RESEARCH PROPOSAL.
Added on 2023/04/21
RESEARCH PROPOSAL
TOPIC: MANAGING DATA SECURITY AND RISKS
CONSIDERING PCI DSS
Programme: MSc in Information Security and Digital Forensic
Year: 2018/2019
Term: B
Student ID: U1336039
Author: Michael Akubueze
Supervisor: Dr Shareeful Islam
Executive Summary
Card payments have become a very common sight in every business and organisation that a person
encounters in day-to-day life. They make it convenient for businesses to fulfil their aims and easier
for customers to carry out transactions. These organisations allow customers to pay with various bank
cards, including debit and credit cards. However, such organisations must comply with the Payment Card
Industry (PCI) security standard before incorporating a bank card system into their existing business
processes. This proposal examines information security and risks in relation to PCI. We study the PCI
standard to understand its requirements and use various tools, for example Nmap, to assess conformance
with those requirements. PCI was set up by the card brands, namely MasterCard, Visa, American Express,
JCB and Discover. The name given to this consortium was the Payment Card Industry Security Standards
Council (PCI SSC). Its function was to establish the Data Security Standard (PCI DSS), and industry
participants were expected to meet its terms and conditions. The PCI Security Standards Council has
issued guidance on how to protect card data when taking payments by telephone. Part of this guidance
covers how to handle telephone calls that use voice over IP (VoIP). The reason is that it is remarkably
easy to extract cardholder data from VoIP calls in the unlikely event that someone gains access to the
data stream. The favourite tool of anyone who works with networks is Wireshark, a free and extremely
capable resource. Wireshark makes it possible to capture network data effectively and to extract voice
calls from that data. We therefore choose Wireshark as the best tool to demonstrate how cardholder data
can be extracted from VoIP calls if access to the data stream is obtained.
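The summary proposes using Nmap output to assess conformance with the requirements. The following is an added Python example (not code from the proposal) that parses an Nmap XML report and maps open services to PCI DSS control areas; the XML is a constructed sample and the requirement mapping (cleartext services to Requirement 4, legacy remote-access services to Requirement 2, directly reachable databases to Requirement 1) is the author's own reading of the standard.

```python
"""Flag PCI DSS-relevant findings in Nmap XML (-oX) output."""
import xml.etree.ElementTree as ET

# Constructed Nmap -oX style output for one host; not real scan data.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="http" tunnel="ssl"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
      <port protocol="tcp" portid="8080"><state state="closed"/><service name="http-proxy"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Cleartext protocols: cardholder data over these would breach the "encrypt transmission" area (Req 4).
CLEARTEXT_SERVICES = {"ftp", "telnet", "http", "pop3", "imap", "smtp", "rlogin", "rsh"}
# Legacy remote-access protocols count as insecure/unnecessary services (Req 2) as well as cleartext.
INSECURE_SERVICES = {"telnet", "rlogin", "rsh"}
# A database reachable from the scanning (untrusted) network breaches firewall/segmentation (Req 1).
DATABASE_SERVICES = {"mysql", "ms-sql-s", "postgresql", "oracle", "mongodb", "redis"}


def open_services(nmap_xml):
    """Return (host, port, protocol, service_name, tunnel) tuples for open ports only."""
    root = ET.fromstring(nmap_xml)
    results = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            tunnel = svc.get("tunnel", "") if svc is not None else ""
            results.append((addr, int(port.get("portid")), port.get("protocol"), name, tunnel))
    return results


def pci_findings(nmap_xml):
    """Map each open service to the PCI DSS control area it is likely to breach."""
    findings = []
    for addr, portid, proto, name, tunnel in open_services(nmap_xml):
        # Nmap sets tunnel="ssl" on TLS-wrapped services (e.g. http on 443); treat those as encrypted.
        if name in CLEARTEXT_SERVICES and tunnel != "ssl":
            findings.append({"host": addr, "port": portid, "service": name, "severity": "high",
                             "requirement": "Req 4: encrypt transmission of cardholder data"})
        if name in INSECURE_SERVICES:
            findings.append({"host": addr, "port": portid, "service": name, "severity": "high",
                             "requirement": "Req 2: disable insecure or unnecessary services"})
        if name in DATABASE_SERVICES:
            findings.append({"host": addr, "port": portid, "service": name, "severity": "critical",
                             "requirement": "Req 1: database must not be reachable from untrusted networks"})
    return findings


if __name__ == "__main__":
    for f in pci_findings(SAMPLE_NMAP_XML):
        print(f"{f['host']}:{f['port']} {f['service']:<8} {f['severity']:<8} {f['requirement']}")
```

Feed it the file written by `nmap -sV -oX report.xml <cde-range>` and the closed port 8080 and the TLS-wrapped port 443 drop out, leaving only the open services that need remediation or a documented business justification.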
Table of Contents
Chapter 1: Introduction.............................................................................................................................1
1.1 Requirement for Businesses to have a Payment Card...............................................................1
1.2 Understanding the term “PCI DSS”...........................................................................................2
1.3 Why it is Obligatory for the Business Organizations?..............................................................4
1.4 Research Aim and Objectives....................................................................................................5
1.5 Problem Domain and Challenges..............................................................................................6
1.6 Research Question.....................................................................................................................6
Chapter 2: Literature review.....................................................................................................................8
2.1 Payment Card Industry..............................................................................................................8
2.2 Control of Security...................................................................................................................12
2.2.1 Security threat or risks in PCI DSS..................................................................................18
2.3 Tools........................................................................................................................................19
2.3.1 NMAP...............................................................................................................................19
2.3.2 Wincap..............................................................................................................................21
2.3.3 Wireshark.........................................................................................................................22
Chapter 3: PCI DSS................................................................................................................................27
3.1 PCI DSS...................................................................................................................................27
3.1.1 Building and Maintaining a Secure Network...................................................................28
3.1.2 Protecting Cardholder’s Data...........................................................................................30
3.1.3 Implement Strong Access Control Measures...................................................................33
3.1.4 Frequently Monitoring and Testing Networks.................................................................36
3.1.5 Maintaining Information Security Policy.........................................................................38
Chapter 4: Methodology/approach.........................................................................................................41
4.1 PCI DSS Methodology............................................................................................................41
4.1.1 Data security issues..............................................................................................................42
4.1.2 Risks.....................................................................................................................................47
Chapter 5: Implementation.....................................................................................................................50
5.1 NMAP..................................................................................................................................54
5.2 Wincap...............................................................................................................................60
5.3 Wireshark............................................................................................................................61
Conclusion..............................................................................................................................................64
References..............................................................................................................................................65

Chapter 1: Introduction
1.1 Requirement for Businesses to have a Payment Card
The payment card industry mandates that cardholder data be protected and fraud prevented.
Yet many organisations continue to struggle to achieve compliance with PCI DSS (Payment Card
Industry Data Security Standard). Five major payment card companies formulated the standard to
consolidate their individual programmes into a single set of requirements. Several updates have since
been issued by the PCI SSC (PCI Security Standards Council), the latest being version 3.1, effective
from April 2015. Compliance is often far more costly, error-prone and resource-intensive than it
needs to be, even though, with its 12 requirements and supporting guidance, the standard is more
prescriptive than most government or industry security mandates. Typical costs can run into very large
sums of money every year, depending on the organisation's level, given the effort to manually collect
and analyse log data, compile reports, and maintain and validate security controls and policies through
inefficient, labour-intensive procedures. Controls such as access control, data security and
configuration management are harder to maintain and difficult to implement, manage and enforce in
practice. In today's dynamic business environment, compliance and security practices are rigid and too
slow to respond. If the controls are implemented manually and poorly, they will be error-prone,
expensive and will actually hinder business productivity without significantly improving security. To
"just get it done", departments and even individuals may bypass policy. As a result, major data
breaches have occurred in organisations that were technically PCI DSS compliant (Bosworth, Kabay and
Whyne, n.d.). What is needed is an effective, repeatable and practical security programme that
satisfies both the level of cardholder data protection for which the standard was created and the
technical requirements of the organisation's PCI obligations. Focusing on the basic yet tricky areas
that make up a significant part of the core of the requirements, the white paper explains the
fundamentals of a PCI compliance programme:
Protect cardholder data from unauthorised use.
Strong controls around privileged users and data access.
Centralised, automated role-based access control, authorisation and authentication to be implemented.
Database activity monitoring, and system and database auditing, to be provided.
1.2 Understanding the term “PCI DSS”
PCI DSS (Payment Card Industry Data Security Standard) is a standard, administered by an industry
body, that regulates the security of customers' credit card data in order to protect that data and
prevent breaches of trust. The data has to be kept confidential and must not be misused by external
parties. American Express, Discover, Visa and MasterCard came together to form this body and set the
rules and guidelines. They started this in 2004 and the industry soon followed the guidelines. The basic
guidelines and notes of this body are explained briefly below (Solarwindsmsp.com, 2019):
Cardholders' (customers') data has to be protected; this was the highest priority on the agenda.
The data should be encrypted and/or encoded so that it cannot be read by outsiders. This becomes even
more important today, when most transactions happen online and are exposed to the outside world,
where they can be compromised by anyone with access to the internet.
Companies need to apply advanced coding practices to avoid this kind of breach. Exposed software
used by companies may be targeted by external malicious attacks and programs. Bugs introduced into
systems have to be flushed out using advanced, up-to-date software. Software companies have to keep
updating their software so that it stays current against the latest viruses and bugs that can creep
into a system. Spyware, malware and phishing are some of the elements that can affect systems and
servers (Chan, n.d.).
Client data has to be kept up to date in the sense that passwords and PINs for system access have
to be changed regularly. This prevents hackers and abusive programmers from attacking the system by
cracking passwords and PINs. The use of strong, layered firewalls helps to nullify such outside attacks
and keeps hackers from entering the system. Regular updates and thorough checks, including full scans
of the system for malicious viruses and bugs, have to be carried out (Infosec Resources, 2019). This
should take care of all the attacks and unlawful entry that can creep into the server and the protected
software.
A strong strategy, including a structured data analysis for security and for any breach of that
security, should be set out in step-by-step instructions. Any breach or attempt to breach the security
should be punished, and that should be part of the security structure. It is also the duty of every
cardholder to protect the card and to keep updated the software and all the platforms from which they
access the system to pay or transfer money (Christianson, 2011). The PCI DSS process is illustrated
below.
Figure 1: PCI DSS process
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed
to ensure that all companies that accept, process, store or transmit credit card information maintain
a secure environment.
1.3 Why it is Obligatory for the Business Organizations?
As the internet and data access become ever easier in today's wired world, people from any part
of the world can access a system and misuse the information they reach. There has been a vast increase
in the number of transactions that take place over the internet, and it becomes difficult for a company
to track them and make sure that its system is maintained perfectly. But it has to. It is the
responsibility and duty of the company to make sure that its system is breach-proof. According to the
World Payments Report (WPR) 2018, the global e-wallet market has been growing drastically, with
transaction volume estimated at a total of 41.8 billion, nearly 8.6% of global non-cash transactions.
Here the role of PCI DSS becomes very important and crucial. It is an umbrella body that sets the
standards and rules for companies on how customer data should be used. It includes the privacy policy
and the terms and conditions on how a customer's name, address, account information, security ID and
so on have to be handled (Conti, 2007). It has set a guideline for industry and the banking sector to
follow: these confidential and high-value data must not fall into the wrong hands. The organisation
also places responsibility on cardholders, business firms, customers, online traders, small industries
and anyone using online networks for monetary transactions, requiring them to be aware of all the
possible ways in which their data and information can be breached. It has time and again emphasised
the importance of these vital functions, and the serious results when they are not followed. The
repercussions of not following the advice may lead to losses and theft in unimaginable ways
(ComputerWeekly.com, 2019).
While organisations bear the burden of meeting multi-layered PCI DSS requirements, the cost of
compliance is far less than the alternative. Consequences of non-compliance include:
Suspension of merchant accounts: Card providers such as Visa and MasterCard can refuse to work
with organisations and merchants that do not meet compliance requirements, reducing your ability
to transact to a cash-only basis.
Fines: Banks and card institutions may, at their discretion, fine offending merchants up to
$500,000 per security incident, and up to $50,000 per day for every day a business operates in
violation of security measures (Cole, Krutz and Conley, 2009).
Loss of reputation, customers and business: When consumers lose confidence, they switch to
other services or brands, resulting in lost profit. It takes a very long time to build a credible
reputation but only a few minutes to destroy one, and lost credibility translates directly to an
organisation's bottom line.
Public notification: Currently 38 states have laws requiring that data breaches exposing customer
data (including cardholder data) be reported to the customers affected.
Litigation: Because cardholder data was exposed without authorisation, organisations that fail to
secure cardholder data may face civil suits, damages and other expensive legal proceedings.
According to a recent report by the Ponemon Institute, 31 percent of respondents ended their
relationship with an organisation after receiving notification of a data security breach.
1.4 Research Aim and Objectives
The main objective of this project is to research the management of data security and risks in
relation to PCI DSS. Card payments have become a very common sight in every business and organisation
that a person encounters in day-to-day life. They make it convenient for businesses to fulfil their
aims and easier for customers to carry out transactions. These organisations allow customers to pay
with various bank cards, including debit and credit cards. However, such organisations must comply with
the Payment Card Industry (PCI) security standard before incorporating a bank card system into their
existing business processes. This proposal examines information security and risks in relation to PCI.
We study the PCI standard to understand its requirements and use various tools, for example Nmap, to
assess conformance with those requirements. The name given to this consortium was the Payment Card
Industry Security Standards Council (PCI SSC). Its function was to establish the Data Security Standard
(PCI DSS). Cardholders' data has to be protected; this was the highest priority on the agenda. The data
should be encrypted and/or encoded so that it cannot be read by outsiders. This becomes even more
important today, when most transactions happen online and are exposed to the outside world, where they
can be compromised by anyone with access to the internet.
1.5 Problem Domain and Challenges
The intentions of each were roughly similar: to create an additional level of protection for card
issuers by ensuring that merchants meet minimum levels of security when they store, process and
transmit cardholder data. To address the interoperability problems among the existing standards, the
combined effort of the principal credit card organisations resulted in the release of version 1.0 of
PCI DSS in December 2004. PCI DSS has been implemented and followed across the globe. All companies
that process, transmit or store payment card data are required to maintain compliance with the PCI DSS
security standard to ensure the protection of cardholder data and to avoid fraud. Achieving PCI DSS
compliance should not be viewed as an insurmountable challenge, but dedicated attention is needed to
the processes involved in its validation.
Challenges
All requirements are Mandatory
Competency Gap
Correct Scope Definition
There is a lot of organizational pressure involved in certification
1.6 Research Question
The payment card industry mandates that cardholder data be protected and fraud prevented. Yet
many organisations continue to struggle to achieve compliance with PCI DSS (Payment Card Industry Data
Security Standard). Five major payment card companies formulated the standard to consolidate their
individual programmes into a single set of requirements. Despite the ongoing advances in point-of-sale
systems and technologies, data breaches remain a very real threat to the average small and medium-sized
business (SMB). That is because SMB owners often place their full trust in the technology solution to
protect them. In reality, all businesses must understand and adhere to the PCI Data Security Standard
in order to be fully secure.
What is the procedure for storing customer data, and how is it kept secure?
How is PCI DSS compliance maintained?
How are secure networks and systems built and maintained?
How is a secure network built and maintained?
What are the risks in PCI DSS?
What are the privacy concerns for PCI DSS?
Chapter 2: Literature review
2.1 Payment Card Industry
One of the most important tools in the hands of customers, banks, organisations and industry in
general is the use of up-to-date software and anti-malware. The use of a highly layered and highly
secured firewall is the first barrier against viruses, bugs and crack codes, protecting vital and
confidential reports and data (Marsella, 2019). For all these security-related issues, PCI DSS has come
up with standard procedures and guidelines that help protect the online system, servers and all the
platforms that are exposed to the internet. WPA/WPA2 is one such example, where wireless protection
keys are used to detect any activity in the network that is suspicious in nature (Baxter, 2014).
The PCI Data Security Standard specifies twelve requirements for compliance, organised into six
logically related groups called "control objectives". The six groups are (Entrustdatacard.com, 2019):
Maintaining an information security policy.
Maintaining a vulnerability management programme.
Building and maintaining secure networks and systems.
Implementing strong access control measures.
Protecting cardholder data.
Regularly monitoring and testing networks.
The 12 high-level requirements have not changed since the inception of the standard, but each version
of PCI DSS has divided these six groups of requirements into sub-requirements in a different way. Every
requirement and sub-requirement is further elaborated into three sections:
Testing Procedures: the processes and methods carried out by the assessor to confirm proper
implementation (Beasley, 2008).
Requirement Declaration: PCI DSS validation is based on correct implementation of the
requirements; this section gives the basic description of the requirement.
Guidance: Guidance explains the core intent of the requirement and gives corresponding content
that can help with the proper interpretation of the requirement.
For building and maintaining a secure network and systems, the twelve requirements can be outlined as
follows (SISA Information Security, 2019):
1. The data of customers, banks, dealers and industry in general is always at risk of being
breached and compromised. This is because of exposure to the internet, where malicious actors
and hackers are waiting for any chance to get their hands on this information. Setting up a
strong firewall is therefore the first and best way to stop this.
2. Scanning the online system, as well as the offline network, for bugs, viruses, unwanted
software and code helps protect the passwords and PINs of the end user of the system. Malicious
people can easily find these passwords through public information and use them to gain
unauthorised access to systems.
3. Protect stored cardholder data. Masking, truncation, encryption and hashing are techniques
used to protect cardholder data (Papagalos, 2019).
4. Encrypt data transmitted from customers over open, public networks. Strong encryption,
including certificates and the use of only trusted keys, reduces the risk of being targeted
through hacking by malicious people.
5. Protect every system against malware and perform regular updates of anti-virus software.
Up-to-date anti-virus software or supplemental anti-malware software reduces the risk of
exploitation via malware. Malware can enter a system in various ways, including internet use,
employee email, mobile phones or storage devices (Calder and Williams, 2016).
6. Day-to-day and regular updating of the system helps to stop malware and hacker software from
entering the system. Companies have to develop strong and secure software to prevent such
incidents from happening. Systems and servers in use that are vulnerable have to be identified
and given extra protection, additional passwords and firewalls to make them resistant to outside
attacks.
7. Identify and authenticate access to system components. A unique identifier (ID) has to be
assigned to every individual with access to system components, which enables accountability for
access to critical data systems (Danielyan and Knipp, 2002).
8. Restrict access to cardholder data to authorised personnel only. Processes and systems should
be used to restrict access to cardholder data on a "need to know" basis.
9. Cardholders must be verified by password and PIN before they can access their information.
This helps prevent any outsider from getting hold of the card and misusing it. Any unauthorised
access or doubt about the identity of the cardholder has to be stopped immediately, and a
thorough background check with security questions has to be undertaken.
10. Track and monitor all access to network resources and cardholder data. Logging mechanisms
should be in place to detect or limit the impact of data compromises and to track user
activities that are critical to prevent (Crouthamel, n.d.).
11. Security systems and processes should be tested regularly. Systems, processes and software
should be tested frequently to uncover vulnerabilities that could be used by malicious people.
New vulnerabilities are constantly being discovered.
12. Maintain an information security policy for all personnel. Making staff understand the
sensitivity of data and their responsibility to protect it is incorporated into the security
policy (Digital Guardian, 2019).
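The masking, truncation and hashing named in requirement 3 above, worked through as an added Python example (not code from the proposal). The sample PANs are publicly known test-card numbers, the key is constructed, and the visible-digit rule (first six and last four at most) and the point that an unkeyed hash beside a truncated PAN is brute-forceable are the author's reading of the standard's guidance.

```python
"""PAN protection techniques from Requirement 3: masking, truncation, keyed hashing."""
import hashlib
import hmac
import secrets

# Constructed input: public test-card numbers, never real account numbers.
SAMPLE_PANS = ["4111111111111111", "5555555555554444", "378282246310005"]


def luhn_valid(pan):
    """Luhn checksum: True if pan is a syntactically valid 13-19 digit card number."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Display masking: at most the first six and last four digits stay visible."""
    if not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan):
    """Storage truncation: keep only the last four digits; the rest is discarded, not hidden."""
    if not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    return pan[-4:]


def hash_pan(pan, key):
    """Render the PAN unreadable with a keyed hash (HMAC-SHA256).

    A plain SHA-256 of a 16-digit PAN is brute-forceable: with the issuer prefix and
    the last four known from the truncated copy, only the middle digits are unknown.
    A secret key, stored apart from the hashes (e.g. in an HSM or KMS), closes that gap.
    """
    if not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def store_record(pan, key):
    """What a merchant record may hold: no full PAN, only the three protected forms."""
    return {"masked": mask_pan(pan), "last4": truncate_pan(pan), "token": hash_pan(pan, key)}


def lookup_matches(candidate_pan, record, key):
    """Match a presented PAN against a stored record without ever storing the full PAN."""
    return hmac.compare_digest(hash_pan(candidate_pan, key), record["token"])


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # constructed for the demo; hold it separately from the data
    for pan in SAMPLE_PANS:
        rec = store_record(pan, key)
        print(rec["masked"], rec["last4"], rec["token"][:16] + "...", lookup_matches(pan, rec, key))
```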
However, there are further consequences of not securing sensitive cardholder data; the financial
after-effects of this fraud alone are overwhelming and include the following:
Loss of customer confidence
Cost of reissuing new payment cards
Higher subsequent compliance costs
Settlements, judgements and legal expenses
Penalties and fines
Termination of the ability to accept payment cards
Lost jobs
Bankruptcy or insolvency
PCI DSS requires that the customer pass through a series of security questions and PIN codes
before they can access the system and the network. This helps stop data hacks and thefts by
individuals who have obtained access to the customer's information, which they may have acquired by
unfair means. Principles and proposed guidelines have to be followed so as not to put the important
and confidential data of customers at risk. The guidelines give a detailed view of how the data has to
be collected, sorted, used, transferred and even deleted from servers and systems. All of this sits
under the overall guidelines of PCI DSS, which has the overall authority for setting standards for
information and security-related issues (Gollmann, 2011).
The PCI SSC does not enforce compliance: individual acquiring banks or payment brands are
responsible for ensuring compliance.
PCI DSS is intended to protect organisations and cardholder data, and to govern how that data is
processed, stored and transmitted.
Who Does PCI DSS Affect?
PCI DSS applies to all organisations that store, process or transmit cardholder data and/or
sensitive authentication data. If a business outsources its payment processing to a third party, the
business is responsible for ensuring that the account data is adequately protected by that third party
as required by the PCI DSS requirements.
Impacts of PCI DSS
PCI DSS is intended to ensure that the people and systems that access the data have adequate
controls around their use, and to protect cardholders' sensitive data by governing the processes.
Cardholder data and sensitive authentication data are defined as follows:
Cardholder data includes the cardholder's name, PAN (Primary Account Number), expiration date and
service code. Sensitive authentication data includes PINs or PIN blocks, full track data (magnetic
stripe data or the equivalent data present on a chip) and CAV2/CVC2/CVV2/CID. The PAN is the most
critical component related to the cardholder, as it links to the vital information about the holder,
including name, address, code and important dates, so these important and confidential data have to be
protected according to the guidelines and rules laid out by PCI DSS.
The points and positions where sensitive data can be lost: cardholder data and sensitive
authentication data can be lost in various places and in different circumstances, including (Hudson and
Hudson, 2008):
Compromised card readers
Point-of-sale systems
Storage systems
Databases
Online portals
Wireless routers
Various electronic eavesdropping techniques
Filing systems
2.2 Control of Security
The 12 PCI DSS requirements are a set of security controls that organisations are required to
implement to protect credit card data and comply with PCI DSS. The requirements were created and are
maintained by the PCI Security Standards Council (NewVoiceMedia, 2019).
Guidelines have been set up, and organisations and the industry have to adhere to them. No
compensation or allowance is granted in the event of a security breach in which data is stolen; each
case has to be judged on its circumstances and on what the evidence shows. These matters are handled
by a PCI QSA. Failure to meet the 12 PCI DSS requirements may result in penalties or termination of
credit card processing privileges (HUTCHENS, 2017).
The PCI SSC has revised the PCI DSS standards to address emerging risks and new methods of data
processing and storage. Organisations that take part in payment card transactions are expected to
comply with the revised standards. The overall requirements set out in PCI DSS are regarded as data
security best practice by all the major credit card companies for handling sensitive payment data, and
are classified into six areas (Shaw, 2015). Organisations are considered compliant with the PCI DSS
standards by implementing strict controls covering the storage, transmission and handling of
cardholder data, and by maintaining adequate monitoring, testing and reporting of the results on a
yearly basis.
12 steps of the PCI DSS requirement checklist:
1) Objective: Build and maintain a secure network and systems.
Maintain a firewall configuration to protect cardholder data.
Do not use vendor-supplied defaults for system passwords or other security parameters.
2) Objective: Protect cardholder data.
Protect stored cardholder data.
Encrypt transmission of cardholder data across open, public networks.
3) Objective: Maintain a vulnerability management programme (Kotenko and Skormin, 2012).
Protect all systems against malware and regularly update anti-virus software or programs.
Develop and maintain secure systems and applications.
4) Objective: Implement strong access control measures.
Restrict access to cardholder data by business need to know.
Identify and authenticate access to system components.
Restrict physical access to cardholder data.
5) Objective: Regularly monitor and test networks (Lehtinen and Sr, 2011).
Track and monitor all access to network resources and cardholder data.
Regularly test security systems and processes.
6) Objective: Maintain an information security policy.
Maintain a policy that addresses information security for all personnel.
Additional PCI DSS requirement for shared hosting providers: shared hosting providers must protect
the cardholder data environment.
Achieving PCI DSS Compliance
To comply with the current PCI DSS requirements, organisations must implement controls centred on
six high-level objectives. These objectives are broken down into twelve requirements. Once all of these
controls are in place, a system must be set up for monitoring, testing, reporting and remediating the
findings of the client's PCI DSS compliance testing (SearchSecurity, 2019).
Building and Maintaining a Secure Network and System
The first two requirements explain how firewalls must be implemented, maintained and managed.
a. Install and maintain a firewall configuration to protect cardholder data
Firewalls are a basic component of any computer network and the first line of defence for
controlling Internet traffic. A firewall inspects all network traffic and blocks any transmission that
does not meet the organisation's predetermined security criteria. All systems must be protected from
unauthorised access from untrusted networks, whatever the entry path (for instance, Internet
e-commerce, employee Internet access, employee e-mail access, B2B connections or wireless networks).
b. Do not use vendor-supplied defaults for system passwords or other security parameters
Criminals and data thieves use vendor default passwords and default settings to compromise
systems (Lesca, 2013). It is essential to change vendor-supplied default passwords and settings and
to remove or disable unnecessary default accounts before introducing new systems into your
environment.
Secure Cardholder Data
The third and fourth requirements explain how to protect cardholder data during processing,
transmission and storage.
c. Protect stored cardholder data
Several methods exist to protect customers' sensitive data: encryption, masking, truncation and
hashing can all become a fundamental part of a business's cardholder data protection plan.
Moreover, cardholder data should not be stored unless it is required, and unprotected data should
never be sent by e-mail (Lin, Tsudik and Wang, 2011).
Protecting cardholder data is required for several direct and indirect financial reasons. During
2013 to 2014, Target stores suffered a massive data breach: the direct financial cost was 145 million
over the two years, and the indirect toll was staggering, with 110 million customers affected.
d. Encrypt cardholder data during transmission over open, public networks
Sensitive data and cardholder authentication information must be encrypted during transmission
over open, public networks. Such networks are used by individuals who exploit their open and
visible nature to gain unauthorised access (Marsh, 2010).
Maintaining Vulnerability Management
The fifth and sixth requirements cover creating, maintaining and verifying all in-scope payment
systems through vulnerability management, ensuring that current vulnerabilities are identified and
corrected.
e. Protect all systems against malware and regularly update anti-virus software or programs
Malware is malicious software that can be introduced into systems during ordinary business
activity, for instance through staff e-mail, Internet use, personal employee computers and phones,
or an infected storage device such as a USB drive. Anti-virus software must be installed and
running on all business systems to protect the client's environment. Security software must be
properly configured and maintained, since new and continuously evolving malware is discovered on
a daily basis.
f. Develop and maintain secure systems and applications
Intruders use security vulnerabilities in applications and systems to gain privileged access to
sensitive cardholder data. Such vulnerabilities are remediated with security patches (often supplied
by the vendor), which must be installed by whoever manages those systems. All applications and
systems must have appropriate, current software patches to protect against exploitation and
compromise of cardholder data (McClure, Scambray and Kurtz, 2012).
Implement Strong Access Control Measures
The seventh and eighth requirements demand that access paths to the affected systems and data be
secured, and that access be commensurate with each person's role. All access should be restricted
to approved staff, covering both system access and access to physical areas (Nmap, 2012).
g. Restrict access to cardholder data
Access to data must be granted on a need-to-know basis, so systems and processes must be in place
to enforce restricted access. Need to know means that access is granted at the minimum level, and
only if necessary, to perform a job. Employee error has been the primary source of data breaches
since 2015. The best way to reduce this problem is to have strong access control in place for every
affected system.
h. Identify and authenticate access to system components
It is essential to assign a unique ID and set of credentials to each person who accesses sensitive
information. This ensures that each person is accountable for his or her actions and that an element
of traceability is present (Orloff, 2008).
i. Restrict physical access to cardholder data
Physical access to all systems and data must be restricted.
Regularly Monitor and Test the Networks
The ninth and tenth requirements consolidate the preceding measures: all access to network
resources and cardholder data is tracked and monitored, alongside regular testing of systems,
processes and controls.
j. Track and monitor all access to network resources and cardholder data
Logging mechanisms and the ability to trace the activity of any device that accesses sensitive
information are required to prevent, detect or limit a data breach. The availability of logs enables
tracking, alerting and analysis when an intrusion occurs; it is practically impossible to identify and
investigate a breach without system logs (PCI DSS, 2011).
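As an added example (not the author's code and not part of the proposal), the Python script below shows what the log review described above looks like in practice: it reads access-log lines for a cardholder data store and raises alerts that map to the requirements discussed in this section (shared accounts and failed-login lockout under the eighth requirement, need-to-know violations under the seventh, and out-of-hours access under the monitoring requirement). The log format, the sample lines, the user names, the resource names, the authorisation matrix and the business-hours window are all constructed assumptions.

```python
"""Review of access logs for a cardholder data store against PCI DSS
Requirements 7 (need to know), 8 (unique IDs, lockout) and 10 (tracking).
Added example, not the proposal's code; the log format, sample lines and
authorisation matrix are constructed assumptions."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample log (not from any real system):
# ISO timestamp, user, action, resource, result
SAMPLE_LOG = """\
2019-03-04T09:12:01 alice READ cardholder_db/orders OK
2019-03-04T09:15:44 bob READ cardholder_db/orders OK
2019-03-04T09:20:10 admin READ cardholder_db/pan_vault OK
2019-03-04T10:02:11 carol LOGIN cardholder_db FAIL
2019-03-04T10:02:20 carol LOGIN cardholder_db FAIL
2019-03-04T10:02:31 carol LOGIN cardholder_db FAIL
2019-03-04T10:02:40 carol LOGIN cardholder_db FAIL
2019-03-04T10:02:52 carol LOGIN cardholder_db FAIL
2019-03-04T10:03:05 carol LOGIN cardholder_db FAIL
2019-03-04T23:41:03 alice EXPORT cardholder_db/pan_vault OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (OK|FAIL)$")
# Generic accounts cannot be tied to one person (Requirement 8).
GENERIC_ACCOUNTS = {"admin", "root", "administrator", "shared"}
# Assumed need-to-know matrix (Requirement 7): resource -> users allowed to touch it.
AUTHORIZED = {
    "cardholder_db/orders": {"alice", "bob"},
    "cardholder_db/pan_vault": {"alice"},
}
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59, assumed for this example
LOCKOUT_THRESHOLD = 6          # consecutive failures after which the account should be locked


def parse_line(line):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, action, resource, result = m.groups()
    return {"time": datetime.fromisoformat(ts), "user": user,
            "action": action, "resource": resource, "result": result}


def review(log_text):
    """Return a list of (requirement, user, message) alerts for the log."""
    alerts = []
    failures = Counter()  # consecutive failed logins per user
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e is None:
            continue
        if e["action"] == "LOGIN":
            if e["result"] == "FAIL":
                failures[e["user"]] += 1
                if failures[e["user"]] == LOCKOUT_THRESHOLD:
                    alerts.append(("Req 8", e["user"],
                                   "%d failed logins; lockout expected" % LOCKOUT_THRESHOLD))
            else:
                failures[e["user"]] = 0
            continue
        # Data access events: who, may they, and when.
        if e["user"] in GENERIC_ACCOUNTS:
            alerts.append(("Req 8", e["user"], "generic account used on " + e["resource"]))
        if e["user"] not in AUTHORIZED.get(e["resource"], set()):
            alerts.append(("Req 7", e["user"], "no need-to-know for " + e["resource"]))
        if e["time"].hour not in BUSINESS_HOURS:
            alerts.append(("Req 10", e["user"],
                           "%s on %s outside business hours" % (e["action"], e["resource"])))
    return alerts


if __name__ == "__main__":
    for req, user, msg in review(SAMPLE_LOG):
        print(req, user, msg)
```

Run against the constructed log, the review flags the shared "admin" account reading the PAN store (twice: as a generic account and as an account with no need-to-know entry), the six consecutive failed logins for "carol", and the out-of-hours export by "alice". Every alert is only possible because each line carries a user identity and a timestamp, which is the point of the logging requirement.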
k. Regularly test security systems and processes
System vulnerabilities are being discovered continually, so all software, processes and systems
must be tested accordingly.
Maintain an Information Security Policy
Clients must implement and maintain a policy that addresses information security for all staff.
l. Maintain a policy that addresses information security for all personnel
It is common practice to ensure that every employee understands what is expected of him or her
with respect to the security of customers' sensitive data. Staff must know the sensitivity of the
information, and whether their individual data-handling obligations are being met. PCI DSS is a
security standard that protects the systems within its scope, and it sets out what is expected of
staff. The security policy is essential for good reason: cyber attacks are damaging and
lightning-fast. When new malware is released, it takes just 82 seconds for someone to inadvertently
become a victim (Petersen, 2008).
2.2.1 Security threats or risks in PCI DSS
The PCI DSS security threats are listed below, each paired with the PCI DSS objective that addresses it:
1. Account tampering - Maintain a vulnerability management program
2. Merchant Web site outage - Build and maintain a secure network
3. Account or identity theft - Protect cardholder data
4. Internal theft - Implement strong access control measures
5. "Ghost" attacks - Regularly monitor and test networks
2.3 Tools
2.3.1 NMAP
Nmap (Network Mapper) is a powerful tool that can be interfaced with any system and provides a
fully flexible reporting structure. The output produced by Nmap can be used to visualise threats on
an ongoing basis. Graphical visualisation is available, which makes review simpler and tracing
convenient. Scripts and code can be written to interface with Nmap to check PCI DSS compliance and
detect intrusions (Nmap.org, 2019).
Nmap is a free, open-source tool for vulnerability checking and network discovery. Network
administrators use Nmap to identify which devices are running on their networks, to discover the
services they offer, to find open ports and to identify security threats (Calderón Pale, 2012).
Nmap can be used for monitoring networks of any size, including very large ones with huge numbers
of devices and subnets (Duarte et al., 2014).
Although Nmap is continually developed and is extremely versatile, at a basic level it is a
port-scanning tool that gathers information by sending raw packets to system ports. It listens for
the responses and determines whether ports are open, closed or filtered, for instance by a firewall.
Other terms used for port scanning include port discovery (Calderon, n.d.).
Nmap's adaptability and power make it stand out. It offers a wide range of free network scanning
utilities, like the free open-source vulnerability scanners available to security reviewers and
system administrators. Although its core function is port scanning, Nmap supports a range of
related capabilities, including:
- OS detection: Nmap can identify the operating systems running on network devices (also known as
OS fingerprinting), revealing the underlying operating system, vendor name, product version and an
estimate of the device's uptime (Lyon, 2010).
- Network mapping: Nmap can identify the devices on a network (also known as host discovery),
including routers, switches and servers, and how they are physically connected.
- Service discovery: Nmap can identify not only the hosts but also whether they act as mail, web or
name servers, along with the specific applications and versions of the software they run (Pale,
2012; POOLE, 2017).
- Security auditing: if a system administrator receives an alert about a vulnerability in a
specific version of an application, for instance, the network can be scanned to determine whether
that software version is running and steps taken to patch the hosts. Knowing which operating
systems and application versions run on the network lets network managers judge their exposure to
specific flaws. Scripts can also automate tasks such as detecting specific vulnerabilities.
Using Nmap for hacking, regardless of whether it is well intended to "right a wrong", can lead to
both civil and criminal problems. Generally speaking, Nmap cannot itself be used to exploit networks
and systems, so its use alone is not what gives rise to civil or criminal issues; rather it is what
is done with the results of the Nmap scan, or whether Nmap is run so aggressively that network or
host outages are caused. I make a point of not distinguishing between good hackers and bad hackers
when discussing Nmap, because time and again even "good" hacking can give rise to civil claims.
Whenever the activity moves from learning that a system is vulnerable to exploiting that
vulnerability, it becomes hacking (Stallings and Brown, 2018).
Organisations that accept credit and debit cards must pass assessments conducted by auditors
approved by the Payment Card Industry, an association created by the card brands to hold the
industry to common standards. Such organisations must meet the PCI DSS. As a notable part of PCI
DSS, insecure protocols are not permitted. One protocol that causes many organisations trouble in
PCI DSS assessments is version 2 of the Secure Sockets Layer (SSL) protocol.
2.3.2 Wincap
Wincap consists of a driver, which extends the operating system to provide low-level network access,
and a library that is used to easily access the low-level network layers (Winpcap.org, 2019). This
library also provides the Windows version of the well-known libpcap Unix API. With this set of
features, Wincap has been the packet capture and filtering engine for many open-source and commercial
network tools, including protocol analysers, network monitors, network intrusion detection systems,
sniffers, traffic generators and network testers. Some of these networking tools, such as Wireshark,
Nmap, Snort and Ntop, are well known and used throughout the networking community. Wincap allows
users to capture and transmit network packets bypassing the protocol stack, and it includes
kernel-level packet filtering, a network statistics engine and support for remote packet capture; it
has been regarded as the industry-standard tool for link-layer network access in Windows
environments. WinDump can be used to watch, diagnose and save to disk network traffic according to
various complex rules. Winpcap.org is also the home of WinDump, the well-known Windows version of
the tcpdump tool. Wincap offers extensive security and setup options to configure the system with
the proper financial and data-validation controls so that tasks and data access can be securely
distributed to other district management and program employees. Wincap is intended to be more than
a business office data processing system: it is a powerful and adaptable district-wide data
management system (Wincap.com, 2019).
The Microsoft Windows® conventions used in other popular Windows-based applications are used in
Wincap:
- Tool tips and consistent application toolbars for all system functions.
- Each user can customise their workplace using user-defined toolbars within WinCap for the reports
and functions they use most often.
- A multi-window, visual environment gives quick access to data by whatever measure is needed for
requests: by vendor, by purchase order, by budget code, by employee, etc.
- User-defined report and data query "profiles" allow each user to save their settings and
selection criteria for frequently used requests.
- Integration with Crystal Report Writer®, the industry-standard report writer, with a data
dictionary to support the use of system-maintained data as required.
- Integration with Microsoft Office® products (Wright, 2009).
2.3.3 Wireshark
Wireshark is the world's foremost and most widely used network protocol analyser. It lets you see
what is happening on your network at a microscopic level and is the de facto (and often de jure)
standard across many commercial and non-profit enterprises, government agencies and educational
institutions. Wireshark development thrives thanks to the contributions of networking experts around
the globe, and it is the continuation of a project started in 1998 by Gerald Combs. Wireshark has a
rich feature set that includes the following (Chappell, 2012):
- Deep inspection of many protocols, with more being added all the time.
- Live capture and offline analysis.
- Standard three-pane packet browser.
- Multi-platform: runs on Linux, FreeBSD, Windows, NetBSD, Solaris, macOS and others.
- Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility.
- The most powerful display filters in the industry (global.jcb, 2019).
- Rich VoIP (Voice over IP) analysis.
- Capture files compressed with gzip can be decompressed on the fly.
- Live data can be read from Ethernet, PPP/HDLC, IEEE 802.11, FDDI, ATM, USB, Token Ring,
Bluetooth, Frame Relay and others.
- Decryption support for many protocols, including ISAKMP, Kerberos, IPsec (Internet Protocol
Security), SSL/TLS, SNMPv3, WPA/WPA2 and WEP (Wired Equivalent Privacy).
- Colouring rules can be applied to the packet list for quick, intuitive analysis.
- Output can be exported to PostScript®, XML, CSV or plain text.
One of the best ways for a business to protect itself from cybercrime is to submit to and comply
with PCI DSS data security. Basically, there are five major credit card networks (Visa Inc., American
Express, MasterCard Worldwide, JCB and Discover Financial Services), and together they developed and
implemented the PCI DSS standard. The standard is a set of security measures that companies must
undertake, especially when setting up their IT environment and payment processing. It is important
to first understand these requirements (Blackwell, 2018). Some companies will need to use their IT
department to meet these requirements before taking the necessary steps to attest to their conformity.
The protection of cardholder information is everyone's job. It is an investment that pays off for
the business in several ways: protecting the brand's reputation, reducing fraud and losses, cutting
unnecessary expenses, safeguarding investors and stakeholders and, above all, the safety and security
of its customers (Ahmed, 2018).
Building customer loyalty by building trust will help to retain customers who are vigilant about
security. To achieve this, a company needs to comply with PCI DSS. Companies must take two steps,
where applicable, to validate their compliance with the PCI DSS standard. The first is to answer the
Self-Assessment Questionnaire (SAQ), since most companies need to assess their IT environment; the
next step is to process payments using the appropriate questionnaire. The PCI security site presents
the questionnaires related to the PCI security standards.
Another important aspect is network vulnerability analysis. Depending on how payments are
processed, a vulnerability analysis may be required, which must be carried out by an approved
scanning provider. An obvious question is what would happen if one does not care about PCI
compliance. In the worst case, the ability to accept credit card payments may be suspended or
revoked. Failure to comply with this e-commerce requirement can result in data breaches, loss of
customer confidence and termination of the agreement that allows an organisation to accept card
payments. In addition, the company may be liable to credit card issuers for card replacement and for
damages. Although 80% of data breaches or hacking incidents occur at small and medium-sized
merchants, virtually every organisation is under threat (Wilson, Roman & Beierly, 2018). The
severity of an incident is very high for mission-critical applications, and therefore their risk
level is also very high. The good news is that no organisation that adheres to the PCI security
standards has ever had its payments or payment data tampered with (Desharnais & Desharnais, 2018).
Although compliance has increased by 167% since 2012, some 80% of organisations still do not
meet the standards (Elluri, Nagar & Joshi, 2018). To obtain PCI accreditation, the e-commerce company
must demonstrate that it meets many security requirements; for instance, the company must certify
that it has:
1. A quest to build a strong and secure network
a. Set up a computer firewall
b. Do not use usernames and passwords assigned by the provider
2. A quest to keep cardholder data under surveillance
a. A way to keep cardholder data protected.
b. A way to encrypt the transmission of data, with the necessary checks.
3. A quest for a special program to keep vulnerabilities in check.
a. A way to keep antivirus software updated.
b. A way to design and maintain trustworthy, secure systems.
4. A quest to monitor access control measures.
a. A way to keep cardholder data out of employees' reach.
b. A way to assign an ID to every single user who operates on the systems.
c. A way to restrict physical access to cardholder data.
5. A quest to run regular tests and keep network monitoring in check.
a. A way to easily trace access to network resources and cardholder data.
b. A way to ensure consistent testing of security systems and procedures.
6. A quest to keep the security policy up to the minute
a. A way to keep a structured organisational policy on information security
Expected Practical Element Output (e.g. software tool, simulation, framework)
Nmap is a powerful tool which can be interfaced with any system and provides a very flexible
reporting structure. The output produced by Nmap can be used to visualise threats on a real-time
basis. The advantage of Nmap is that it can actually facilitate the process of following and meeting
the standards. In effect it can help with complying with the standard, which differs for data in
transit and data "at rest", the latter being stored on a server residing on the premises. Data in
motion is obviously much more vulnerable than data at rest; the latter may be somewhat more secure
because the company may have fortified its network with firewalls and other security tools and
equipment. PCI DSS therefore has a more stringent outlook for data in "transit". Graphical
visualisation is available, which makes viewing easier and tracing convenient. Nmap has been used
successfully by forensic experts and has a very high rate of success in mission-critical applications.
Here is one code snippet which shows the power and versatility of the tool:
$ nmap -sV -A -oX nmap-report.xml --script=vulscan/vulscan.nse snippets.aktagon.com
$ xsltproc nmap-report.xml -o nmap-report.html
The first command scans the host with service detection and the vulscan script and writes an XML
report; the second converts that report to HTML. Any vulnerabilities found are reported.
Besides, Nmap can report network congestion, and new software such as vulscan can easily interface
with Nmap to enhance its capabilities. The vulnerabilities are easily reported and stored in a
repository, and this can then be compared with the guidelines provided by PCI DSS. Even if the
guidelines change in future, the changes can be accommodated because nothing is hard-coded. An
output from the vulscan and Nmap interface is shown below.
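As an added example (not the author's code and not part of the proposal), the Python script below shows the comparison step described above: it parses the XML that `nmap -oX` writes and maps each open port to the PCI DSS requirement it may breach, including the SSL version 2 problem mentioned earlier in this chapter. The embedded report is constructed to resemble Nmap's XML for a single host; the host address, the service names, the `sslv2` script result and the requirement mapping are assumptions made for the example, and a real run would read the report file produced by the command above instead.

```python
"""Parse an Nmap -oX XML report and flag findings that matter for PCI DSS
Requirements 1 (exposed internal services), 2 (insecure defaults and
protocols) and 4 (encryption in transit).  Added example, not the proposal's
code; SAMPLE_REPORT is constructed, not real scan output."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape nmap -sV -oX produces for one host (abridged).
# The address is a documentation range address; nothing here was really scanned.
SAMPLE_REPORT = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX nmap-report.xml 192.0.2.10">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/>
        <script id="sslv2" output="SSLv2 supported"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
      <port protocol="tcp" portid="8080"><state state="filtered"/><service name="http-proxy"/></port>
    </ports>
  </host>
</nmaprun>"""

# Services that carry credentials or data in the clear (Requirement 4 / Requirement 2).
CLEARTEXT_SERVICES = {"telnet", "ftp", "pop3", "imap", "http"}
# Database services that should never be reachable from an untrusted network (Requirement 1).
DATABASE_SERVICES = {"mysql", "ms-sql-s", "postgresql", "oracle"}


def parse_report(xml_text):
    """Return (host, port, service name, {script id: output}) for every open port."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed or filtered ports are not exposed
            svc = port.find("service")
            name = svc.get("name") if svc is not None else ""
            scripts = {s.get("id"): s.get("output", "") for s in port.findall("script")}
            findings.append((addr, int(port.get("portid")), name, scripts))
    return findings


def pci_checks(findings):
    """Map each open port to the PCI DSS requirement it may violate (assumed mapping)."""
    issues = []
    for addr, portid, name, scripts in findings:
        if name in CLEARTEXT_SERVICES:
            issues.append((addr, portid, "Req 4: cleartext service %s exposed" % name))
        if name in DATABASE_SERVICES:
            issues.append((addr, portid, "Req 1: database service %s reachable" % name))
        if "supported" in scripts.get("sslv2", ""):
            issues.append((addr, portid, "Req 4: SSL version 2 accepted"))
    return issues


if __name__ == "__main__":
    for addr, portid, msg in pci_checks(parse_report(SAMPLE_REPORT)):
        print("%s:%d %s" % (addr, portid, msg))
```

The check tables are plain data, so when the guidelines change only the sets at the top need editing, which is the "no hard coding" property the paragraph above describes. Filtered ports are skipped because they are already blocked at the firewall, which is exactly what the first requirement asks for.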
Required Resources
No specialist equipment is required, other than a machine with a popular Linux distribution such as
Ubuntu 18 installed. The Nmap software and other interfaces can be installed easily. Many forums and
even third-party open-source tools are available which can be used with Nmap with the necessary
changes. The behaviour of the software can also be changed through configuration files: the config
files accompany the software, and whatever changes are required can be specified there. The scanning
interface will then work accordingly; the only requirement is that the security administrator
refreshes the instance before the changes take effect in real time. Proper and secure Internet
access must be ensured, as well as access to the gateway and the network. Appropriate definitions
and configurations can be made at the firewall, router and gateway software level to permit normal
operation of the tool. A standard repository can be used to save the data on the system so that it
can be retrieved.
Required Knowledge/Skills
A thorough knowledge of scripting is required, along with working knowledge of the shell or Ubuntu
and basic system administration. Expert knowledge of Nmap is a prerequisite, and many manuals and
training courses are available to refresh these skills. Knowledge of how to install software on the
system and how to work in a network environment is needed, and if it is a cloud-based environment,
basic DevOps knowledge may be required to understand cloud operations. A good knowledge of working
with files and storing and retrieving data is handy. Knowledge of the PCI DSS standards is a must,
as is knowledge of the compliance controls to be implemented on the system.
Chapter 3: PCI DSS
3.1 PCI DSS
The aim of PCI DSS is to protect cardholder data wherever it is processed, transmitted or stored.
The security controls and processes required by PCI DSS indicate the key points for protecting
cardholder account data, including the PAN, the primary account number embossed on the front of the
card (library.educause.edu, 2019). Merchants and any other service providers involved in payment
card processing must never store sensitive authentication data after authorisation. This includes
sensitive data encoded on the card's magnetic stripe or chip, and the personal identification number
entered by the cardholder. This section describes the PCI DSS objectives and the associated twelve
requirements (Ataya, 2010).
3.1.1 Building and Maintaining a Secure Network
Today, many payment card transactions (for instance, debit in the United States and "chip and PIN"
in Europe) use PIN entry devices and computers connected to networks. With the help of network
security controls, organisations can keep criminals from remotely accessing payment system networks
and stop them from stealing cardholder data. Previously, theft of account records required a
criminal to physically enter the organisation's business premises (Ortiz, 2014).
Requirement 1: Install and maintain a firewall and router configuration to protect cardholder data
Firewall functionality may also appear in other system components. Routers are hardware or software
that connect two or more networks. Every such device is in scope for assessment under the first
requirement whenever it is used within the cardholder data environment. Firewalls are devices that
control the computer traffic permitted into and out of an organisation's network, and into sensitive
areas within its internal network (Bonner, O'Raw and Curran, 2011).
- Establish firewall and router configuration standards that formalise testing whenever
configurations change; that identify all connections to cardholder data (including wireless); that
use specific settings for each implementation; and that stipulate a review of the configuration rule
sets at regular intervals.
- Build firewall and router configurations that restrict traffic from "untrusted" networks and
hosts, except for what is necessary for the cardholder data environment.
- Prohibit direct public access between the Internet and any system component in the cardholder
data environment.
- Install personal firewall software on any mobile and employee-owned computers with direct
connectivity to the Internet which are used to access the organisation's network.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security
parameters
The easiest way for a hacker to access your internal network is to try default passwords or exploit
default system software settings in your payment card infrastructure. Far too often, merchants do
not change default passwords or settings on deployment. This scenario is comparable to leaving your
store unlocked overnight when you go home. The default passwords and settings for most network
devices are widely known (Coburn, 2010). Such information, combined with hacker tools that reveal
which devices are on your network, can make unauthorised entry a trivial task if you fail to change
the defaults.
- Always change vendor-supplied defaults before installing a system on the network. This includes
wireless devices that are connected to the cardholder data environment or are used to transmit
cardholder data.
- Develop configuration standards for all system components that address all known security
vulnerabilities and are consistent with industry-accepted definitions. Update the system
configuration standards as new vulnerability issues are identified.
- Encrypt, using strong cryptography, all non-console administrative access, for instance
browser/web-based management tools (Colley, 2008).
- Shared hosting providers must protect each entity's hosted environment and cardholder data
(details are in PCI DSS Appendix A: "Additional PCI DSS Requirements for Shared Hosting
Providers").
3.1.2 Protecting Cardholder Data
Entities accepting payment cards are required to protect cardholder data and prevent its
unauthorised use, whether the data is printed, transmitted over a public network to a remote server
or stored locally (Bsigroup.com, 2019). Data refers to any information that is printed, processed,
transmitted or stored in any form on a payment card (Fernandes, 2015).
Requirement 3: Protect stored cardholder data
In general, no cardholder data should be stored unless it is necessary to meet business needs.
Sensitive data on the magnetic stripe or chip must never be stored. If your organisation stores the
PAN, it is essential to render it unreadable.
- Limit cardholder data storage and retention time to that required for business, legal and regulatory purposes, as documented in your data retention policy. Purge unneeded stored data at least quarterly (Hartley, 2009).
- Do not store sensitive authentication data after authorisation (even if it is encrypted). Issuers and related entities may store sensitive authentication data only if there is a business justification and the data is stored securely.
- Mask the PAN when it is displayed; the first six and last four digits are the maximum number of digits that may be shown. This does not apply to personnel with a legitimate business need to see the full PAN, and it does not supersede stricter requirements for displays of cardholder data, for example on a point-of-sale receipt (Everett, 2009).
- Render the PAN unreadable anywhere it is stored, including on portable digital media, backup media, in logs, and in data received from or stored by wireless networks. Acceptable approaches include strong one-way hashes of the entire PAN, truncation, index tokens with securely stored pads, and strong cryptography (Kedgley, 2014).
- Protect the keys used to encrypt cardholder data against disclosure and misuse.
- Fully document and implement all key-management processes and procedures for the cryptographic keys used to encrypt cardholder data (Hallberg, 2013).
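The following is an added example, not code from the original proposal, showing what the masking, truncation and one-way hashing described above look like in practice, together with a scrubber for log lines (Requirement 3.4 covers logs as well). The HMAC key, the test PANs and the log line are constructed for the example; a real key would come from the documented key-management process.

```python
"""Rendering PANs unreadable (added example for Requirement 3; not code from
the original proposal). Shows masking for display, truncation for storage,
a keyed one-way hash of the whole PAN, and a scrubber that finds Luhn-valid
card numbers in log lines and masks them. The PANs used are standard test
numbers, not real cards; the HMAC key is an assumption."""
import hashlib
import hmac
import re

# Assumed key; in production it comes from key management, never from source.
HASH_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")

# 13 to 19 digits, optionally separated by single spaces or dashes.
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out timestamps, order ids and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _digits(pan: str) -> str:
    d = re.sub(r"\D", "", pan)
    if not 13 <= len(d) <= 19 or not luhn_ok(d):
        raise ValueError("not a valid PAN")
    return d


def mask_pan(pan: str) -> str:
    """Display form (3.3): at most the first six and last four digits visible."""
    d = _digits(pan)
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form (3.4 truncation): the middle digits are discarded, not
    hidden, so nothing on disk can be turned back into the full PAN."""
    d = _digits(pan)
    return d[:6] + d[-4:]


def hash_pan(pan: str, key: bytes = HASH_KEY) -> str:
    """One-way hash of the whole PAN (3.4), keyed with HMAC-SHA256. An unkeyed
    SHA-256 stored beside a truncated copy lets an attacker brute-force the six
    missing digits in seconds, which is why the key must stay secret."""
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()


def scrub_log_line(line: str) -> str:
    """Replace every Luhn-valid card number in a log line with its masked form;
    digit runs that fail the Luhn check are left untouched."""
    def repl(m):
        raw = re.sub(r"\D", "", m.group(0))
        return mask_pan(raw) if luhn_ok(raw) else m.group(0)
    return _PAN_RE.sub(repl, line)


if __name__ == "__main__":
    # Constructed log line containing a test PAN with spaces.
    print(scrub_log_line("2019-04-21T10:02:11Z auth ok pan=4111 1111 1111 1111 amt=12.50"))
```

Truncation and the keyed hash are different controls: the truncated form is for operational use (receipts, lookups by last four digits), while the HMAC lets two records be matched to the same card without either storing the PAN or exposing it to an offline brute-force of the hash.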
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Cyber criminals may be able to intercept transmissions of cardholder data over open, public networks, so it is essential to prevent them from being able to read that data. Encryption is the technology used to render transmitted data unreadable by any unauthorised person.
- Use strong cryptography and security protocols such as SSL/TLS, SSH or IPsec to safeguard sensitive cardholder data during transmission over open, public networks (for example the Internet, wireless technologies, GSM and GPRS communications). Ensure that wireless networks transmitting cardholder data, or connected to the cardholder data environment, use industry best practices (for example IEEE 802.11i) to implement strong encryption for authentication and transmission. The use of WEP as a security control is prohibited.
- Never send unprotected PANs by end-user messaging technologies such as e-mail, instant messaging or chat.
Requirements 5 and 6 together form the goal of maintaining a vulnerability management program. Vulnerability management is the process of proactively and consistently finding weaknesses in an entity's payment card infrastructure: weaknesses in security procedures, system design, implementation or internal controls that could be exploited to violate the system's security policy (Kidd, 2008).
Requirement 5: Use and regularly update anti-virus software or programs
Many vulnerabilities and malicious viruses enter the network through users' e-mail and other online activities. Anti-virus software must be used on all systems commonly affected by malware to protect them from current and evolving malicious software threats (Fernandes, 2015).
- Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
- Ensure that all anti-virus mechanisms are current, actively running and generating audit logs.
Requirement 6: Develop and maintain secure systems and applications
Security vulnerabilities in systems and applications may allow criminals to access PANs and other cardholder data. Many of these vulnerabilities are eliminated by installing vendor-provided security patches, which perform a quick fix to a specific piece of program code. All critical systems must have the most recently released software patches installed to prevent exploitation. Entities should apply patches to less-critical systems as soon as possible, based on a risk-based vulnerability management program. Secure coding practices for developing applications, change control procedures and other secure software development practices should always be followed (Gikas, 2010).
- Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical patches within 30 days of release.
- Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities. Risk rankings should be based on industry best practices. Ranking vulnerabilities is considered a best practice until it becomes a requirement on 1 July 2012.
- Develop software applications in accordance with PCI DSS and based on industry best practices, and incorporate information security throughout the software development life cycle.
- Follow change control processes and procedures for all changes to system components.
- Develop applications based on secure coding guidelines and review custom application code to identify coding vulnerabilities. Follow up-to-date industry best practices to identify and manage vulnerabilities (McShane, Gregory and Wilson, 2016).
- Ensure that all public-facing web applications are protected against known attacks, either by reviewing the code for vulnerabilities at least annually or by installing a web application firewall in front of public-facing web applications (Marïen, 2010).
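As an added example (not part of the original proposal) of the kind of coding vulnerability a Requirement 6 code review or a web application firewall is meant to catch, the block below puts a deliberately vulnerable query beside its parameterised fix. It uses an in-memory SQLite table standing in for a merchant's order store; the rows, customer ids and the injection payload are constructed for the demonstration.

```python
"""SQL injection: the vulnerable query and its fix (added example for
Requirement 6; not code from the original proposal). The table, its rows
and the payload are constructed test data."""
import sqlite3

# Constructed sample data. PANs are stored truncated, as Requirement 3
# expects, so even the vulnerable path cannot leak a full PAN.
_ROWS = [
    ("cust-1001", "ORD-1", "****1111", 12.50),
    ("cust-1001", "ORD-2", "****1111", 99.00),
    ("cust-2002", "ORD-3", "****0004", 5.25),
]

# Classic tautology payload, constructed for the demo.
PAYLOAD = "x' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Build the in-memory order store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (customer_id TEXT, order_id TEXT, pan_trunc TEXT, amount REAL)"
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", _ROWS)
    return conn


def lookup_orders_vulnerable(conn, customer_id: str):
    """Deliberately vulnerable: user input is pasted into the SQL text, so a
    customer id containing a quote rewrites the WHERE clause."""
    sql = ("SELECT order_id, pan_trunc, amount FROM orders WHERE customer_id = '%s'"
           % customer_id)
    return conn.execute(sql).fetchall()


def lookup_orders_safe(conn, customer_id: str):
    """Hardened: the value travels as a bound parameter and is never parsed as
    SQL, so the same payload simply matches no customer."""
    sql = "SELECT order_id, pan_trunc, amount FROM orders WHERE customer_id = ?"
    return conn.execute(sql, (customer_id,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print(len(lookup_orders_vulnerable(conn, PAYLOAD)))  # every customer's orders
    print(len(lookup_orders_safe(conn, PAYLOAD)))        # nothing: treated as a literal id
```

A reviewer looking for this pattern searches for string formatting or concatenation feeding `execute`; the fix is always the same, bind the value as a parameter and keep the query text constant.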
3.1.3 Implement Strong Access Control Measures
Access should be granted on a business need-to-know basis. Physical access controls include the use of locks or restricted access to paper-based cardholder records and system hardware. Access controls allow merchants to permit or deny the use of physical or technical means to reach the PAN and other cardholder data. Logical access controls protect PIN entry devices, wireless networks, PCs and other devices, and control access to the digital files that contain cardholder data (New PCI DSS hurdles loom, 2010).
Requirement 7: Restrict access to cardholder data by business need to know
To ensure that critical data can only be accessed by authorised personnel, systems and processes must be in place to limit access based on need to know and according to job responsibilities. Need to know means that access rights are granted to only the least amount of data and privileges needed to perform a job (pcidss, 2019).
- Limit access to cardholder data and system components to only those individuals whose job requires such access.
- Establish an access control system for system components with multiple users that restricts access based on a user's need to know and is set to "deny all" unless specifically allowed (Morse and Raval, 2008).
Requirement 8: Assign a unique ID to each person with computer access
Assigning a unique identification to each person with access ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorised users. These requirements apply to all accounts, including point-of-sale accounts, accounts with administrative capabilities and all accounts with access to stored cardholder data.
- Assign all users a unique user name before allowing them to access system components or cardholder data (Kaufman, 2013).
- Employ at least one of the following methods to authenticate all users: something you know, such as a password or passphrase; something you have, such as a token device or smart card; or something you are, such as a biometric.
- Implement two-factor authentication for remote network access by employees, administrators and third parties, for example using technologies such as remote authentication and dial-in service (RADIUS) with tokens, terminal access controller access control system (TACACS) with tokens, or other technologies that facilitate two-factor authentication. Using one factor twice (for example two separate passwords) is not considered two-factor authentication (New version of PCI DSS makes only minor changes, 2010).
- Render all passwords unreadable during storage and transmission, for all system components, using strong cryptography.
- Ensure proper user identification and authentication management for non-consumer users and administrators on all system components (Kurose and Ross, n.d.).
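An added example (not from the original proposal) of the Requirement 8 points above in code: unique, non-generic user IDs; passwords stored only as salted PBKDF2-HMAC-SHA256 hashes so they are unreadable at rest; an HOTP token (RFC 4226) as the "something you have" factor; and a remote-login check that rejects two factors of the same kind. The users, secrets, the list of disallowed generic IDs and the PBKDF2 work factor are assumptions made for the example; the HOTP test secret is the one from RFC 4226.

```python
"""Requirement 8 in code (added example; not from the original proposal).
All users, secrets and the work factor below are constructed assumptions."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000                      # assumed floor; raise as hardware allows
GENERIC_IDS = {"admin", "root", "shared", "pos"}   # assumed list of forbidden shared IDs
FACTOR_KIND = {"password": "know", "otp_token": "have"}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class UserStore:
    def __init__(self):
        self._users = {}   # user_id -> {"salt", "pw_hash", "token_secret", "counter"}

    def add_user(self, user_id: str, password: str, token_secret: bytes) -> None:
        """8.1: one unique, personal ID per user; the clear-text password is never kept."""
        if user_id in self._users or user_id.lower() in GENERIC_IDS:
            raise ValueError("user id must be unique and personal")
        salt = os.urandom(16)
        self._users[user_id] = {
            "salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
            "token_secret": token_secret,
            "counter": 0,
        }

    def check_password(self, user_id: str, password: str) -> bool:
        """8.2.1: compare salted PBKDF2 hashes in constant time; do the same work
        for unknown IDs so they are not distinguishable by timing."""
        rec = self._users.get(user_id)
        salt = rec["salt"] if rec else b"\0" * 16
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return rec is not None and hmac.compare_digest(cand, rec["pw_hash"])

    def check_hotp(self, user_id: str, code: str, window: int = 10) -> bool:
        """Accept the next `window` counter values; a used code cannot be replayed."""
        rec = self._users.get(user_id)
        if rec is None:
            return False
        for c in range(rec["counter"], rec["counter"] + window):
            if hmac.compare_digest(hotp(rec["token_secret"], c), code):
                rec["counter"] = c + 1
                return True
        return False


def remote_login(store: UserStore, user_id: str, factors) -> bool:
    """8.3: every presented factor must verify AND the factors must span two
    different kinds. Two correct passwords are still one factor."""
    kinds = set()
    # Check passwords first so a bad password does not burn a token code.
    for name, value in sorted(factors, key=lambda f: f[0] != "password"):
        if name == "password":
            ok = store.check_password(user_id, value)
        elif name == "otp_token":
            ok = store.check_hotp(user_id, value)
        else:
            ok = False
        if not ok:
            return False
        kinds.add(FACTOR_KIND[name])
    return len(kinds) >= 2
```

The replay protection in `check_hotp` matters in practice: a captured one-time code must not be usable a second time, otherwise the "something you have" factor degrades into a second password.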
Requirement 9: Restrict physical access to cardholder data
Any physical access to data or systems that house cardholder data gives an individual the opportunity to access or remove devices, data, systems or hard copies, and must be appropriately restricted. "Onsite personnel" are full- and part-time employees, temporary employees, contractors and consultants who are physically present on the entity's premises. "Visitors" are vendors and guests who enter the facility for a short duration, usually up to one day. "Media" is all paper and electronic media containing cardholder data (PCI DSS appears to reduce breaches, 2011).
- Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
- Develop procedures to easily distinguish between onsite personnel and visitors, especially in areas where cardholder data is accessible.
- Make sure all visitors are authorised before entering areas where cardholder data is processed or maintained; are given a physical token that expires and that identifies them as not onsite personnel; and are asked to surrender the token before leaving the facility or at the date of expiration (MacDonald and Beech, 2008).
- Use a visitor log to maintain a physical audit trail of visitor activity and information, including the visitor's name, the firm represented, and the onsite personnel authorising physical access. Retain the log for at least three months unless otherwise restricted by law.
- Store media backups in a secure location, preferably off site.
- Physically secure all media.
- Maintain strict control over the internal or external distribution of any kind of media.
- Classify media so that the sensitivity of the data can be determined.
- Ensure that management approves any media moved from a secured area, especially when media is distributed to individuals (PCI DSS survey shows encryption is tops when it comes to end-to-end security, 2010).
- Maintain strict control over the storage and accessibility of media.
- Destroy media when it is no longer needed for business or legal reasons.
3.1.4 Regularly Monitor and Test Networks
Physical and wireless networks are the glue connecting all the endpoints and servers in the payment infrastructure. Vulnerabilities in network devices and systems present opportunities for criminals to gain unauthorised access to payment card applications and cardholder data. To prevent exploitation, organisations must regularly monitor and test their networks to find and fix vulnerabilities (searchcompliance.techtarget.com, 2019).
Requirement 10: Track and monitor all access to network resources and cardholder data
Logging mechanisms and the ability to track user activities are critical for effective forensics and vulnerability management. The presence of logs in all environments allows thorough tracking and analysis if something goes wrong. Determining the cause of a compromise is very difficult without system activity logs (Peterson, 2010).
- Establish a process for linking all access to system components to each individual user, especially access performed with administrative privileges.
- Implement automated audit trails for all system components to reconstruct the following events: all individual user accesses to cardholder data; all actions taken by any individual with root or administrative privileges; access to all audit trails; invalid logical access attempts; use of identification and authentication mechanisms; initialisation of the audit logs; and creation and deletion of system-level objects (Rees, 2010).
- Record audit trail entries for all system components for each event, including at a minimum: user identification, type of event, date and time, success or failure indication, origination of the event, and identity or name of the affected data, system component or resource (Mishra, n.d.).
- Use time synchronisation technology to synchronise all critical system clocks and times, and implement controls for acquiring, distributing and storing time.
- Secure audit trails so that they cannot be altered.
- Review logs for all system components related to security functions at least daily.
- Retain audit trail history for at least one year; at least three months of history must be immediately available for analysis.
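The block below is an added example, not code from the original proposal, of an audit trail that satisfies the record content and the "cannot be altered" points above. Each record carries the six required fields and is chained to the previous record by an HMAC, so editing or deleting an entry breaks the chain and the verifier reports where; a small daily-review function summarises failed logons and privileged actions. The events, host addresses and the chain key are constructed; in a real deployment the key lives on the central log server, not on the host producing the events.

```python
"""A tamper-evident audit trail for Requirement 10 (added example; not code
from the original proposal). Events and the chain key are constructed."""
import hashlib
import hmac
import json

CHAIN_KEY = b"assumed-log-server-key"   # assumption: held by the log collector only
GENESIS = "0" * 64
REQUIRED = ("user_id", "event_type", "timestamp", "result", "origin", "resource")


def _mac(prev_mac: str, body: dict) -> str:
    """HMAC over the previous record's MAC plus this record's canonical JSON."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(CHAIN_KEY, prev_mac.encode() + payload, hashlib.sha256).hexdigest()


def append_record(log: list, **fields) -> dict:
    """Append one event; refuses records missing any of the 10.3 fields."""
    missing = [k for k in REQUIRED if not fields.get(k)]
    if missing:
        raise ValueError("audit record missing %s" % missing)
    prev = log[-1]["mac"] if log else GENESIS
    rec = dict(fields)
    rec["prev"] = prev
    rec["mac"] = _mac(prev, fields)
    log.append(rec)
    return rec


def verify_chain(log: list) -> int:
    """Return the index of the first record whose link is broken, or -1 if intact.
    A modified field changes that record's MAC; a deleted record makes the next
    record's `prev` point at a MAC that is no longer there."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k not in ("prev", "mac")}
        if rec.get("prev") != prev or not hmac.compare_digest(rec.get("mac", ""), _mac(prev, body)):
            return i
        prev = rec["mac"]
    return -1


def daily_review(log: list) -> dict:
    """10.6-style summary: failed logons per user and every privileged action."""
    failed, privileged = {}, []
    for rec in log:
        if rec["event_type"] == "logon" and rec["result"] == "failure":
            failed[rec["user_id"]] = failed.get(rec["user_id"], 0) + 1
        if rec["event_type"].startswith("admin."):
            privileged.append((rec["timestamp"], rec["user_id"], rec["event_type"], rec["resource"]))
    return {"failed_logons": failed, "privileged_actions": privileged}


def sample_log() -> list:
    """Constructed events from a fictitious point-of-sale host (UTC timestamps)."""
    log = []
    append_record(log, user_id="alice", event_type="logon", timestamp="2019-04-21T08:00:01Z",
                  result="success", origin="10.0.1.15", resource="pos-app")
    append_record(log, user_id="bob", event_type="admin.config_change", timestamp="2019-04-21T08:05:42Z",
                  result="success", origin="10.0.1.20", resource="/etc/pos/pos.conf")
    for n in range(3):
        append_record(log, user_id="mallory", event_type="logon", timestamp="2019-04-21T08:1%d:00Z" % n,
                      result="failure", origin="203.0.113.9", resource="pos-app")
    append_record(log, user_id="alice", event_type="cardholder_data_access", timestamp="2019-04-21T08:20:10Z",
                  result="success", origin="10.0.1.15", resource="orders_db")
    return log
```

The chain only proves integrity relative to the key holder: an attacker with root on the host that writes the records but without the collector's key can still delete the tail of the log, which is why the records are shipped to a separate system and the review compares sequence counts there.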
Requirement 11: Regularly test security systems and processes
Vulnerabilities are continually being discovered by malicious individuals and researchers, and introduced by new software. System components, processes and custom software should be tested frequently to ensure that security is maintained over time. Testing of security controls is especially important for any environmental change, such as deploying new software or changing system configurations (Olups, 2010).
- Test for the presence of wireless access points and detect unauthorised wireless access points on a quarterly basis. Common methods are wireless network scans, physical inspection of system components and infrastructure, network access control (NAC), or wireless IDS/IPS (Williams, 2010).
- Run internal and external network vulnerability scans at least quarterly and after any significant change in the network. After passing a scan for initial PCI DSS compliance, an entity must, in subsequent years, pass four consecutive quarterly scans as a requirement for compliance. Quarterly external scans must be performed by an Approved Scanning Vendor (ASV). Scans conducted after network changes may be performed by internal staff.
- Perform external and internal penetration testing, including network- and application-layer penetration tests, at least annually and after any significant infrastructure or application upgrade or modification.
- Use network intrusion detection and/or intrusion prevention systems to monitor all traffic at the perimeter of the cardholder data environment as well as at critical points inside it, and alert personnel to suspected compromises. Keep all intrusion detection and prevention engines, baselines and signatures up to date (Singh, 2010).
- Deploy file integrity monitoring tools to alert personnel to unauthorised modification of critical system files, configuration files or content files. Configure the software to perform critical file comparisons at least weekly.
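As an added example (not from the original proposal) of the file integrity monitoring point above, the block below records a SHA-256 and permission mode for every file under a directory, then compares a later snapshot against that baseline and reports modified, added and removed files. The monitored directory and its files are constructed in a temporary location by `demo`; a real deployment stores the baseline somewhere the monitored host cannot alter it, which is assumed here rather than implemented.

```python
"""Minimal file integrity monitor for Requirement 11.5 (added example; not
code from the original proposal). The files it checks are constructed."""
import hashlib
import os
import tempfile


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: str) -> dict:
    """Map relative path -> (sha256, mode) for every regular file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            rel = os.path.relpath(p, root).replace(os.sep, "/")
            out[rel] = (_sha256(p), os.stat(p).st_mode & 0o777)
    return out


def compare(old: dict, new: dict) -> dict:
    """Diff two snapshots; a changed hash or mode counts as modified."""
    return {
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
    }


def demo() -> dict:
    """Build a constructed /etc-like tree, take a baseline, then apply the kind
    of changes an intrusion leaves behind and return the comparison."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "pos.conf"), "w") as f:
            f.write("tls_min=1.2\n")
        with open(os.path.join(etc, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        before = baseline(root)

        # Simulated unapproved changes: weakened config, dropped file, deleted file.
        with open(os.path.join(etc, "pos.conf"), "w") as f:
            f.write("tls_min=1.0\n")
        with open(os.path.join(etc, "backdoor.sh"), "w") as f:
            f.write("#!/bin/sh\n")
        os.remove(os.path.join(etc, "hosts"))
        return compare(before, baseline(root))


if __name__ == "__main__":
    print(demo())
```

Run weekly (or more often) against the critical paths, the output is exactly what the requirement wants raised as an alert; the approved change process closes the loop by updating the baseline after each sanctioned change so that only unexpected differences remain.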
3.1.5 Maintain an Information Security Policy
A strong security policy sets the security tone for the whole organisation and informs employees of their expected duties related to security. All employees should be aware of the sensitivity of cardholder data and of their responsibilities for protecting it.
Requirement 12: Maintain a policy that addresses information security for all personnel
- Establish, publish, maintain and disseminate a security policy that addresses all PCI DSS requirements, includes an annual process for identifying vulnerabilities and formally assessing risks, and includes a review at least once a year and whenever the environment changes.
- Develop daily operational security procedures that are consistent with the PCI DSS requirements.
- Develop usage policies for critical technologies and define their proper use by all personnel. These include remote access, wireless, laptops, tablets, e-mail, handheld devices, the Internet and removable electronic media.
- Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.
- Assign to an individual or team the information security responsibilities defined in the sub-sections.
- Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.
- Screen potential personnel prior to hire to minimise the risk of attacks from internal sources. Background checks include previous employment history, criminal record, credit history and reference checks (Vazão, Freire and Chong, 2008).
3.2 Requirements for Data at Rest and Data in Transit
Definition of Data in Transit versus Data at Rest
Data in transit, or data in motion, is data actively moving from one location to another, for example across the Internet or through a private network. Data at rest is data that is not moving, such as files held on a disk or records in a database. Protecting sensitive data in both states is essential for modern enterprises, as attackers keep finding new ways to compromise networks and steal data.
The Role of Encryption for Data Protection at Rest and in Transit
There are many different approaches to protecting data in transit and at rest. Encryption plays a major role in data protection and is a popular tool for securing data in both states. Data can be exposed to risk both in transit and at rest and requires protection in both. To protect data at rest, enterprises can encrypt sensitive files before storing them, or encrypt the storage drive itself. To protect data in transit, enterprises typically encrypt sensitive data before moving it, or use encrypted connections (HTTPS, SSL, TLS, FTPS and so on) to protect the contents while they travel.
Best Practices for Data Protection in Transit and at Rest
Unprotected data leaves enterprises vulnerable to attack, whether it is in motion or at rest. There are, however, effective security measures that offer robust data protection across endpoints and networks for data in both states. As noted above, encryption is one of the best data protection methods for both data in motion and data at rest. Additional recommended measures for robust protection of data in both states are:
- Implement strong network security controls to help protect data in transit. Network security solutions such as firewalls and network access control help secure the networks used to transmit data against malware attacks and intrusions.
- Do not rely on reactive security alone to keep valuable company data from being exfiltrated. Use proactive measures that identify at-risk data and apply effective protection to it, whether it is in motion or at rest.
- Choose data protection solutions with policies that enable user prompting, blocking or automatic encryption for sensitive data in motion, for instance when files are attached to an e-mail message or moved to cloud storage, removable drives or transferred elsewhere.
- Create policies for systematically categorising and classifying all company data, wherever it resides, so that the right protection measures can be applied and so that protection is triggered when data classified as at-risk is accessed, used or transferred.
- Finally, if you use a public, private or hybrid cloud provider to store data or applications, carefully evaluate the provider on the security measures it offers, but do not rely on the cloud service to secure your data. Who has access to your data, how it is encrypted, and how often it is backed up are all critical questions to ask.
Although the risk profiles for data in transit and data at rest differ slightly, the inherent risk depends mostly on the sensitivity and value of the data. Attackers will try to reach valuable data whether it is at rest, in motion or actively in use, depending on which state is easiest to breach. That is why a proactive approach that classifies data and combines it with content-, user- and context-aware security policies is the safest and most effective way to protect your most sensitive data in every state.
Chapter 4: Methodology/approach
4.1 PCI DSS Methodology
The methodology for PCI DSS is illustrated below.
Figure 2 PCI DSS Methodology
The PCI DSS methodology has the following steps:
Step 1: Identify data security issues
Step 2: Secure data in transit and at rest
Step 3: Identify and analyse risks
Step 4: Analyse traffic
Step 5: Identify suitable controls
These are discussed below.
4.1.1 Data security issues
Under PCI DSS Requirement 3, merchants and financial institutions are required to protect their customers' personal data with strong cryptography. Insecure arrangements will not pass the assessment. A typical risk management program can be organised in three phases (Purehacking.com, 2019):
- Identify every known risk and record and describe it in a risk register. For example, hardware security modules (HSMs) used in the cryptographic key management process present their own particular risks if they are compromised, whether physically or logically. HSMs form a root of trust within the system, and although it is unlikely, a compromised HSM could compromise the whole system (Secureworks.com, 2019).
- Develop a risk management program to analyse every identified risk. The analysis should combine qualitative and quantitative methods to determine which risk treatment strategies will reduce the likelihood of the risks. For example, an organisation may compare the risk of using a cloud HSM against that of a physical device it operates on site (Federal Trade Commission, 2019).
- Treat the risks in light of the risk analysis just performed. For example, applying a specific treatment to protect customer data stored in a cloud HSM, as opposed to ensuring both physical and logical security for an on-premises HSM, could involve implementing controls or purchasing insurance to keep risk at an acceptable level (PCI DSS, 2011). Continuous monitoring and review are part of the process of reducing PCI DSS cryptography risks. This includes support plans and predefined escalation and recovery plans for when security weaknesses are found (Data security handbook, 2008).
Cryptography was originally developed to protect communications, that is, data in transit (or data in motion). Ensuring that messages exchanged between senders and receivers were protected from unwanted interception was, and still is, the central goal of any cryptographic system. However, the use cases and requirements for encryption have expanded considerably over the last few decades, largely because of the growth of IP networking in general and of sectors such as e-commerce in particular (SecurityMetrics, 2019).
For everyone from retailers to healthcare organisations, it is usually no longer sufficient to protect data only while it is in transit. Data at rest must also be protected, to meet the requirements of standards such as the Payment Card Industry Data Security Standard, or to streamline compliance with country-specific legislation such as the Health Insurance Portability and Accountability Act in the U.S. Organisations must do so even as the variety and volume of data exchange continue to grow sharply (Caldwell, 2013).
Encrypting data at rest and encrypting data in transit are two distinct tasks, each with its own set of best practices and tools, although there is some overlap. Public key infrastructure (PKI) and trusted identity ecosystems are important solutions for data security, and for ensuring that data is ultimately as secure as possible regardless of where it is (itgovernance.co.uk, 2019).
Data in Transit: Encrypting Assets as They Traverse Networks
Securing data in transit means securing data as it crosses a network. The IP suite is full of protocols (HTTP, FTP and Telnet, to name some of the most commonly used) that transmit data in plaintext, which means that anyone monitoring or intercepting the traffic can read its contents. This can lead to unauthorised access to sensitive resources and to costly data breaches. The essential tool for closing these gaps is encryption. The protocols mentioned above have encrypted equivalents, namely HTTPS, FTPS and SSH (Secure Shell). In recent years the growth of HTTPS traffic has been especially pronounced: Google alone reported that 77 percent of requests sent to its servers worldwide were encrypted as of February 2016, up from 52 percent at the end of 2013 (Ubuntu Netbooks, 2010).
Both symmetric and asymmetric encryption may be used to protect data in transit. Symmetric encryption is not very demanding in terms of computational resources and is relatively fast, which is its main advantage. Asymmetric encryption often involves exponentiation and therefore needs more processing power. Widely used protocols such as SSL/TLS use both: symmetric encryption for the bulk data and asymmetric encryption for the key exchange (blog.pcisecuritystandards.org, 2019).
Other forms of encryption beyond SSL/TLS are used to further protect in-transit data such as e-mail. S/MIME and OpenPGP are two examples; the exact combination of standards will depend on the compatibility requirements and the specific e-mail services in play. With authentication and digital signatures, end-to-end e-mail encryption through a PKI-based solution is also an attractive option for organisations with strict rules for e-mail integrity. How data in motion is secured will depend on the type of communication (internal, business-to-business and so on) and on the characteristics of the data being exchanged (for example, whether it is privileged).
Data at Rest: Protecting Payment Card Data and Other Stored Assets
Data sitting on a hard disk drive somewhere is probably the most relatable example of data at rest. Encrypting this kind of data is the protection that remains if the physical device housing it is lost or stolen (blog.pcisecuritystandards.org, 2019).
For attackers, the path of least resistance often means going after data at rest, since much of it has traditionally been unencrypted and of high value. Payment card numbers for e-commerce transactions, along with other financial data sitting in company databases, are among the most common at-rest targets (Raggi, Thomas and Vugt, 2011).
Encrypting data at rest presents some significant challenges:
- Some data at rest, such as a credit card database, is queried many thousands of times a day, and the performance of such databases can be degraded by the presence of cryptography.
- Implementing a full PKI to secure files, folders and whole disks is often seen as an expensive and complex undertaking (onlinetech.com, 2019).
- Regulations such as PCI DSS stipulate what kinds of data may and may not be stored, and what protections should be extended to them. Storing this kind of data brings a system into scope (Pcisecuritystandards.org, 2019).
- Full-disk encryption solutions for platforms and various public cloud services have emerged recently as encryption of data at rest has become a bigger concern for organisations, yet many organisations still forgo this important measure. Pursuing a security strategy built on proven principles such as encryption, authentication, digital signatures and trusted identities is the ideal way forward.
Strong user authentication, authorisation and full-disk encryption are useful for automatically protecting the entire contents of a hard disk from unauthorised access without affecting user productivity. Data must be protected from prying eyes and kept exclusively for its intended recipients and properly authorised people, whether it is in transit or at rest (searchfinancialsecurity.techtarget.com, 2019). By securing digital identities and data with proven security solutions, your organisation can ensure that it complies with the relevant standards and regulations and avoids the damage of a data breach.
Encryption of Data at Rest
An encrypted file system can be created so that all data and metadata are encrypted at rest using the industry-standard AES-256 algorithm. Encryption and decryption are handled automatically and transparently, so applications do not need to be changed. Creating an encrypted file system is recommended if the business is subject to corporate or regulatory policies that require encryption of data and metadata at rest (pcicompliance.stanford.edu, 2019).
Encryption of Data in Transit
Using Transport Layer Security 1.2 (TLS, the successor to Secure Sockets Layer [SSL]) with the industry-standard AES-256 cipher, a file system can be mounted so that all NFS traffic is encrypted in transit. Data exchanged over the wire is protected by TLS, a set of industry-standard cryptographic protocols; AES-256 (a 256-bit cipher) is used for the data transmission. Enabling encryption in transit for every client that accesses the file system is recommended if the organisation is subject to corporate or regulatory policies that require encryption of data and metadata in transit (searchsecurity.techtarget.com, 2019).
Using Encryption of Data in Transit
Encryption of data in transit adds another layer of security to the system and is configured at the connection level. To establish a TLS 1.2 tunnel between the client and the Amazon EFS service, and to route all NFS traffic over that encrypted tunnel, the file system is mounted with the EFS mount helper. The certificate used to establish the encrypted TLS connection is issued by the Amazon Certificate Authority (CA), and these certificates are trusted by most modern Linux distributions. The EFS mount helper also acts as a watchdog process that monitors the secure tunnel to each file system and makes sure it keeps running. Once the EFS mount helper is used for encryption and for connections to Amazon EFS, no further user input or configuration is required (clearent.com, 2019). Encryption is transparent to client connections and to applications accessing the file system. When the file system has been mounted and an encrypted connection to EFS established with the mount helper, the output of the mount command shows that the file system is mounted and that the encrypted tunnel has been set up via the local host (PCI Compliance Guide, 2019).
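The transit-encryption requirement above is usually enforced on the client side by refusing anything weaker than TLS 1.2. The following is an added example written for this discussion, not code from the original proposal or from AWS: it builds the weak client setting beside the corrected one using Python's standard ssl module and checks a context against the PCI DSS 4.1 position that SSL and early TLS (TLS 1.0) are not strong cryptography (the migration deadline was 30 June 2018). Rejecting TLS 1.1 as well is this example's own, stricter choice.

```python
"""Added example: minimum-TLS-version enforcement for any client that carries
cardholder data. Not from the original proposal or from AWS documentation."""
import ssl
from typing import List, Optional

# Protocol names as returned by SSLSocket.version(). SSLv2, SSLv3 and TLS 1.0 are
# prohibited by PCI DSS 4.1; TLS 1.1 is still tolerated by the standard but is
# deprecated (RFC 8996), so this example treats it as unacceptable too.
_PCI_ACCEPTABLE = {"TLSv1.2", "TLSv1.3"}


def is_pci_acceptable(negotiated_version: str) -> bool:
    """True if a negotiated protocol version is acceptable for CHD in transit."""
    return negotiated_version in _PCI_ACCEPTABLE


def legacy_client_context() -> ssl.SSLContext:
    """The weak setting: tries to allow TLS 1.0, does not verify the server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except (ValueError, ssl.SSLError):
        pass  # OpenSSL built without TLS 1.0: the library itself refuses it
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def pci_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """The corrected setting: TLS 1.2 or newer, certificate and hostname verified."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cafile:
        ctx.load_verify_locations(cafile=cafile)  # e.g. the private CA of the CDE
    else:
        ctx.load_default_certs()
    return ctx


def context_meets_pci(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings for a context; an empty list means it passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows SSL/early TLS")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    return findings


if __name__ == "__main__":
    print("legacy:", context_meets_pci(legacy_client_context()))
    print("pci:", context_meets_pci(pci_client_context()))
```

The same check belongs in the QSA evidence pack: a context that passes context_meets_pci is what the "encryption in transit" claim above actually rests on, and the negotiated version reported by the socket should be fed through is_pci_acceptable rather than assumed.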
4.1.2 Risks
Specialist consultants have many years' experience working with PCI DSS and other risk assessment approaches, which means a risk assessment process aligned with the business and its compliance requirements can be set up quickly (imperva.com, 2019).
Such a flexible service can be tailored to organisations of all sizes and industry types, and includes (Pale, 2012):
Use of industry-accepted frameworks. The consultants work with the organisation to identify and recommend the framework best suited to it; they have expertise in many methodologies, including ISO 27005, ISO 31000 (which has replaced AS/NZS 4360), OCTAVE, FAIR and NIST SP 800-30.
Identification of all assets within the CDE
Identification of threats to those assets
A Business Impact Analysis to understand the value of the assets
Identification and assessment of vulnerabilities that could potentially expose the assets
A formal risk assessment report that records the results of the risk assessment
A Risk Register of the results that can be imported into the existing risk management framework or used for ongoing risk management
A Risk Remediation Plan. For any non-compliant PCI DSS requirements, remediation items are prioritised according to the Prioritized Approach to PCI DSS. Security controls from standards other than PCI DSS can also be incorporated if additional controls are necessary
A documented Risk Management Methodology that defines the full process (Ferranti, 2019).
The guidelines mention the same three risk assessment methodologies named in PCI DSS itself (OCTAVE, ISO 27005 and NIST SP 800-30) and also clarify that other frameworks, such as the Factor Analysis of Information Risk (FAIR) and the Australian/New Zealand Standard AS/NZS 4360, may be used (legalvision.com.au, 2019). They go on to outline some core activities that should be part of any risk assessment (pcicomplianceguide.org, 2019):
Enumerating the organisation's critical information assets
Identifying the threats that exist to those assets
Identifying the vulnerabilities that, when combined with a threat, may create a risk to the organisation
Developing risk management strategies for each of the risks identified in the assessment
Any process that incorporates these core elements should withstand the scrutiny of an auditor, so merchants are free to choose the risk assessment approach that best suits their business requirements and organisational culture (securitymetrics, 2019).
Documenting risk assessment
The guidelines propose that the risk assessment should produce a formal written risk assessment report. Of course, the PCI DSS testing procedures require that QSAs "review risk assessment documentation to verify that the risk assessment process is performed at least annually", so this recommendation is really a mandate. Compliance professionals should pay particular attention to the elements the Council recommends including in the report (pcicompliance, 2019):
Scope of hazard appraisal
Asset stock
Threats
Vulnerabilities
Risk assessment
Risk treatment
Version history
Executive summary
As with any recommendation from the Council, it would be wise for merchants to follow this format in their organisations, perhaps going so far as to name the sections of the report with these titles word for word. No auditor can comment that the report omits a required element if the organisation follows the Council's recommendation almost verbatim.
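The core activities listed earlier (assets, threats, vulnerabilities, treatment) and the report sections recommended here can be carried through as one small worked example. The code below is an added illustration written for this proposal, not a tool from the Council or from any of the consultancies cited: it scores each asset/threat/vulnerability triple with a NIST SP 800-30 style qualitative likelihood-by-impact matrix, decides a treatment, and renders a report whose section titles are the Council's own. The assets, threats and scores are constructed for the Mountain Warehouse case study and are not findings about any real system.

```python
"""Added example: a minimal PCI DSS risk register and report. Sample values
are constructed; the scoring bands are this example's own choice."""
from dataclasses import dataclass
from typing import List

LEVELS = {"low": 1, "moderate": 2, "high": 3}


@dataclass
class Risk:
    asset: str            # asset inventory entry (inside the CDE)
    threat: str           # threat source or event
    vulnerability: str    # weakness the threat could exploit
    likelihood: str       # low / moderate / high
    impact: str           # low / moderate / high
    pci_requirement: str  # PCI DSS requirement the control maps to
    treatment: str = ""   # filled in by assess()

    @property
    def score(self) -> int:
        """Likelihood x impact, 1..9."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]


def rating(score: int) -> str:
    """Map a 1..9 score onto the three bands used in the register."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "moderate"
    return "low"


def assess(register: List[Risk]) -> List[Risk]:
    """Decide a treatment for each risk and order the register highest first.
    PCI caveat: a 'low' rating never excuses a PCI DSS requirement; the only
    way out of a requirement is a formally approved compensating control."""
    for r in register:
        band = rating(r.score)
        if band == "high":
            r.treatment = f"mitigate now: implement {r.pci_requirement} before the next assessment"
        elif band == "moderate":
            r.treatment = f"mitigate per remediation plan: {r.pci_requirement}"
        else:
            r.treatment = f"monitor; {r.pci_requirement} remains mandatory"
    return sorted(register, key=lambda r: r.score, reverse=True)


def report(register: List[Risk]) -> str:
    """Render the sections the Council recommends, titled verbatim."""
    ranked = assess(register)
    bands = [rating(r.score) for r in ranked]
    lines = ["Scope of risk assessment",
             "  Cardholder data environment (CDE) of the merchant",
             "Asset inventory"]
    lines += [f"  {a}" for a in sorted({r.asset for r in ranked})]
    lines.append("Threats")
    lines += [f"  {t}" for t in sorted({r.threat for r in ranked})]
    lines.append("Vulnerabilities")
    lines += [f"  {v}" for v in sorted({r.vulnerability for r in ranked})]
    lines.append("Risk assessment")
    lines += [f"  {r.score} ({rating(r.score)}) {r.asset}: {r.threat} via {r.vulnerability}"
              for r in ranked]
    lines.append("Risk treatment")
    lines += [f"  {r.asset}: {r.treatment}" for r in ranked]
    lines += ["Version history", "  1.0 initial assessment",
              "Executive summary",
              f"  {bands.count('high')} high, {bands.count('moderate')} moderate, "
              f"{bands.count('low')} low risks"]
    return "\n".join(lines)


# Constructed sample register (illustrative values only).
SAMPLE = [
    Risk("POS terminal", "malware via remote support tool", "unpatched OS", "high", "high", "Req 6.2"),
    Risk("Payment web server", "internet attacker", "SSLv2 still enabled", "moderate", "high", "Req 4.1"),
    Risk("Call-centre VoIP", "insider with LAN access", "unencrypted RTP", "moderate", "moderate", "Req 4.1"),
    Risk("Backup tapes", "theft in transit", "no encryption at rest", "low", "high", "Req 3.4"),
    Risk("Staff Wi-Fi (segmented)", "war driver", "guest SSID reachable", "low", "low", "Req 1.2.3"),
]

if __name__ == "__main__":
    print(report(SAMPLE))
```

The treatment strings carry the caution made below: even the lowest-rated entry is told that its requirement still applies, because PCI DSS has no "addressable" requirements that a risk rating can switch off.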
Incorporating the guidelines into a compliance programme
Many organisations already have formal risk assessment processes mandated by corporate governance requirements or other business practices. PCI DSS does not expect organisations to reinvent the wheel or to run a special process dedicated to meeting this requirement; the guidelines allow a great deal of flexibility. If an organisation is already conducting risk assessments, it simply needs to make sure that its assessment adequately covers cardholder data risk and meets the documentation requirements (bigcommerce.com, 2019).
On the other hand, organisations embarking on their first formal risk assessment should consider broadening its scope to cover a wider range of organisational assets. This will deliver additional value to the organisation and provide a way to prioritise PCI DSS-related efforts within the context of a larger risk picture.
A word of caution, however, for those thinking that the risk assessment process may save some work: as the guidelines point out, the risk assessment process may not be used to avoid PCI DSS security requirements or to bypass the compensating control process. Unlike some other laws and regulations (for example the HIPAA Security Rule), PCI DSS contains no "addressable" requirements that can be skipped if a risk assessment shows they may not be warranted. Organisations seeking an exemption from one or more requirements must still go through the formal compensating control approval process.
Overall, the newly released risk assessment guidelines do not impose any new obligations on merchants seeking to comply with PCI DSS. Rather, they clarify the existing requirements and give merchants several clearly documented options for satisfying their risk assessment obligations in a flexible way that meets business requirements (squareup.com, 2019).
Chapter 5: Implementation
In this chapter the method is applied to the Mountain Warehouse case study, a UK retail company. The implementation of the case study is discussed below.
Since the introduction of the PCI Data Security Standard, an ever-increasing number of organisations that store, process or transmit cardholder data have been working towards compliance with the standard.
Over time the PCI DSS has matured and come to be recognised as a framework with a solid basis in information security best practice.
There are still many organisations that are not yet fully compliant with the standard. Research conducted by Verizon in 2011 showed that the organisations that suffered a security breach were most likely those not yet compliant with the standard, with a much smaller number that had been found compliant at their previous assessment. It is important to note that compliance is not a one-time exercise. It is a continuous process, and organisations need to keep themselves compliant throughout the year rather than merely validating compliance at one particular point in time. Only in this way can they effectively protect their customer data from possible breach and ensure its integrity and security.
The annual PCI DSS assessment is only an indication of how well an organisation is complying at the time the assessment is made. It says nothing about the period between two annual assessments. To comply consistently with the PCI DSS requirements, an organisation needs a formal security programme that operates continuously and stays in place throughout.
The following are some of the best practices an organisation needs to adopt in order to implement and maintain PCI DSS compliance effectively:
Determine the Scope of PCI DSS Compliance
Before implementing PCI DSS in an organisation, it is essential to determine the scope of the implementation. As a minimum, identify every system involved in storing, processing and transmitting cardholder data, and identify all payment channels, locations and data flows.
Most organisations will limit the implementation of PCI controls to the identified systems; however, consideration should be given to the fact that the parties attempting to exfiltrate cardholder data will often use the organisation's weakest link to enter the network, using it as a foothold for lateral movement. It is much easier to attack vulnerabilities in internal systems if you are already inside the organisation's infrastructure.
Conduct a Gap Analysis
For each entity that falls within the scope of PCI DSS compliance, measure its current level of compliance against the requirements of the standard. This can be done with the help of the PCI Self-Assessment Questionnaire (SAQ), which will show which of your tools and systems are in place and which are falling behind.
Create Policies and Procedures
A set of formal policies and procedures must be developed to comply with the requirements of the standard, and they should be controlled and enforced within the organisation.
Train the Personnel
It is important that every individual involved in handling cardholder data is well aware of the PCI DSS requirements, and for this reason regular training should be given to new as well as existing employees.
Encrypt Sensitive Data
Payment card data should never be left unencrypted, whether it is being stored or transmitted via any medium. Sensitive data should always be protected with strong, approved cryptography; sensitive authentication data (full track data, card verification codes, PINs) must not be stored at all after authorisation, even in encrypted form.
Ensure Physical Security of Data
Physical security of data is as important as its security on an electronic system. Only authorised personnel should be allowed physical access to the data.
Encrypt Track Data
The encoded data on the magnetic stripe on the back of a payment card is known as track data. This data can be read by point-of-sale (POS) systems and must not be stored, as some POS systems collect it without informing the merchant. Attackers can easily access and exploit this data. Hence it is important for POS vendors to encrypt track data so that it is unreadable to third parties.
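A merchant cannot encrypt or delete track data it does not know it is holding, so the first practical step is to search logs and files for it. The scanner below is an added example written for this proposal, not code from the original page or from any PCI tool: it finds primary account numbers (PANs) and full track 2 records in text, filters false positives with the Luhn check, and masks what it reports in line with the first-six/last-four display rule of PCI DSS Requirement 3.3. The log lines are constructed, and the card number in them is the well-known Visa test number 4111 1111 1111 1111, not a real account.

```python
"""Added example: find PANs and track 2 data that should never be in a log.
Sample log is constructed; the PAN is a published test number."""
import re
from typing import List, Tuple

# 13 to 19 digits, optionally grouped with spaces or dashes, not inside a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2: ;PAN=YYMM SSS discretionary? (start sentinel, separator, expiry, service code)
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(digits: str) -> bool:
    """Luhn check; rejects timestamps, order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Display rule: at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> List[Tuple[str, str]]:
    """Return (finding_type, masked_pan) for every PAN or track 2 record in a line."""
    findings = []
    for m in TRACK2_RE.finditer(line):
        if luhn_ok(m.group(1)):
            findings.append(("track2", mask(m.group(1))))
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            continue
        # a PAN already reported inside a track 2 record is not a second finding
        if any(t == "track2" and p == mask(digits) for t, p in findings):
            continue
        findings.append(("pan", mask(digits)))
    return findings


def scan_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Scan a whole log; returns (line_number, finding_type, masked_pan)."""
    out = []
    for n, line in enumerate(lines, 1):
        for kind, masked in scan_line(line):
            out.append((n, kind, masked))
    return out


# Constructed sample: a POS debug log that should never have been written.
SAMPLE_LOG = [
    "2019-04-18 10:02:11 POS01 sale amount=19.99 order=20190418000123",
    "2019-04-18 10:02:12 POS01 DEBUG swipe=;4111111111111111=25121010000000000000?",
    "2019-04-18 10:02:13 POS01 auth ok pan=4111 1111 1111 1111 ref=9876543210",
    "2019-04-18 10:02:14 POS01 receipt printed for ****1111",
]

if __name__ == "__main__":
    for n, kind, masked in scan_log(SAMPLE_LOG):
        print(f"line {n}: {kind} {masked}")
```

Line 2 is the serious one: a full track 2 record after authorisation is a Requirement 3.2 failure regardless of encryption, whereas the PAN on line 3 is a Requirement 3.4 finding that encryption, truncation or tokenisation can address. The order number on line 1 is correctly ignored because it fails the Luhn check.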
Use Secured Wireless Connections
Wireless connections should always be secured with a strong key to limit any potential interception by an outside user. WEP is prohibited under PCI DSS; use WPA2 or later.
Review Audit Logs Regularly
System audit and security logs should be reviewed regularly to identify any possible non-compliance issues. Year after year the Verizon breach report has stated that indicators of a breach were consistently found in the accounting and audit logs of organisations that lost cardholder data. The vast majority of breaches left signs of compromise in the audit logs; had someone been looking, the breaches could have been detected and disrupted.
Reduce the Scope
To make the process of implementing PCI DSS easier, it is important to limit the initial scope of compliance. This reduces both the cost and the effort required to achieve compliance. Scope can be reduced by minimising the cardholder data environment (CDE). Anything involved in storing, processing or transmitting cardholder data forms part of the CDE. Reduction can be achieved either through network segmentation or through tokenisation.
Phase two can then look at extending the PCI controls to other organisational systems.
Regularly Update the Software
It is important to update all company software regularly to maintain protection against external threats. Vulnerabilities in existing software are a natural target for those attempting to reach cardholder data. Patching should be a routine activity on operating systems, databases, iMIS and other PCI-approved payment applications.
Implement a Layered Security System
A layered security system achieves a higher level of protection: if one defensive mechanism fails, the attack can still be stopped by the next layer, and so on. Different vendors are favoured for different layers; for example, using different firewall vendors at each layer will inhibit lateral movement if one vendor's product is compromised.
Follow the Mobile Payment Acceptance Guidelines
These guidelines issued by the PCI SSC are for organisations that have already implemented a PCI DSS compliant system within their infrastructure. They enable merchants and application developers to follow a set of best practices for accepting and processing payments through a mobile device. By following these guidelines, account data is protected when it is entered into a device and when it is being stored or processed.
Adopt Best Practices for Skimming Prevention
In the simplest terms, skimming is a process through which thieves steal credit or debit card data and use it for their own criminal purposes. Skimming usually happens at retail outlets or ATMs, where criminals steal the data using purpose-built tools and technology. The PCI Security Standards Council has issued a set of best practices for the prevention of skimming. It comprehensively describes the various scenarios and methods of skimming and how these can be prevented.
To make things easier to understand and implement, the PCI Security Standards Council has released a number of Best Practices and Guidelines documents that can help throughout the implementation of PCI DSS in an organisation. These include, but are not limited to, the following:
Skimming Prevention Best Practices
Risk Assessment Guidelines
Cloud Computing Guidelines
PCI Compliance Maintenance Best Practices
Tokenization Guidelines
5.1 Nmap
First, Nmap must be downloaded and installed on the system. On a Debian-based distribution it is installed with the command below:
sudo apt-get install nmap
Once installation is complete, running nmap on its own in the terminal prints its usage summary. [Screenshot omitted.]
A simple scan is then performed by giving Nmap the IP address of the target. [Screenshot omitted.]
The simple scan report shows that the host is up and is running a web service on port 80, the port for HTTP traffic. [Screenshot omitted.]
Two addresses (host1 and host2) can be scanned at once by listing both targets on the Nmap command line. The scan will take some time, and its speed depends on the network connection. [Screenshot omitted.]
Nmap also accepts input from a text file: the IP addresses are listed in a file and the file is passed to Nmap with the -iL option.
Type sudo su to become root, write the hostnames into the file one per line, save the file and run Nmap against it. [Screenshot omitted.]
Next, determining the target operating system is important because many exploits are specific to a particular platform. The host operating system is identified by OS fingerprinting (the -O option, which requires root privileges). [Screenshot omitted.]
To look for vulnerabilities on the most common ports for web servers and SSH (80 and 22), run
nmap -p 22,80 127.0.0.1/24
Nmap can also quickly discover all systems still running version 2 of the SSL protocol, which PCI DSS does not accept as strong cryptography, as this abridged output from such a scan shows.
# nmap -sV -p 443 --script sslv2 192.168.1.0/24
Starting Nmap 5.21 ( http://nmap.org ) at 2011-03-26 14:15 CDT
NSE: Script Scanning completed.
Nmap scan report for wx001.internal.net (192.168.1.7)
Host is up (0.019s latency).
PORT    STATE    SERVICE  VERSION
443/tcp closed   https
Nmap scan report for wx002.internal.net (192.168.1.17)
Host is up (0.063s latency).
PORT    STATE    SERVICE  VERSION
443/tcp open     ssl/http IBM HTTP Server (Based on Apache)
|_sslv2: server still supports SSLv2
Nmap scan report for wx768.internal.net (192.168.1.77)
Host is up (0.058s latency).
PORT    STATE    SERVICE  VERSION
443/tcp filtered https
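Turning scan output like this into an assessable finding list is a step the section leaves to the reader. The parser below is an added example written for this proposal (not part of Nmap and not code from the original page): it reads Nmap's normal output format, keeps the NSE script result attached to each port, and reports every open TLS port that still offers SSLv2 as a PCI DSS Requirement 4.1 failure. Filtered ports are flagged for a rescan from inside the CDE rather than passed, because a firewall in the path says nothing about the server behind it. The sample text is the abridged output from this section; its hostnames are the page's own, not real systems.

```python
"""Added example: parse Nmap normal output and derive PCI DSS 4.1 findings.
Sample output reproduced from the section above; not an Nmap component."""
import re
from typing import Dict, List

HOST_RE = re.compile(r"^Nmap scan report for (\S+?)(?: \((\d+\.\d+\.\d+\.\d+)\))?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
SCRIPT_RE = re.compile(r"^\|_?\s*(\S+?):\s*(.*)$")


def parse_nmap(text: str) -> List[Dict]:
    """One record per port line: host, ip, port, proto, state, service, version, scripts."""
    records: List[Dict] = []
    host = ip = None
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            ip = m.group(2) or host   # reverse DNS may be absent
            current = None
            continue
        m = PORT_RE.match(line)
        if m and host:
            current = {"host": host, "ip": ip, "port": int(m.group(1)), "proto": m.group(2),
                       "state": m.group(3), "service": m.group(4),
                       "version": (m.group(5) or "").strip(), "scripts": {}}
            records.append(current)
            continue
        m = SCRIPT_RE.match(line)
        if m and current is not None:
            # script output lines belong to the most recent port
            current["scripts"][m.group(1)] = m.group(2)
    return records


def pci_tls_findings(records: List[Dict]) -> List[str]:
    """Requirement 4.1: SSLv2 is not strong cryptography, so any open port that
    still offers it fails. Closed ports need no finding; filtered ones are
    unverified and must be rescanned from a vantage point inside the CDE."""
    findings = []
    for r in records:
        where = f"{r['host']} ({r['ip']}) {r['port']}/{r['proto']}"
        if r["state"] == "open" and "still supports SSLv2" in r["scripts"].get("sslv2", ""):
            findings.append(f"FAIL {where} {r['version']}: SSLv2 enabled")
        elif r["state"] == "filtered":
            findings.append(f"INFO {where}: filtered, rescan from inside the CDE")
    return findings


SAMPLE_OUTPUT = """\
Starting Nmap 5.21 ( http://nmap.org ) at 2011-03-26 14:15 CDT
NSE: Script Scanning completed.
Nmap scan report for wx001.internal.net (192.168.1.7)
Host is up (0.019s latency).
PORT STATE SERVICE VERSION
443/tcp closed https
Nmap scan report for wx002.internal.net (192.168.1.17)
Host is up (0.063s latency).
PORT STATE SERVICE VERSION
443/tcp open ssl/http IBM HTTP Server (Based on Apache)
|_sslv2: server still supports SSLv2
Nmap scan report for wx768.internal.net (192.168.1.77)
Host is up (0.058s latency).
PORT STATE SERVICE VERSION
443/tcp filtered https
"""

if __name__ == "__main__":
    for finding in pci_tls_findings(parse_nmap(SAMPLE_OUTPUT)):
        print(finding)
```

For a larger estate the same logic is better fed from nmap -oX output parsed with xml.etree, but the normal-format parser is enough to show what the evidence for a Requirement 4.1 finding has to contain: host, port, the negotiated service, and the script result that proved SSLv2 was offered.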
5.2 WinPcap
To look for weaknesses relevant to credit card fraud detection with WinPcap, use the following steps. First download and install WinPcap, then choose the network interface on which to capture packets. [Screenshot omitted.]
The captured packets are then examined for the weaknesses discussed in the next section. [Screenshot omitted.]
5.3 Wireshark
The PCI Security Standards Council has issued guidance on how to protect card data when taking payments by telephone. Part of this guidance covers how to handle telephone calls carried over voice over IP (VoIP).
To find such weaknesses with Wireshark, use the following steps. First download and install Wireshark, then choose the network interface on which to capture packets. [Screenshot omitted.]
Once enough packets have been captured, click Stop. The captured packets are then inspected for cardholder data that is visible in the clear, which is the information relevant to credit card fraud detection. [Screenshot omitted.]
Based on this analysis, protecting card data taken over VoIP requires the following measures:
Do not use VoIP. This is the simplest protection: do not use VoIP for agents taking cardholder payments, and use analogue telephone lines instead, as they are much harder to tap and extract data from.
Protect network access. This is very difficult, because agents and many other people have physical access to the network and can plug in any device they want. MAC filtering on the network is one attempted mitigation, although a MAC address is trivially spoofed, so port-based network authentication (IEEE 802.1X) is the stronger control.
Use strong encryption. SRTP can be used to encrypt the audio streams of voice calls, and TLS to encrypt the SIP signalling that sets the calls up. Support for TLS and SRTP is not yet available from all equipment providers, and progress seems slow.
Encrypt all communication. PCI DSS requires users to authenticate to the site over a TLS connection, which protects the traffic as it travels across the internet. Internally, however, the authentication process is often performed against an LDAP server, and that connection should use LDAPS rather than relying on the internal network being secure. Wireshark is a valuable tool for capturing server-to-server transmissions, and it readily reveals passwords sent in plaintext. Encrypt traffic everywhere.
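The plaintext password Wireshark recovers from an internal LDAP bind is not hidden in any way; it is simply a field in the BER-encoded message. The following is an added example written for this proposal, not code from the original page or from Wireshark: it encodes an LDAP simple bind request (RFC 4511) the way an application would send it to port 389, then decodes the captured bytes the way a sniffer would, recovering the DN and password directly. The bind request, DN and password are constructed and hypothetical.

```python
"""Added example: what a sniffer sees in an LDAP simple bind without TLS.
Message bytes, DN and password are constructed for illustration."""
from typing import Tuple


def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def build_simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, bindRequest [APPLICATION 0] { version 3, name, simple [0] } }.
    messageID is kept to 0..127 so the INTEGER fits one byte (enough for the example)."""
    bind = _tlv(0x02, bytes([3])) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, bind))


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one TLV at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def sniff_simple_bind(packet: bytes) -> Tuple[int, str, str]:
    """Recover (messageID, DN, password) from a captured plaintext bind."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = _read_tlv(msg, 0)
    tag, bind, _ = _read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, _version, pos = _read_tlv(bind, 0)
    _, dn, pos = _read_tlv(bind, pos)
    tag, cred, _ = _read_tlv(bind, pos)
    if tag != 0x80:
        raise ValueError("SASL bind: no plaintext password in this message")
    return int.from_bytes(msg_id, "big"), dn.decode(), cred.decode()


# Constructed capture: the bytes a back-office service would put on the wire to port 389.
CAPTURED = build_simple_bind(7, "cn=svc-pos,ou=service,dc=example,dc=com", "Winter2019!")

if __name__ == "__main__":
    print(sniff_simple_bind(CAPTURED))
```

Sent to port 636 (LDAPS) or after a StartTLS exchange, the same bytes sit inside a TLS record and sniff_simple_bind gets nothing to parse; the control that makes the difference is therefore server-side, in that the directory must refuse simple binds that arrive without TLS, not the choice of capture tool.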
Conclusion
The PCI DSS was designed to enhance and encourage cardholder data security and to facilitate the broad, global adoption of consistent data security measures. It provides a baseline of technical and operational requirements developed to protect account data, and it applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers and service providers. It also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD). The standard gives a high-level overview of the 12 PCI DSS requirements. The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment. The cardholder data environment (CDE) comprises the people, processes and technologies that store, process or transmit cardholder data or sensitive authentication data. "System components" include network devices, servers, computing devices and applications (phoenixnap.com, 2019). The Council has set a guideline for the industry and the banking sector to follow so that this confidential, high-value data does not fall into the wrong hands. It also places responsibility on cardholders, business firms, customers, online traders, small businesses and anyone else using online networks for monetary transactions to be aware of all the ways in which their data and information can be breached. It has repeatedly emphasised the importance of these vital functions, and the serious consequences when they are not followed. The guidelines mention the same three risk assessment methodologies named in the PCI DSS itself (OCTAVE, ISO 27005 and NIST SP 800-30) and clarify that other frameworks, such as the Factor Analysis of Information Risk and the Australian/New Zealand Standard AS/NZS 4360, may also be used. The PCI Security Standards Council has issued guidance on how to protect card data when taking payments by telephone, part of which covers handling calls carried over VoIP. The main concern is that it is remarkably easy to extract cardholder data from VoIP calls if one has access to the data stream. The favourite tool of anyone who works with networks is Wireshark, a free and very powerful resource; Wireshark makes it possible to capture network data and to extract voice calls from that data. Wireshark was therefore chosen as the best tool for demonstrating how cardholder data can be extracted from VoIP calls given access to the data stream.
References
Ahmed, H. U. (2018). PCI DSS 3.2: A Comprehensive Understanding to Effectively Achieve PCI DSS Compliance.
Ataya, G. (2010). PCI DSS audit and compliance. Information Security Technical Report, 15(4),
pp.138-144.
Baxter, J. (2014). Wireshark Requirements. Birmingham, U.K: Packt Pub.
Beasley. (2008). Networking. Pearson India.
bigcommerce.com. (2019). PCI Compliance: Requirements Explained + PCI DSS Checklist. [online] Available at: https://www.bigcommerce.com/blog/pci-compliance/ [Accessed 2019].
Blackwell, J. (2018). Best Practices to Obtain and Maintain PCI Compliance.
blog.pcisecuritystandards.org. (2019). PCI DSS: Looking Ahead to Version 4.0. [online] Available at:
https://blog.pcisecuritystandards.org/pci-dss-looking-ahead-to-version-4.0 [Accessed 2019].
Bonner, E., O' Raw, J. and Curran, K. (2011). Implementing the Payment Card Industry (PCI) Data
Security Standard (DSS). TELKOMNIKA (Telecommunication Computing Electronics and Control),
9(2), p.365.
Bosworth, S., Kabay, M. and Whyne, E. (n.d.). Computer security handbook.
Bsigroup.com. (2019). Payment Card Industry Data Security Standard | India. [online] Available at:
https://www.bsigroup.com/en-IN/PCIDSS/ [Accessed 24 Apr. 2019].
Calder, A. and Williams, G. (2016). PCI DSS. Ely: IT Governance Publishing.
Calderón Pale, P. (2012). Nmap 6. Birmingham, UK: Packt Pub.
Calderon, P. (n.d.). Nmap.
Caldwell, T. (2013). Security at the data level. Network Security, 2013(5), pp.6-12.
Chan, K. (n.d.). Network security and communication engineering.
Chappell, L. (2012). Wireshark network analysis. San Jose, Calif.: Chappell University.
Christianson, B. (2011). Security protocols. Berlin: Springer.
clearent.com. (2019). What is PCI DSS Compliance? | Clearent. [online] Available at:
https://www.clearent.com/insight/pci-dss-compliance/ [Accessed 2019].
cloud.google.com. (2019). PCI DSS - Compliance | Google Cloud. [online] Available at:
https://cloud.google.com/security/compliance/pci-dss/ [Accessed 2019].
Coburn, A. (2010). Fitting PCI DSS within a wider governance framework. Computer Fraud &
Security, 2010(9), pp.11-13.
Cole, E., Krutz, R. and Conley, J. (2009). Network security bible. Indianapolis, Ind.: Wiley Publishing,
Inc.
Colley, J. (2008). Managing both careers and risks. Network Security, 2008(5), pp.7-9.
ComputerWeekly.com. (2019). Business case for PCI compliance using a risk-driven approach.
[online] Available at: https://www.computerweekly.com/tip/Business-case-for-PCI-compliance-using-
a-risk-driven-approach [Accessed 24 Apr. 2019].
Conti, G. (2007). Security data visualization. San Francisco: No Starch Press.
Crouthamel, A. (n.d.). Mastering Wireshark 2.
Danielyan, E. and Knipp, E. (2002). Managing Cisco network security. Rockland, Mass.: Syngress
Media.
Data security handbook. (2008). Chicago, Ill.: ABA Section of Antitrust Law.
Desharnais, Y. B. and Desharnais, F. (2018). PCI DSS made easy (PCI DSS 3.2).
Digital Guardian. (2019). Data Protection: Data In transit vs. Data At Rest. [online] Available at:
https://digitalguardian.com/blog/data-protection-data-in-transit-vs-data-at-rest [Accessed 18 Apr.
2019].
Duarte, F., Sikansi, F., Fatore, F., Fadel, S. and Paulovich, F. (2014). Nmap: A Novel Neighborhood
Preservation Space-filling Algorithm. IEEE Transactions on Visualization and Computer Graphics,
20(12), pp.2063-2071.
Elluri, L., Nagar, A., & Joshi, K. P. (2018, December). An Integrated Knowledge Graph to Automate
GDPR and PCI DSS Compliance. In 2018 IEEE International Conference on Big Data (Big Data) (pp.
1266-1271). IEEE.
Entrustdatacard.com. (2019). Protecting Data in Transit Versus at Rest | Entrust Datacard. [online]
Available at: https://www.entrustdatacard.com/blog/2016/august/protecting-data-in-transit-versus-at-
rest [Accessed 18 Apr. 2019].
Everett, C. (2009). PCI DSS: Lack of direction or lack of commitment?. Computer Fraud & Security,
2009(12), pp.18-20.
Federal Trade Commission. (2019). Data Security. [online] Available at: https://www.ftc.gov/tips-
advice/business-center/privacy-and-security/data-security [Accessed 24 Apr. 2019].
Fernandes, J. (2015). Get ready for PCI DSS 3.0 with real-time monitoring. Computer Fraud &
Security, 2015(2), pp.17-18.
Ferranti, M. (2019). What is Nmap? Why you need this network mapper. [online] Network World.
Available at: https://www.networkworld.com/article/3296740/what-is-nmap-why-you-need-this-
network-mapper.html [Accessed 18 Apr. 2019].
Gikas, C. (2010). A General Comparison of FISMA, HIPAA, ISO 27000 and PCI-DSS
Standards. Information Security Journal: A Global Perspective, 19(3), pp.132-141.
global.jcb. (2019). PCI DSS - Payment Card Industry Data Security Standard. [online] Available at: https://www.global.jcb/en/products/security/pci-dss/index.html [Accessed 2019].
Gollmann, D. (2011). Computer Security. Hoboken: Wiley Textbooks.
Hallberg, B. (2013). Networking. New York: McGraw-Hill Publishing.
Hartley, D. (2009). Secure ecommerce web application design principles, beyond PCI DSS. Computer
Fraud & Security, 2009(6), pp.13-17.
Hudson, A. and Hudson, P. (2008). Ubuntu 7.10 Linux unleashed. Indianapolis, Ind.: Sams.
HUTCHENS, J. (2017). KALI LINUX NETWORK SCANNING COOKBOOK. [Place of publication
not identified]: PACKT Publishing Limited.
imperva.com. (2019). What is PCI DSS | Compliance Levels, Certification .... [online] Available at:
https://www.imperva.com/learn/data-security/pci-dss-certification/ [Accessed 2019].
Infosec Resources. (2019). A Step-by-Step Guide to Data Security Compliance by Industry. [online]
Available at: https://resources.infosecinstitute.com/step-step-guide-data-security-compliance-
industry/#gref [Accessed 24 Apr. 2019].
itgovernance.co.uk. (2019). PCI DSS | IT Governance UK. [online] Available at:
https://www.itgovernance.co.uk/pci_dss [Accessed 2019].
Kaufman, P. (2013). Trading Systems and Methods. New York: Wiley.
Kedgley, M. (2014). PCI DSS Version 3.0: new standard, but same problems?. Computer Fraud &
Security, 2014(1), pp.5-9.
Kidd, R. (2008). Counting the cost of non-compliance with PCI DSS. Computer Fraud & Security,
2008(11), pp.13-14.
Kotenko, I. and Skormin, V. (2012). Computer Network Security. Berlin, Heidelberg: Springer Berlin
Heidelberg.
Kumar, N., Ramdoss, Y. and Orzach, Y. (2018). Network Analysis Using Wireshark 2 Cookbook.
Birmingham: Packt Publishing.
Kurose, J. and Ross, K. (n.d.). Computer networking.
legalvision.com.au. (2019). What is the PCI DSS? - LegalVision. [online] Available at:
https://legalvision.com.au/what-is-the-pci-dss/ [Accessed 2019].
Lehtinen, R. and Sr, G. (2011). Computer Security Basics. Sebastopol: O'Reilly Media.
Lesca, N. (2013). Environmental Scanning and Sustainable Development. New York, NY: John Wiley
& Sons.
library.educause.edu. (2019). PCI DSS. [online] Available at:
https://library.educause.edu/topics/policy-and-law/pci-dss [Accessed 24 Apr. 2019].
Lin, D., Tsudik, G. and Wang, X. (2011). Cryptology and network security. Berlin: Springer.
Lyon, G. (2010). Nmap network scanning. Sunnyvale, CA: Insecure.Com LLC.
MacDonald, A. and Beech, M. (2008). Trolls on vacation. New York, N.Y.: Bloomsbury Children's
Books.
Marïen, A. (2010). Matchmaking between PCI-DSS and Security. Information Security Technical
Report, 15(4), p.137.
Marsella, J. (2019). Everything You Need to Know About Achieving PCI Compliance [Checklist
Included]. [online] The BigCommerce Blog. Available at: https://www.bigcommerce.com/blog/pci-
compliance/#what-is-the-pci-dss [Accessed 24 Apr. 2019].
Marsh, N. (2010). Nmap cookbook. [S.l.]: Nicholas Marsh.
McClure, S., Scambray, J. and Kurtz, G. (2012). Hacking exposed. Emeryville, Calif.:
McGraw-Hill/Osborne.
McShane, I., Gregory, M. and Wilson, C. (2016). Practicing Safe Public Wi-Fi: Assessing and
Managing Data-Security Risks. SSRN Electronic Journal.
Mishra, C. (2016). Mastering Wireshark. Birmingham, UK: Packt Publishing.
70
Document Page
Mishra, C. (n.d.). Wireshark 2 quick start guide.
Morse, E. and Raval, V. (2008). PCI DSS: Payment card industry data security standards in
context. Computer Law & Security Review, 24(6), pp.540-554.
New PCI DSS hurdles loom. (2010). Infosecurity, 7(4), p.9.
New version of PCI DSS makes only minor changes. (2010). Computer Fraud & Security, 2010(11),
pp.1-3.
NewVoiceMedia. (2019). Voice over IP and PCI DSS Compliance, what are the issues? - Blog |
NewVoiceMedia. [online] Available at: https://www.newvoicemedia.com/blog/voice-over-ip-and-pci-
dss-compliance-what-are-the-issues [Accessed 18 Apr. 2019].
Nmap. (2012). [Place of publication not identified]: Book On Demand.
Nmap.org. (2019).Chapter 9.Nmap Scripting Engine | Nmap Network Scanning. [online] Available at:
https://nmap.org/book/nse.html [Accessed 18 Apr. 2019].
Olups, R. (2010). Zabbix 1.8 network monitoring. Birmingham, U.K.: Packt Pub.
onlinetech.com. (2019). What is PCI Compliance? - Online Tech. [online] Available at:
http://www.onlinetech.com/resources/references/what-is-pci-compliance [Accessed 2019].
Orloff, J. (2008). Ubuntu. Emeryville, Calif.: McGraw-Hill/Osborne.
Ortiz, J. (2014). PCI DSS 77 Success Secrets - 77 Most Asked Questions On PCI DSS - What You
Need To Know. Emereo Publishing.
Orzach, Y. (2013). Network Analysis Using Wireshark Cookbook. Birmingham: Packt Publishing.
Pale, P. (2012). Nmap 6. Birmingham: Packt Pub.
Papagalos, L. (2019). PCI Compliance: The Dangers of Noncompliance – The SiteLock Blog. [online]
Sitelock.com. Available at: https://www.sitelock.com/blog/2015/03/pci-noncompliance-dangers/
[Accessed 24 Apr. 2019].
paypal.com. (2019). The basics of PCI DSS compliance. - paypal.com. [online] Available at:
https://www.paypal.com/us/brc/article/pci-dss-compliance-basics [Accessed 2019].
PCI (nd) https://www.pcisecuritystandards.org/minisite/en/saq-v2.0documentation.php
71
Document Page
PCI Compliance Guide. (2019). PCI Compliance Guide Frequently Asked Questions | PCI DSS FAQs.
[online] Available at: https://www.pcicomplianceguide.org/faq/ [Accessed 24 Apr. 2019].
PCI DSS appears to reduce breaches. (2011). Computer Fraud & Security, 2011(5), pp.3-19.
PCI DSS survey shows encryption is tops when it comes to end-to-end security. (2010). Infosecurity,
7(2), p.10.
PCI DSS. (2011). ITGP.
pcicompliance. (2019). PCI Compliance: Free Scanner => PCICompliance.com .... [online] Available
at: https://www.pcicompliance.com/ [Accessed 2019].
pcicompliance.stanford.edu. (2019). Payment Card Industry (PCI) Data Security Standard. [online]
Available at: https://pcicompliance.stanford.edu/sites/g/files/sbiybj7706/f/pci_dss_v3-2.pdf [Accessed
2019].
pcicomplianceguide.org. (2019). PCI Compliance Guide | Payment Card Industry Data Security ....
[online] Available at: https://www.pcicomplianceguide.org/ [Accessed 2019].
pcidss. (2019). PCI DSS Security and PCI DSS Supplier Directory - www .... [online] Available at:
https://www.pcidss.com/ [Accessed 2019].
Pcisecuritystandards.org. (2019). Official PCI Security Standards Council Site - Verify PCI
Compliance, Download Data Security and Credit Card Security Standards. [online] Available at:
https://www.pcisecuritystandards.org/ [Accessed 24 Apr. 2019].
Petersen, R. (2008). Ubuntu. New York, USA: McGraw-Hill Professional Publishing.
Peterson, G. (2010). From auditor-centric to architecture-centric: SDLC for PCI DSS. Information
Security Technical Report, 15(4), pp.150-153.
phoenixnap.com. (2019). PCI DSS 3.2 Compliance Requirements Guide: Updated 2019. [online]
Available at: https://phoenixnap.com/blog/pci-dss-3-2-compliance-guide [Accessed 2019].
POOLE, O. (2017). NETWORK SECURITY. [S.l.]: ROUTLEDGE.
Purehacking.com. (2019).PCI DSS Risk Assessment | Pure Hacking. [online] Available at:
https://www.purehacking.com/governance/pci-dss/pci-risk-assessment [Accessed 18 Apr. 2019].
Raggi, E., Thomas, K. and Vugt, S. (2011). Beginning Ubuntu Linux. Berkeley, CA: Apress.
72

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Document Page
Rees, J. (2010). The challenges of PCI DSS compliance. Computer Fraud & Security, 2010(12),
pp.14-16.
Ron McCarty's Blog. (2019). Scanning and Nmap. [online] Available at:
https://ron.yournetguard.com/2011/06/scanning-and-nmap.html [Accessed 18 Apr. 2019].
searchcompliance.techtarget.com. (2019). PCI DSS compliance (Payment Card Industry Data
Security .... [online] Available at: https://searchcompliance.techtarget.com/definition/PCI-compliance
[Accessed 2019].
searchfinancialsecurity.techtarget.com. (2019). What is PCI DSS (Payment Card Industry Data
Security .... [online] Available at: https://searchfinancialsecurity.techtarget.com/definition/PCI-DSS-
Payment-Card-Industry-Data-Security-Standard [Accessed 2019].
SearchSecurity. (2019). Analysis: Inside the new PCI DSS risk assessment. [online] Available at:
https://searchsecurity.techtarget.com/tip/Analysis-Inside-the-new-PCI-DSS-risk-assessment [Accessed
18 Apr. 2019].
searchsecurity.techtarget.com. (2019). What is PCI DSS 12 requirements? - Definition from
WhatIs.com. [online] Available at: https://searchsecurity.techtarget.com/definition/PCI-DSS-12-
requirements [Accessed 2019].
Secureworks.com. (2019). PCI DSS Compliance Frequently Asked Questions. [online] Available at:
https://www.secureworks.com/resources/wp-pci-dss-compliance-faqs [Accessed 24 Apr. 2019].
securitymetrics. (2019). PCI Compliance Solutions | PCI DSS Validation .... [online] Available at:
https://www.securitymetrics.com/pci [Accessed 2019].
SecurityMetrics. (2019). SecurityMetrics Guide to PCI DSS Compliance. [online] Available at:
https://www.securitymetrics.com/blog/securitymetrics-guide-pci-dss-compliance [Accessed 24 Apr.
2019].
Shaw, D. (2015). Nmap Requirements.Packt Publishing.
Shimonski, R. (2013). The wireshark field guide. Amsterdam: Syngress.
Singh, V. (2010). Computer networking course. New Delhi, India: Computech Publications Ltd.
SISA Information Security.(2019). PCI Risk Assessment | Security Risk Assessment - SISA
Bangalore, Mumbai, Delhi. [online] Available at: https://www.sisainfosec.com/services/pci-risk-
assessment/ [Accessed 18 Apr. 2019].
73
Document Page
Solarwindsmsp.com. (2019).12 Step PCI DSS Compliance Requirements Checklist | SolarWinds
MSP. [online] Available at: https://www.solarwindsmsp.com/content/pci-dss-requirements-checklist
[Accessed 18 Apr. 2019].
squareup.com. (2019). PCI Compliance: What You Need to Know. [online] Available at:
https://squareup.com/guides/pci-compliance [Accessed 2019].
Stallings, W. and Brown, L. (2018). Computer Security. Harlow, United Kingdom: Pearson Education
Limited.
Ubuntu Netbooks. (2010). Apress.
Vazão, T., Freire, M. and Chong, I. (2008). Information Networking. Berlin: Springer-Verlag.
Williams, B. (2010). How tokenization and encryption can enable PCI DSS compliance. Information
Security Technical Report, 15(4), pp.160-165.
Wilson, D., Roman, E., & Beierly, I. (2018). PCI DSS and card brands:
Standards, compliance and enforcement. Cyber Security: A Peer-Reviewed Journal, 2(1), 73-82.
Wincap.com. (2019). What is WinCap? :: Capital Computer Associates. [online] Available at:
https://www.wincap.com/page/what-is-wincap-74.html [Accessed 18 Apr. 2019].
Winpcap.org. (2019).WinPcap - Home. [online] Available at: https://www.winpcap.org/ [Accessed 18
Apr. 2019].
Wireshark.org. (2019). Wireshark · Go Deep.. [online] Available at: https://www.wireshark.org/
[Accessed 18 Apr. 2019].
Wright, S. (2009). PCI DSS v1. 2: A Practical Guide to Implementation. Cambs: IT Governance.
74
Document Page
75
1 out of 79
[object Object]

Your All-in-One AI-Powered Toolkit for Academic Success.

Available 24*7 on WhatsApp / Email

[object Object]