitive data.
Burdon, M., Siganto, J., & Coles-Kemp, L. (2016). The regulatory challenges of Australian information security practice. Computer Law & Security Review, 32(4), 623-633.
Calder, A., & Williams, G. (2019). PCI DSS: A Pocket Guide. IT Governance Ltd.
Hodo, E., Bellekens, X., Hamilton, A., Tachtatzis, C., & Atkinson, R. (2017). Shallow and deep networks intrusion detection system: A taxonomy and survey. arXiv preprint arXiv:1701.02145.
McWhirr, J. (2015). A closer look at Requirement 1.1.2 – Cardholder Data Environment Diagram. Retrieved from https://www.sysnetgs.com/wp-content/uploads/2016/01/A-closer-look-at-req-1-1-2-Cardholder-Data-Environment.pdf
Pradhan, M., Nayak, C. K., & Pradhan, S. K. (2020). Intrusion Detection System (IDS) and Their Types. In Securing the Internet of Things: Concepts, Methodologies, Tools, and Applications (pp. 481-497). IGI Global.
Seaman, J. (2020). Compliance – A Team Effort. In PCI DSS (pp. 323-358). Apress, Berkeley, CA.
Singh, V., & Rajput, A. K. (2020). An Advance Model for Network Security System Using NIDS and HIDS. Journal of Electronic Design Technology, 10(3), 42-52.
Solove, D. J., & Citron, D. K. (2017). Risk and anxiety: A theory of data-breach harms. Tex. L. Rev., 96, 737.
Vinayakumar, R., Alazab, M., Soman, K. P., Poornachandran, P., Al-Nemrat, A., & Venkatraman, S. (2019). Deep learning approach for intelligent intrusion detection system. IEEE Access, 7, 41525-41550.
Wilson, D., Roman, E., & Beierly, I. (2018). PCI DSS and card brands: Standards, compliance and enforcement. Cyber Security: A Peer-Reviewed Journal, 2(1), 73-82.