Introduction

Payment Card Industry Data Security Standard (PCI DSS) is a compliance standard that helps prevent breaches of cardholder data at the companies that store, process, or transmit it. Before PCI DSS was drafted, each credit card company had its own security program. Any merchant wanting to accept that company's card had to comply with that company's requirements, so a merchant accepting several card brands faced several overlapping sets of requirements. To reduce this burden, the card companies sought a common solution.

The solution began with the major credit card companies collaborating to form a representative group, now called the PCI Security Standards Council. Commonly called the PCI Council, this group drafted and approved the standard, the PCI DSS. It is important to remember that the PCI Council is a consortium of companies, not a government agency, and that the Council itself does not enforce the standard. Each card brand enforces PCI DSS for its own card through its contracts with acquiring banks, which in turn pass the obligation on to merchants and processors. Noncompliance is dealt with through contractual penalties such as fines and, ultimately, loss of the ability to process that brand's cards.

In this lab, you will review a real-world case study that involves a PCI DSS noncompliance scenario, and you will recommend mitigation remedies to prevent the loss of private data for similar organizations.

Learning Objectives

Upon completing this lab, you will be able to:

• Relate a real-world case study on the Payment Card Industry Data Security Standard (PCI DSS) standard noncompliance and its implications.

• Distinguish how the Payment Card Industry Data Security Standard (PCI DSS) is a standard and not a law, and how it defines requirements for information systems security controls and countermeasures.

• Review a case study on a credit card transaction-processing company’s noncompliance with the Payment Card Industry Data Security Standard (PCI DSS) and identify the privacy data breach that occurred.

• Recommend PCI DSS-compliant mitigation remedies to prevent the same loss from occurring again at a similar organization.

Lab #3 Case Study on PCI DSS Noncompliance: CardSystems Solutions

© Jones & Bartlett Learning, LLC. NOT FOR SALE OR DISTRIBUTION.

Copyright © 2014 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved. www.jblearning.com Student Lab Manual

Deliverables

Upon completion of this lab, you are required to provide the following deliverables to your instructor:

1. Lab Report file
2. Lab Assessments file

Instructor Demo

The instructor will present the instructions for this lab, starting with a general discussion of the PCI DSS standard and the security controls and countermeasures it requires. PCI DSS is a standard, not a law: it is enforced through the card brands' contracts rather than by statute. It nonetheless directly affects information systems security, because it specifies the controls that must be in place wherever cardholder data is stored, processed, or transmitted. The instructor will then present an overview of the case study in this lab.

Hands-On Steps

Note: This is a paper-based lab. To successfully complete the deliverables for this lab, you will need access to Microsoft® Word or another compatible word processor. For some labs, you may also need access to a graphics line drawing application, such as Visio or PowerPoint. Refer to the Preface of this manual for information on creating the lab deliverable files.

1. On your local computer, create the lab deliverable files.

2. Review the Lab Assessment Worksheet. You will find answers to these questions as you proceed through the lab steps.

3. Review the Payment Card Industry Data Security Standard (PCI DSS) overview in Figure 1.

PCI Data Security Standard—High-Level Overview

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data

Requirement 3: Protect stored cardholder data.

Requirement 4: Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update antivirus software.

Requirement 6: Develop and maintain secure systems and applications.

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know.

Requirement 8: Assign a unique ID to each person with computer access.

Requirement 9: Restrict physical access to cardholder data.

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data.

Requirement 11: Regularly test security systems and processes.

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security.

Figure 1 PCI DSS v1.2 information systems security requirements

4. In your Lab Report file, explain how PCI DSS is a standard and not a law and discuss how it defines requirements for information systems security controls and countermeasures.

Note: In the PCI DSS supporting documents repository (link provided in the next step), you will find a "Prioritized Approach v2.0" document. It breaks the 12 PCI DSS requirements into milestones and orders them as a to-do list resembling a Gantt chart, so that the controls that reduce risk most are implemented first. Highly recommended.

5. Review the following case study on PCI DSS noncompliance:

External attackers breached a credit card transaction-processing firm, CardSystems Solutions, and stole cardholder data. You can find more information on the Federal Trade Commission's (FTC's) case against the company at http://www.ftc.gov/news-events/press-releases/2006/02/cardsystems-solutions-settles-ftc-charges. You can find the PCI DSS standard and its supporting requirements documents at https://www.pcisecuritystandards.org/security_standards/pci_dss_supporting_docs.shtml

Case Study: CardSystems Solutions

CardSystems Solutions, a third-party payment processor, collected thousands of card transactions on behalf of small and medium businesses. These transactions were processed in batches and forwarded to the card brands (such as Visa and MasterCard). Because the company collected and processed cardholder and other financial data in bulk, it was a prime target for attackers, and it was obliged to meet the data security requirements imposed by federal and state law and by the card industry. Compliance is not optional for companies such as CardSystems Solutions.

In June 2004, an external auditor certified the company as Payment Card Industry Data Security Standard- (PCI DSS-) compliant. PCI DSS requires, among other things, a firewall configuration that protects cardholder data, antivirus software whose definitions are updated on a consistent schedule, and protection of stored cardholder data, which means not retaining sensitive authentication data after authorization and rendering any stored primary account number unreadable (for example, by encryption). The certification implied that the company met this standard, including the storage requirements. However, a certification is a point-in-time assessment of the controls the assessor saw, and the security assessment conducted after the breach showed that the company was not PCI DSS-compliant.

The attacker used a well-known technique, Structured Query Language (SQL) injection. The entry point was a Web application that customers used to access their transaction data. Because the application built its database queries by inserting form-field values directly into the SQL text, the attacker could type SQL fragments into those fields and have the backend SQL server execute them as part of the query. Using this access, the attacker planted a script that gathered credit card data from the database, packaged it in a compressed ZIP file, and sent it out of the company's network through a File Transfer Protocol (FTP) site to the hacker community. The attack almost put the company out of business; it was eventually acquired by another business.

SQL injection attacks can be mitigated. Secure coding (validating input and using parameterized queries instead of building SQL from user-supplied strings), sound Web application design, and internal firewalls that segment the database from the Web tier all contribute to mitigating these attacks, and PCI DSS requires these controls (Requirement 6 for secure development, Requirement 1 for firewall segmentation). CardSystems was supposedly in compliance with the PCI DSS standard. Note, however, that a network firewall by itself does not stop SQL injection: the malicious input travels inside the ordinary HTTP requests that the firewall must allow through to the Web application. What a properly configured firewall should have done is deny the outbound FTP connection from the cardholder data environment that carried the stolen data, so the successful exfiltration indicates that outbound traffic was not restricted as Requirement 1 demands.
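As an added illustration of the attack and the secure-coding remedy (this is example code written for this lab, not CardSystems' application), the Python snippet below builds a constructed in-memory table of card transactions and runs the same merchant lookup two ways: concatenating the caller's input into the SQL text, and binding it as a parameter. The table layout, the sample rows, and the `x' OR '1'='1` payload are assumptions for illustration. The hardened lookup also masks the primary account number before returning it, following the Requirement 3 rule that a displayed PAN shows no more than the first six and last four digits.

```python
"""Vulnerable vs. hardened card-transaction lookup (added lab example).

The schema, the sample rows, and the merchant-facing lookup function are
constructed assumptions for this example, not CardSystems' code.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create an in-memory transactions table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transactions ("
        "  id INTEGER PRIMARY KEY,"
        "  merchant TEXT NOT NULL,"
        "  pan TEXT NOT NULL,"          # primary account number (constructed test numbers)
        "  amount_cents INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO transactions (merchant, pan, amount_cents) VALUES (?, ?, ?)",
        [
            ("m-100", "4111111111111111", 1999),
            ("m-100", "4222222222222", 500),
            ("m-200", "5555555555554444", 12050),
            ("m-300", "378282246310005", 77700),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, merchant: str) -> list:
    """Build the query by string concatenation, the pattern the case describes.

    Whatever the caller sends in `merchant` becomes part of the SQL text, so a
    quote character lets the caller rewrite the WHERE clause.
    """
    sql = (
        "SELECT merchant, pan, amount_cents FROM transactions "
        "WHERE merchant = '" + merchant + "'"
    )
    return conn.execute(sql).fetchall()


def mask_pan(pan: str) -> str:
    """Replace every digit except the last four with '*' (within the PCI DSS
    masking limit of first six + last four)."""
    return "*" * (len(pan) - 4) + pan[-4:]


def lookup_hardened(conn: sqlite3.Connection, merchant: str) -> list:
    """Parameterized query: the driver sends `merchant` as a bound value, so
    quotes and keywords in it are never interpreted as SQL. Rows are masked
    before they leave the data layer, so even a legitimate caller never
    receives a full PAN."""
    rows = conn.execute(
        "SELECT merchant, pan, amount_cents FROM transactions WHERE merchant = ?",
        (merchant,),
    ).fetchall()
    return [(m, mask_pan(p), a) for (m, p, a) in rows]


# Classic tautology payload (assumed attacker input): it closes the string
# literal and makes the WHERE clause true for every row.
INJECTION = "x' OR '1'='1"


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, normal input:", lookup_vulnerable(db, "m-100"))
    print("vulnerable, injected    :", lookup_vulnerable(db, INJECTION))
    print("hardened,   injected    :", lookup_hardened(db, INJECTION))
    print("hardened,   normal input:", lookup_hardened(db, "m-100"))
```

Run it and the vulnerable lookup returns every row in the table, full PANs included, for the injected input, while the parameterized lookup returns nothing for that input because no merchant is literally named `x' OR '1'='1`. The same bound-parameter change is what Requirement 6's secure-development controls are meant to enforce, and the masking step limits what is exposed even when a query is legitimate.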

Note: Implementing PCI DSS controls will not stop the most determined attacker, but it provides a documented level of due diligence and closes the common attack channels, including the one used in this case.

CardSystems stored unencrypted cardholder data that it had no business need to retain, failed to use properly configured firewalls, and failed to keep its antivirus definitions up to date. As a result, the FTC charged CardSystems Solutions and its successor with an unfair practice under Section 5 of the FTC Act (15 U.S.C. §§ 41-58), and the company settled the charges.

Federal Trade Commission Act (15 U.S.C. §§ 41-58, as amended)

Under this act, the commission is empowered, among other things, to (a) prevent unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce; (b) seek monetary redress and other relief for conduct injurious to consumers; (c) prescribe trade regulation rules defining with specificity acts or practices that are unfair or deceptive, and establishing requirements designed to prevent such acts or practices; (d) conduct investigations relating to the organization, business, practices, and management of entities engaged in commerce; and (e) make reports and legislative recommendations to Congress.

6. In your Lab Report file, discuss the PCI DSS requirements related to the case study on PCI DSS noncompliance. Explain which requirements were not met and how the same security failures supported the FTC's charge under the Federal Trade Commission Act, even though PCI DSS itself is not a law.

7. In your Lab Report file, recommend two or three mitigation remedies to prevent the same thing from happening at another organization.

Note: This completes the lab. Close the Web browser, if you have not already done so.

Evaluation Criteria and Rubrics The following are the evaluation criteria for this lab that students must perform:

1. Relate a real-world case study on the Payment Card Industry Data Security Standard (PCI DSS) standard noncompliance and its implications. – [25%]

2. Distinguish how the Payment Card Industry Data Security Standard (PCI DSS) is a standard and not a law, and how it defines requirements for information systems security controls and countermeasures. – [25%]

3. Review a case study on a credit card transaction-processing company’s noncompliance with the Payment Card Industry Data Security Standard (PCI DSS) and identify the privacy data breach that occurred. – [25%]

4. Recommend PCI DSS-compliant mitigation remedies to prevent the same loss from occurring again at a similar organization. – [25%]
