RESEARCH PROPOSAL
TOPIC: MANAGING DATA SECURITY AND RISKS
CONSIDERING PCI DSS
Programme: MSc in Information Security and Digital Forensic
Year: 2018/2019
Term: B
Student ID: U1336039
Author: Michael Akubueze
Supervisor: Dr Shareeful Islam

Executive Summary
Card payments are now a common sight in almost every business an individual deals with day to day. They let businesses meet their commercial aims conveniently and make transactions easier for customers. These businesses accept a range of bank cards, including debit and credit cards, for this purpose. Any organisation that does so must, however, comply with the Payment Card Industry (PCI) security standard before integrating card payment into its existing business processes. This proposal examines data security and risks under PCI DSS. We study the standard to understand its requirements and use tools such as Nmap to assess how closely an environment matches them. The standard was established by the major card brands, namely MasterCard, Visa, American Express, JCB and Discover, which formed a consortium named the Payment Card Industry Security Standards Council (PCI SSC). The role of the council is to maintain the Data Security Standard (PCI DSS), and the brands expect every participant in the industry to meet its terms and conditions. The PCI SSC has also issued guidance on how to protect card data when taking payments over the telephone. Part of that guidance covers how to handle calls carried over voice over IP (VoIP). The reason is that cardholder data is remarkably easy to extract from VoIP traffic once an attacker has access to the data stream. The favourite tool of anyone who works with networks is Wireshark, a free and extremely capable resource: it captures network traffic and can reassemble voice calls from that traffic. We therefore choose Wireshark to demonstrate how cardholder data can be extracted from VoIP calls by an attacker who has access to the data stream.
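To make the VoIP risk described above concrete, here is an added example in Python; it is not part of the proposal and not Wireshark's code. It parses RTP packets (RFC 3550) and recovers the digits a caller keyed during a telephone payment, which RFC 4733 carries as plain "telephone-event" payloads whenever SRTP is not in use. The packets are constructed inline rather than read from a capture file, the telephone-event payload type 101 is an assumption (the value is negotiated in SDP), and the keyed number is the well-known Visa test number, not a real account.

```python
"""Recover DTMF-keyed digits from unencrypted RTP (RFC 3550 header, RFC 4733 telephone-event payload)."""
import struct
from dataclasses import dataclass

# Assumption: the telephone-event payload type is dynamic and negotiated in SDP; 101 is the
# value most softswitches use. A real capture would be read with a pcap reader; here the
# packets are constructed inline so the example runs offline.
TELEPHONE_EVENT_PT = 101
PCMU_PT = 0                         # static payload type for G.711 mu-law audio
DTMF_SYMBOLS = "0123456789*#ABCD"   # RFC 4733 event codes 0-15


@dataclass
class RtpPacket:
    payload_type: int
    marker: bool
    seq: int
    timestamp: int
    ssrc: int
    payload: bytes


def parse_rtp(data: bytes) -> RtpPacket:
    """Parse the fixed RTP header, skipping the CSRC list, header extension and padding."""
    if len(data) < 12:
        raise ValueError("short RTP packet")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", data[:12])
    if b0 >> 6 != 2:
        raise ValueError(f"unsupported RTP version {b0 >> 6}")
    offset = 12 + 4 * (b0 & 0x0F)            # CSRC identifiers
    if b0 & 0x10:                             # header extension present
        if len(data) < offset + 4:
            raise ValueError("truncated header extension")
        ext_words = struct.unpack("!H", data[offset + 2:offset + 4])[0]
        offset += 4 + 4 * ext_words
    payload = data[offset:]
    if b0 & 0x20 and payload:                 # padding: last byte is the pad length
        pad = payload[-1]
        payload = payload[:-pad] if pad else payload
    return RtpPacket(b1 & 0x7F, bool(b1 & 0x80), seq, ts, ssrc, payload)


def extract_dtmf(packets, event_pt=TELEPHONE_EVENT_PT):
    """Return {ssrc: keyed digit string}. One key press is sent as several event packets that
    share the same RTP timestamp (the press start), so deduplicate on (ssrc, timestamp)."""
    seen = set()
    keyed = {}
    for raw in packets:
        pkt = parse_rtp(raw)
        if pkt.payload_type != event_pt or len(pkt.payload) < 4:
            continue                          # audio and other payloads are ignored
        event, _flags, _duration = struct.unpack("!BBH", pkt.payload[:4])
        press = (pkt.ssrc, pkt.timestamp)
        if press in seen or event >= len(DTMF_SYMBOLS):
            continue
        seen.add(press)
        keyed[pkt.ssrc] = keyed.get(pkt.ssrc, "") + DTMF_SYMBOLS[event]
    return keyed


def _rtp(pt, seq, ts, ssrc, payload, marker=False):
    """Build a minimal RTP packet: version 2, no CSRC, no extension, no padding."""
    return struct.pack("!BBHII", 0x80, (0x80 if marker else 0) | pt, seq, ts, ssrc) + payload


def sample_capture():
    """Constructed call leg: the caller keys a test PAN followed by '#', with G.711 audio
    packets interleaved. Each press is an initial packet, an interim update and one end
    packet (E bit set; RFC 4733 actually repeats the end packet three times)."""
    ssrc, seq, ts = 0xDEADBEEF, 1000, 160000
    pkts = []
    for ch in "4111111111111111#":            # 4111... is the well-known Visa test number
        event = DTMF_SYMBOLS.index(ch)
        for i, (duration, end) in enumerate(((160, False), (320, False), (480, True))):
            flags = (0x80 if end else 0) | 10   # E bit | volume (-10 dBm0)
            pkts.append(_rtp(TELEPHONE_EVENT_PT, seq, ts, ssrc,
                             struct.pack("!BBH", event, flags, duration), marker=(i == 0)))
            seq += 1
        pkts.append(_rtp(PCMU_PT, seq, ts + 480, ssrc, bytes(160)))   # placeholder audio
        seq += 1
        ts += 1600
    return pkts


if __name__ == "__main__":
    for ssrc, digits in extract_dtmf(sample_capture()).items():
        print(f"SSRC 0x{ssrc:08X} keyed: {digits}")
```

Packets are processed in arrival order; with a real capture (for example the UDP payloads Wireshark exports for an RTP stream) you would first sort by sequence number and take the telephone-event payload type from the SDP of the call. The defensive lesson is that nothing in RTP itself hides these digits: only SRTP on the media path, or suppressing DTMF before it reaches the recording or agent environment, prevents this kind of extraction.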

Table of Contents
Chapter 1: Introduction.............................................................................................................................1
1.1 Requirement for Businesses to have a Payment Card...............................................................1
1.2 Understanding the term “PCI DSS”...........................................................................................2
1.3 Why it is Obligatory for the Business Organizations?..............................................................4
1.4 Research Aim and Objectives....................................................................................................5
1.5 Problem Domain and Challenges..............................................................................................6
1.6 Research Question.....................................................................................................................6
Chapter 2: Literature review.....................................................................................................................8
2.1 Payment Card Industry..............................................................................................................8
2.2 Control of Security...................................................................................................................12
2.2.1 Security threat or risks in PCI DSS..................................................................................18
2.3 Tools........................................................................................................................................19
2.3.1 NMAP...............................................................................................................................19
2.3.2 WinPcap............................................................................................................21
2.3.3 Wireshark.........................................................................................................................22
Chapter 3: PCI DSS................................................................................................................................27
3.1 PCI DSS...................................................................................................................................27

3.1.1 Building and Maintaining a Secure Network...................................................................28
3.1.2 Protecting Cardholder’s Data...........................................................................................30
3.1.3 Implement Strong Access Control Measures...................................................................33
3.1.4 Frequently Monitoring and Testing Networks.................................................................36
3.1.5 Maintaining Information Security Policy.........................................................................38
Chapter 4: Methodology/approach.........................................................................................................41
4.1 PCI DSS Methodology............................................................................................................41
4.1.1 Data security issues..............................................................................................................42
4.1.2 Risks.....................................................................................................................................47
Chapter 5: Implementation.....................................................................................................................50
5.1 NMAP..................................................................................................................................54
5.2 WinPcap...............................................................................................................60
5.3 Wireshark............................................................................................................61
Conclusion..............................................................................................................................................64
References..............................................................................................................................................65

Chapter 1: Introduction
1.1 Requirement for Businesses to have a Payment Card
The payment card industry mandates that cardholder data be protected and fraud prevented. Yet many organisations still struggle to achieve compliance with PCI DSS (Payment Card Industry Data Security Standard). Five major payment card brands formulated the standard to merge their individual programmes into a single set of requirements. Updates have since been issued by the PCI SSC (PCI Security Standards Council); version 3.1, for example, took effect in April 2015. Even though, with its 12 requirements and supporting guidance, the standard is more prescriptive than most government or industry security mandates, compliance is often far more costly, error-prone and resource-intensive than it needs to be. The annual cost can run to a substantial sum depending on an organisation's merchant level, given the effort to manually gather and analyse log data, compile reports, and maintain and validate security controls and policies through inefficient, labour-intensive processes. Policies such as access control, data protection and configuration management are harder to maintain and hard to implement, manage and enforce in practice. In today's dynamic business environments, compliance and security processes are rigid and too slow to respond. Controls that are implemented manually and poorly are error-prone, expensive and actually hinder business productivity without improving security much. To "just get it done", departments and even individuals may bypass policy. As a result, major data breaches have occurred at organisations that were technically PCI DSS compliant (Bosworth, Kabay and Whyne, n.d.). What is needed is an efficient, repeatable and practical security programme that satisfies both the cardholder data protection for which the standard was created and the technical demands of an organisation's PCI obligations. Concentrating on the basic yet tricky areas that contain much of the core of the requirements, the fundamentals of a PCI compliance programme are:
Protect cardholder data from unauthorised use
Strong controls around privileged users and data access
Centralised, automated role-based access control, authorisation and authentication
Database activity monitoring, and system and database auditing
1.2 Understanding the term “PCI DSS”
PCI DSS (Payment Card Industry Data Security Standard) is the standard that governs the security of customers' card data, which underpins both security and customer trust. That data must remain confidential and must not be misused by external parties. American Express, Discover, Visa, MasterCard and JCB came together to define the standard and its rules and guidelines; the first version was published in 2004 and the industry soon followed it. The basic guidelines are summarised below (Solarwindsmsp.com, 2019):
Cardholder (customer) data has to be protected; this is the highest priority of the standard. The data should be encrypted so that it cannot be read by outsiders. This matters all the more today, when most transactions happen online and are exposed to anyone with access to the internet.
Strong encryption is required to prevent this kind of breach. Vulnerable software used by a company is a target for external malicious attacks and programs. Bugs in systems have to be patched with current, up-to-date software, and software vendors must keep releasing updates so that their products withstand the latest viruses and malware that can creep into a system. Spyware, malware and phishing are some of the threats that can affect systems and servers (Chan, n.d.).
Client credentials have to be kept current, in the sense that passwords and PINs used for system access must be changed regularly. This prevents attackers from breaking into the system by cracking passwords and PINs. Strong, layered firewalls help stop outside attacks and intruders from entering the system. Regular updates and thorough checking, including full scans of the system for malicious code, must be carried out (Infosec Resources, 2019). Together these measures address the attacks and unlawful entry that can creep into the server and the protected software.
A sound strategy, including a structured security analysis and step-by-step instructions for handling any breach of that security, should be defined. Any breach or attempted breach should carry sanctions, and those sanctions should be part of the security framework. It is also the duty of every cardholder to protect the card and to keep the software and platforms used to pay or transfer money up to date (Christianson, 2011). The PCI DSS process is illustrated below.
Figure 1 PCI DSS Process

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.
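As an added example (not part of the proposal) of the "protect cardholder data" point above, the following Python code scans application log lines for primary account numbers (PANs) and masks them the way PCI DSS Requirement 3.3 permits for display, showing at most the first six and last four digits. The log lines are constructed for the example, and the regular expression and Luhn filter are this example's choices, not anything the standard prescribes.

```python
"""Find and mask primary account numbers (PANs) in log lines (PCI DSS Requirement 3.3 masking)."""
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens, not embedded
# in a longer digit run. Assumption: separators other than ' ' and '-' do not occur in the logs.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test (ISO/IEC 7812): every real PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                        # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, as Requirement 3.3 permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrub_line(line: str):
    """Return (masked_line, [pans found]). Digit runs that fail Luhn are left untouched."""
    found = []

    def replace(match):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if luhn_ok(digits):
            found.append(digits)
            return mask_pan(digits)
        return raw

    return PAN_RE.sub(replace, line), found


def scrub_log(lines):
    """Scrub a whole log; returns (clean_lines, all_pans_found)."""
    clean, findings = [], []
    for line in lines:
        masked, pans = scrub_line(line)
        clean.append(masked)
        findings.extend(pans)
    return clean, findings


# Constructed sample log lines: a gateway debug line that leaked a full PAN, an order number
# that is 16 digits but fails Luhn, and an IVR line with a space-separated PAN. 4111... and
# 5555... are the well-known Visa/Mastercard test numbers, not real accounts.
SAMPLE_LOG = [
    "2019-03-01T10:15:02Z gateway INFO auth req pan=4111111111111111 exp=1221 amount=49.99",
    "2019-03-01T10:15:03Z gateway INFO order=1234567890123456 status=approved",
    "2019-03-01T10:15:04Z ivr DEBUG caller keyed 5555 5555 5555 4444 via dtmf",
]

if __name__ == "__main__":
    clean, pans = scrub_log(SAMPLE_LOG)
    print(f"{len(pans)} PAN(s) found and masked")
    print("\n".join(clean))
```

Finding a PAN in a log is itself a Requirement 3 failure (the log is now cardholder data storage), so in practice the scrubber's findings list is the audit signal and the masking is only damage limitation; the real fix is to stop the application writing the PAN in the first place. The Luhn filter removes most false positives from order numbers and timestamps, but a Luhn-valid non-card number would still be masked, which is the safe direction to err.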
1.3 Why it is Obligatory for the Business Organizations?
As internet and data access become ever easier in today's connected world, people anywhere can reach a system and misuse whatever information they can get at. The number of transactions taking place over the internet has grown enormously, and it becomes difficult for a company to verify that its systems are maintained properly. But it has to: it is the company's responsibility and duty to make its systems resistant to breach. According to the World Payments Report (WPR) 2018, the global e-wallet market has been growing rapidly, with transaction volume estimated at 41.8 billion, nearly 8.6% of global non-cash transactions. Here the role of PCI DSS becomes important and crucial. The PCI SSC, which maintains it, is the umbrella body that sets the standards and rules for how companies may use customer data. These cover privacy policy and the terms and conditions for how a customer's name, address, account information, security identifiers and so on must be handled (Conti, 2007). The guideline set for industry and the banking sector is that this confidential, high-value data must not fall into the wrong hands. The council also requires that cardholders, business firms, customers, online traders, small businesses and anyone else using online networks for monetary transactions be aware of all the ways in which their data and information can be breached. It has repeatedly emphasised the importance of these vital functions and the serious consequences when they are not followed. The repercussions of ignoring this advice can be losses and theft on an unimaginable scale (ComputerWeekly.com, 2019).
While organisations bear the burden of meeting the multi-layered PCI DSS requirements, the cost of compliance is far less than the alternative. Consequences of non-compliance include:
