Analysis of PCI DSS Noncompliance: CardSystems Solutions Lab 3

Added on 2023/06/03
Case Study
AI Summary
This assignment presents a case study analysis of CardSystems Solutions' PCI DSS noncompliance, examining the events leading up to a significant data breach. The analysis delves into the company's failures, including inadequate security measures, the impact of an SQL injection attack, and the negligence of involved parties. The document assesses the auditor's findings, explores legal implications, and determines whether the company's actions constitute an unfair trade practice. It also offers recommendations for security policies, controls, and countermeasures to achieve PCI DSS compliance, along with the consequences of the data loss and the parties responsible for the noncompliance. Finally, it investigates the potential mitigation strategies for preventing similar incidents and evaluates the role of ongoing monitoring and testing in maintaining compliance.
Copyright © 2014 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved.
www.jblearning.com Student Lab Manual
Lab #3 - Assessment Worksheet
Case Study on PCI DSS Noncompliance: CardSystems Solutions
Course Name and Number: _____________________________________________________
Student Name: ________________________________________________________________
Instructor Name: ______________________________________________________________
Lab Due Date: ________________________________________________________________
Overview
In this lab, you reviewed a real-world case study that involved a PCI DSS noncompliance
scenario, and you recommended mitigation remedies to prevent the loss of private data for
similar organizations.
Lab Assessment Questions & Answers
1. Did CardSystems Solutions break any federal or state laws?
2. In June 2004, an external auditor certified CardSystems Solutions as Payment Card Industry Data
Security Standard- (PCI DSS-) compliant. What is your assessment of the auditor’s findings?
3. Can CardSystems Solutions sue the auditor for not performing his or her tasks and deliverables
with accuracy? Do you recommend that CardSystems Solutions pursue this avenue?
4. Who do you think is negligent in this case study and why?
5. Do the actions of CardSystems Solutions warrant an “unfair trade practice” designation as stated
by the Federal Trade Commission (FTC)?
Yes. CardSystems Solutions violated federal law under 15 U.S.C. §§, the provisions against which the cause of the SQL injection attack was assessed. Customer data needed to be secured, and it was not: the attacker stole a significant amount of data.
After the security auditor's assessment, it was found that the security measures the company had implemented and used were not PCI DSS compliant. The main reason was that the company did not meet all six of the PCI DSS compliance requirements.
CardSystems Solutions cannot sue the auditor, because the company itself was not meeting all six PCI DSS requirements. The company is advised not to pursue this avenue.
The company is negligent in this case study: it did not fulfil the compliance requirements, which led to the attack and to the theft of unencrypted data, and proper security firewalls were not implemented.
Yes, the actions of CardSystems Solutions warrant an "unfair trade practice" designation as stated by the Federal Trade Commission (FTC), because the company did not follow the rule that proper security measures must be implemented to prevent the loss of customer data.
6. What security policies do you recommend to help with monitoring, enforcing, and ensuring PCI
DSS compliance?
7. What security controls and security countermeasures do you recommend for CardSystems
Solutions to be in compliance with PCI DSS requirements?
8. What was the end result of the attack and security breach to CardSystems Solutions and its
valuation?
9. What are the possible consequences associated with the data loss?
10. Who do you think is ultimately responsible for CardSystems Solutions’ lack of PCI DSS
compliance?
11. What should CardSystems Solutions have done to mitigate possible SQL injections and data
breaches on its credit card transaction-processing engine?
12. True or false: Although CardSystems Solutions had proper security controls and security
countermeasures, it was not 100 percent PCI DSS-compliant because the company failed to
properly implement ongoing monitoring and testing on its development and production systems.
Implement a proper security firewall to prevent cyber attacks, and constantly update the anti-virus software that detects malware entering the systems.
The security control recommended for CardSystems Solutions to comply with PCI DSS is the implementation and use of firewalls. The recommended security countermeasure is detection software for finding malware on the system.
The company lost a huge amount of customer credit card data from its database, and the damage to its reputation was so severe that the company almost went out of business.
The possible consequences associated with the data loss are loss of trust between the company and its customers, a huge capital loss for recovering the data, and damage to the company's reputation that can leave it bankrupt.
The departments responsible for the lack of PCI DSS compliance are the company's IT department, its senior management and its technical staff.
The possible mitigations for SQL injection and data breaches are implementing a rigid firewall, using updated antivirus software, building database access on prepared statements combined with parameterised queries, and using stored procedures.
True. The company did not properly implement ongoing monitoring and testing of its development and production systems, which allowed the SQL injection attack on its database to go undetected and led to the loss of customer credit card data.
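As an added example that is not part of the worksheet or the case study, the following Python snippet (standard-library sqlite3, with constructed sample rows standing in for a transaction engine's store) places a string-concatenated lookup beside the prepared-statement form the answer recommends, so the difference in behaviour on a crafted input can be observed directly.

```python
import sqlite3

# Constructed sample data (not from the case study): masked card numbers per merchant.
SAMPLE_ROWS = [
    ("merchant-001", "4111********1111"),
    ("merchant-002", "5500********0004"),
    ("merchant-003", "3400********0009"),
]


def make_db():
    """Build an in-memory table standing in for a transaction-processing store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE transactions (merchant_id TEXT, masked_pan TEXT)")
    conn.executemany("INSERT INTO transactions VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, merchant_id):
    """Builds the SQL by string concatenation: the caller's input becomes part of
    the query text, so a crafted merchant_id can change the query's logic."""
    sql = "SELECT masked_pan FROM transactions WHERE merchant_id = '" + merchant_id + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, merchant_id):
    """Prepared statement with a bound parameter: the driver sends the value
    separately from the query text, so it can only ever be compared as a literal."""
    sql = "SELECT masked_pan FROM transactions WHERE merchant_id = ?"
    return [row[0] for row in conn.execute(sql, (merchant_id,))]


def compare(merchant_id):
    """Run both lookups on the same input and return (vulnerable_rows, safe_rows)."""
    conn = make_db()
    try:
        return (len(lookup_vulnerable(conn, merchant_id)),
                len(lookup_parameterised(conn, merchant_id)))
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("merchant-001"))   # (1, 1): a genuine merchant id matches one row
    print(compare("x' OR '1'='1"))   # (3, 0): concatenation leaks every row, binding leaks none
```

The parameterised form also removes the need for escaping logic, which is where hand-rolled defences usually fail.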