The Importance of the PCI Data Security Standard (DSS)

As the world moves towards digital means of payment, concerns over the security and protection of cardholder information have grown with it. According to the PCI Security Standards Council, more than 500 million cardholder records containing confidential information have been breached since 2005.

Merchants that accept digital payments sit at the centre of the payment flow and can be attacked at several points, including:

• The point-of-sale device or machine

• Wireless hotspots

• Any connected computer or other device

• Transmission of the cardholder data to the service provider.

Risk factors

According to a business survey conducted by Forrester Consulting, a majority of businesses carry out activities that increase the risk of card fraud, including storing the card number, expiration date, verification code, and other customer data.

Introduction to Data Security Standard (DSS)

The Payment Card Industry Data Security Standard (PCI DSS) is a security standard that is mandatory for organizations that store, process, or transmit payment card data for cards issued by the major brands, including MasterCard, Visa, and American Express.

The standard is mandated by the participating card brands and administered by the PCI Security Standards Council. Its sole aim is to protect cardholder data and thereby reduce card fraud.

Objectives

The objective of PCI DSS is the protection of cardholder data during storage, processing, and transmission. Cardholder data includes the primary account number (PAN) printed on the front of every card, together with the cardholder name, expiration date, and service code.

Merchants and service providers that process card payments must never store sensitive authentication data after authorization, even in encrypted form. This includes the full contents of the magnetic stripe or chip (track data), the card verification code printed on the card, and the PIN or PIN block entered by the cardholder.

Requirements

PCI DSS specifies 12 mandatory requirements, grouped under 6 control objectives, as listed below:

1) Build and maintain a secure network and systems, which includes:

* Installing and maintaining a firewall configuration to protect cardholder data.

The firewall must restrict (or block) all traffic from untrusted networks and prohibit direct public access between the Internet and any system in the cardholder data environment (CDE).

* Not using vendor-supplied defaults for system passwords and other security parameters.

This matters because attackers routinely break into a merchant’s internal network using default credentials that were never changed.
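The firewall requirement is usually verified by reading the exported rule set rather than the firewall’s own console. The following is an added example (not code from the original article) of that review: it flags allow rules that let an untrusted source reach the cardholder data environment directly, that let a CDE host reach an untrusted network directly, or that open every port into the CDE. The simplified rule format, the CDE range 10.10.20.0/24 and the trusted ranges are assumptions made for the example.

```python
"""Audit an exported firewall rule set for PCI DSS Requirement 1 problems.

Added example, not the article's own code. The rule format is a simplified
5-tuple; the CDE and trusted ranges below are assumptions for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Assumed address plan for this example.
CDE_NETWORKS = [ipaddress.ip_network("10.10.20.0/24")]           # cardholder data environment
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),          # internal ranges (RFC 1918)
                    ipaddress.ip_network("172.16.0.0/12"),
                    ipaddress.ip_network("192.168.0.0/16")]


@dataclass
class Rule:
    name: str
    action: str   # "allow" or "deny"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    port: str     # destination port, or "any"


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr)


def is_trusted(cidr: str) -> bool:
    """True only if the whole range lies inside one trusted network ("any" never does)."""
    net = _net(cidr)
    return any(net.subnet_of(t) for t in TRUSTED_NETWORKS)


def _touches_cde(net: ipaddress.IPv4Network) -> bool:
    return any(net.overlaps(c) for c in CDE_NETWORKS)


def _inside_cde(net: ipaddress.IPv4Network) -> bool:
    return any(net.subnet_of(c) for c in CDE_NETWORKS)


def find_violations(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (rule name, reason) for every allow rule that breaks Requirement 1."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src, dst = _net(r.src), _net(r.dst)
        # Req 1.3: no direct public access between the Internet and the CDE, in either direction.
        if _touches_cde(dst) and not is_trusted(r.src):
            findings.append((r.name, "untrusted source can reach the CDE directly"))
        if _touches_cde(src) and not is_trusted(r.dst):
            findings.append((r.name, "CDE host can reach an untrusted network directly"))
        # Req 1.2: only necessary traffic; an all-ports rule into the CDE needs a documented business need.
        if _inside_cde(dst) and r.port == "any":
            findings.append((r.name, "all ports open into the CDE"))
    return findings


# Constructed rule set for the example.
SAMPLE_RULES = [
    Rule("web-in",       "allow", "any",            "10.10.1.0/24",  "443"),   # Internet -> DMZ web tier: fine
    Rule("dmz-to-db",    "allow", "10.10.1.0/24",   "10.10.20.0/24", "5432"),  # DMZ -> CDE database: fine
    Rule("mgmt-any",     "allow", "any",            "10.10.20.0/24", "22"),    # Internet -> CDE SSH: violation
    Rule("db-out",       "allow", "10.10.20.0/24",  "any",           "any"),   # CDE -> Internet: violation
    Rule("lan-any-port", "allow", "192.168.1.0/24", "10.10.20.0/24", "any"),   # every port into CDE: finding
    Rule("deny-all",     "deny",  "any",            "any",           "any"),
]

if __name__ == "__main__":
    for name, reason in find_violations(SAMPLE_RULES):
        print(f"{name}: {reason}")
```

The check deliberately treats “any” as untrusted even though it overlaps internal space: a rule that admits the whole Internet is a finding regardless of which trusted hosts it also admits. Real rule exports carry zones, interfaces and protocol fields; map those onto the 5-tuple before running the review.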

2) Protect cardholder data, which includes:

* Encrypting cardholder data transmitted over open, public networks.

Encryption renders transmitted data unreadable to anyone who intercepts it. Strong cryptography and security protocols such as TLS or IPsec must be used to safeguard cardholder data in transit. Note that SSL and early TLS (TLS 1.0) are no longer accepted as strong cryptography under PCI DSS, so current TLS versions should be used and server certificates validated.

* Protecting stored cardholder data.

Sensitive authentication data from the magnetic stripe or chip must not be stored after authorization. Where the PAN must be stored, it must be rendered unreadable, for example by truncation, by a one-way hash based on strong cryptography, by tokenization, or by strong encryption with proper key management. Keep storage of cardholder data to a minimum and limit its retention period to what the business actually requires.
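What this requirement means in code is a single choke point between the authorization response and the database. The following added example (not code from the original article) builds the post-authorization record from a constructed request: it validates the PAN, drops every sensitive-authentication field, and replaces the PAN with a masked display form and a keyed one-way hash for repeat-customer matching. The field names, the request shape and the tokenization key are assumptions made for the example.

```python
"""Keep only what Requirement 3 allows from a card authorization request.

Added example, not the article's own code. The request shape, the field names
and the tokenization key are assumptions constructed for this example.
"""
import hashlib
import hmac
from typing import Dict

# Assumption: in production this key lives in an HSM or key-management service and is rotated.
TOKEN_KEY = b"example-only-key-not-for-production"

# Sensitive authentication data (SAD): never stored after authorization, encrypted or not.
SENSITIVE_AUTH_FIELDS = {"cvv", "track1", "track2", "pin", "pin_block"}


def luhn_ok(pan: str) -> bool:
    """Mod-10 check that every card PAN passes; rejects obvious typos before anything is stored."""
    if not (pan.isdigit() and 13 <= len(pan) <= 19):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Req 3.3: display at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str) -> str:
    """Req 3.4: render the stored PAN unreadable with a keyed one-way hash.

    A plain SHA-256 of a PAN is not enough: with the BIN known, an attacker
    can brute-force the remaining digits offline, so the hash is keyed."""
    return hmac.new(TOKEN_KEY, pan.encode("ascii"), hashlib.sha256).hexdigest()


def storable_record(auth_request: Dict[str, str]) -> Dict[str, str]:
    """Build the post-authorization record: SAD dropped, PAN replaced by mask + token."""
    pan = auth_request["pan"].replace(" ", "")
    if not luhn_ok(pan):
        raise ValueError("PAN failed validation; refusing to store")
    record = {k: v for k, v in auth_request.items()
              if k != "pan" and k not in SENSITIVE_AUTH_FIELDS}
    record["pan_masked"] = mask_pan(pan)
    record["pan_token"] = tokenize_pan(pan)
    return record


# Constructed authorization request (4111... is the well-known Visa test number).
SAMPLE_REQUEST = {
    "pan": "4111 1111 1111 1111",
    "expiry": "12/27",
    "cvv": "123",
    "track2": "4111111111111111=27121011000012345678",
    "pin_block": "0123456789ABCDEF",
    "amount": "19.99",
    "auth_code": "A1B2C3",
}

if __name__ == "__main__":
    for k, v in storable_record(SAMPLE_REQUEST).items():
        print(f"{k}: {v}")
```

Two caveats a reviewer would raise: the key must live outside the database that holds the tokens, because a hash plus its key is as good as the PAN; and PCI DSS notes that when a truncated PAN and a hash of the same PAN both exist in the environment, controls must prevent the two being correlated to rebuild the full number, which is another reason the hash above is keyed rather than plain.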

3) Maintain a vulnerability management program, which includes:

* Using and regularly updating anti-virus (anti-malware) software on all systems commonly affected by malware.

Malware can enter the network through email, web browsing, and other online activity. Anti-malware software that is kept current, actively running, and generating audit logs is a baseline defence against such attacks.

* Developing and maintaining secure systems and applications.

Security vulnerabilities in systems and applications can enable criminals to reach the PAN and other protected data. Ensure that all systems and applications are updated with the latest security patches from the vendor, and that in-house software is developed following secure coding practices.

4) Implement strong access control measures, which includes:

* Restricting access to cardholder data by business need to know.

Limit access to cardholder data to only those users whose job requires it, and restrict that access to the least amount of data and privilege needed for the business purpose.

* Assigning a unique ID to every person with computer access.

A unique ID makes every action on critical data traceable to an individual, so that access can be verified as authorized and shared or generic accounts cannot hide who did what.

* Restricting physical access to cardholder data.

Physical access to systems and media holding cardholder data must be controlled for onsite personnel and visitors alike, and all paper and electronic media containing cardholder data must be physically secured, tracked, and destroyed when no longer needed.

5) Regularly monitor and test networks, which includes:

* Tracking and monitoring all access to network resources and cardholder data.

This covers logging mechanisms and the tracking of user activity; logs must be reviewed and retained so that access to cardholder data can be reconstructed after the fact.

* Regularly testing security systems and processes.

Periodic testing of security controls is required, including internal and external network vulnerability scans and penetration testing.

6) Maintain an information security policy, which includes:

* Maintaining a policy that addresses information security for all personnel.

This includes establishing a security policy that covers all the PCI DSS requirements, together with an annual risk-assessment process that identifies threats and vulnerabilities to the cardholder data environment.

The requirements above apply to entities that store, process, or transmit cardholder data. A separate PCI standard, PIN Transaction Security (PTS), applies to manufacturers of devices that accept and process PIN-based transactions.

Financial institutions, merchants, and service providers must ensure that they only deploy devices approved under PTS (PIN Transaction Security).
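Requirements 7, 8 and 10 come together when someone actually reads the logs. The following added example (not code from the original article) runs that review over a few constructed audit-log lines: it flags shared accounts such as root touching cardholder data, users who are not on the access list, an account that reaches the failed-login lockout threshold, and a log message that contains what looks like an unmasked PAN. The key=value log format, the account lists and the sample lines are all constructed for this example.

```python
"""Review cardholder-data-environment audit logs for Requirement 7, 8 and 10 problems.

Added example, not the article's own code. The key=value log format, the
account lists and the sample lines below are all constructed for this example.
"""
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

# Req 8: generic or shared accounts must not be used to access cardholder data.
SHARED_ACCOUNTS = {"root", "admin", "administrator", "sa", "oracle"}
# Req 8: lock the account after no more than six failed attempts.
FAILED_LOGIN_LIMIT = 6
# A 13-19 digit run not glued to other digits is a candidate PAN (first-pass filter; expect some false positives).
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Turn 'ts=... user=alice msg="..."' into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def review_log(lines: List[str], authorized: Set[str]) -> List[Tuple[int, str]]:
    """Return (line number, reason) for every event a PCI log review should raise."""
    findings = []
    failed = Counter()
    for n, line in enumerate(lines, 1):
        ev = parse_line(line)
        user = ev.get("user", "?")
        if user in SHARED_ACCOUNTS:
            findings.append((n, f"shared account '{user}' used in the CDE"))
        elif user not in authorized:                       # Req 7: need-to-know list
            findings.append((n, f"user '{user}' is not on the CDE access list"))
        if ev.get("action") == "login" and ev.get("result") == "fail":
            failed[user] += 1
            if failed[user] == FAILED_LOGIN_LIMIT:
                findings.append((n, f"'{user}' hit {FAILED_LOGIN_LIMIT} failed logins; verify lockout"))
        if PAN_RE.search(ev.get("msg", "")):               # Req 3.3/3.4: PAN leaking into logs
            findings.append((n, "possible unmasked PAN written to the log"))
    return findings


AUTHORIZED_USERS = {"alice", "bob"}
SAMPLE_LOG = [
    'ts=2017-06-28T10:15:03Z host=db01 user=alice action=SELECT table=cards result=ok',
    'ts=2017-06-28T10:16:10Z host=db01 user=root action=SELECT table=cards result=ok',
    'ts=2017-06-28T10:17:41Z host=db01 user=mallory action=SELECT table=cards result=ok',
    'ts=2017-06-28T10:20:00Z host=app01 user=alice action=EXPORT result=ok msg="card 4111111111111111 declined"',
] + [f'ts=2017-06-28T10:3{i}:00Z host=db01 user=bob action=login result=fail' for i in range(6)]

if __name__ == "__main__":
    for n, reason in review_log(SAMPLE_LOG, AUTHORIZED_USERS):
        print(f"line {n}: {reason}")
```

The PAN pattern is only a first pass; anything it raises should be confirmed with a mod-10 check before the log is declared in scope, and the fix is in the application that wrote the number, not in the log collector.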

Author: KnowledgeHut

KnowledgeHut is a fast-growing Management Consulting and Training firm that is a source of Intelligent Information support for businesses and professionals across the globe.

Website: http://www.knowledgehut.com/


5 comments

Jerry Bertelson 02 Feb 2017

It's the best time to make a few plans for the future and it is time to be happy. I've learned this submit and if I may I want to recommend you some fascinating issues or suggestions. Maybe you could write subsequent articles relating to this article. I want to read more issues about it!

Christina 27 Jun 2017

Thanks for the terrific guide

KnowledgeHut 28 Jun 2017

Thanks Christina

Naomi 28 Jun 2017

I enjoy the article

Antwan 05 Jul 2017

Thanks, it is very informative
