Implementing PCI DSS: A Comprehensive Guide to Data Security

Verified

Added on 2023/04/20

AI Summary

This report provides a detailed analysis of the Payment Card Industry Data Security Standard (PCI DSS), focusing on its standards, accountability, and oversight in credit card processing. It discusses the role of the PCI Security Standards Council, the multifaceted nature of PCI DSS, and its impact on financial institutions and customers. The report also outlines the process of developing and maintaining PCI DSS requirements, the importance of selecting an effective Information Governance (IG) team, and a plan for designing and implementing an IG program to meet project requirements, including assessing the current state, involving leadership, establishing a cross-functional committee, developing a comprehensive policy, and understanding ongoing company needs. The document emphasizes the necessity of continuous monitoring and proactive measures to address data breaches and security issues. Desklib is a valuable resource for students, offering access to a wide range of past papers and solved assignments.

Running head: PAYMENT CARD INDUSTRY
PAYMENT CARD INDUSTRY
Name of Student
Name of University
Author’s Note

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

1PAYMENT CARD INDUSTRY
Part 1
A discussion with the IG team has been carried out regarding various associations,
organizations, agencies and affiliates that provide standard, accountability and oversight
for various organization who process credit cards the following results are obtained
a. An organization or a body that deals with setting standards, insuring
accountability for the purpose of data security as well as information governance
in the industry of credit card processing is PCI Security Standards Council. This is
a global forum for this specific industry and help organizations to come together
for enhancing, developing, assisting and disseminating with understanding of
various security standards for the security of payment accounts (Williams, 2016).
They usually work with or are linked with payment cards. These are financial
institutes, merchants, software and hardware developers who are involved in
creating as well as operating global infrastructure.
b. Payment Card Industry Data Security Standard (PCI DSS) can be described as a
multifaceted security standard which consists of requirements for the purpose of
managing information security, procedures, policies, network architecture, some
critical controls and software design. They provide their services to financial
institutes like banks, insurance companies, card processors and many more. From
the release of their version 3.2, it is clear that they have evolved in safeguarding
the payment data and it comprises of evolving requirements and clarifications
(Piazza, Fernandes&Anderson, 2016). Since their first version 1.0, their standard
had required two-step verification for the remote access to CDE. Similarly with
various versions like 8.3, 8.3.1, 8.3.2 and many more, they have improved their
services and made it available for the users.

2PAYMENT CARD INDUSTRY
c. The players who are affected by the PCI DSS include various institutes that
include financial transactions as a part of their working principles, it helps them to
carry out safe transactions and allow their customers to do the same (Wilson,
Roman&Beierly, 2018). This organization also impacts customers of various
organizations or under financial institutes to carry out secured transactions without
the risk of getting their personal data revealed.
d. Usually PCI DSS requirements and standards are developed as well as maintained
by industry standards body named PCI Security Standards Council (SSC). The
standards are enforced with the help of five brands of payment cards named Visa,
Discover, JCB International, MasterCard and American Express.
e. The data that had been acquired from PCI DSS and some more associated topics,
it would us to implement better strategies for selecting members of the IG team,
make them perform well in order to meet the requirements of the project (Porter,
2017). The evaluation of PCI DSS would help us in knowing the basic steps to
develop the project and have an idea of the future of the trial.
Part 2
The five representatives whom I would request to be a member of my team and the
reason for me to select them are as follows
 Data analyst: data analyst would work with various data sources. He would
collaborate with the compliance officer for creating information governance
regulations for data sources (Clapper & Richmond, 2016). He would also
create connection between operational rules like data quality, privacy and
rules of information governance along with transformational rules.

3PAYMENT CARD INDUSTRY
 Data architect:data analyst would help in understanding the structural as well
as physical aspects of data sources which information governance rules and
terms would be assigned to. They find assets and terms like jobs, database
tables and some more assets for assigning to the rule. They form a relationship
between various terms and the place where they are stored physically.
 Business analyst: business analyst would know the business definitions of
various terms for every entity of the business, he would receive the
requirements in order to deliver data to business audience (Gaynor,
Bass&Duepner, 2015). He would work with subject matter expert for
establishing a specific list of terms which would represent the commonly used
words which are utilized in reports, general communication and applications.
He would ensure that the goal of the team is achieved.
 Subject matter expert: subject matter expert would understand the usage of
terms in the business, their relationships to various other terms and their
dependencies. He would help in defining and creating terms.
 Data administrator: data administrator would be chosen because he would
help in importing as well as managing assets in catalogues like data files, data
bases, models and Business Intelligence reports.
Part 3
The plan that would be followed in order to design and implement the IG program
and meet the project requirements are
Step / task Task Description Time

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

4PAYMENT CARD INDUSTRY
number required
Step 1 Assessing the
current state
Utilization of ARMA International’s Maturity
Model for determining where the organization
stands presently (Ukidve, SMantha&Tadvalkar,
2017).
This will help in determining which steps would
be easy to achieve and which ones would need
more attention.
2 weeks
Step 2 Involving the
leadership team
The executives would serve as IG members and
reduce the risk of not having enough participation
of employees across various departments.
Their support must be earned by demonstrating
the return of the program on its investment and
the ability to decrease risk
3 weeks
Step 3 Establishing a
cross functional
committee
The employees’ workflows must be supported
and help in making their task easy (Schulze,
2018). The committee must include information
technology, information security, compliance and
the business units
1 month
Step 4 Developing a
clear and
comprehensive
policy
A holistic view must be taken which would cover
the structured as well as unstructured data to
deletion, backup data and retention.
It must be checked that all the critical scenarios
and items have been covered (Gaynor, Bass &
Duepner, 2015).
The policy must be written in the terms of
Layman and enable employees of various levels
2 months

5PAYMENT CARD INDUSTRY
to know their responsibilities
Step 5 Understanding
that IG would be
an ongoing
initiative and not
just a one- time
project
The members should stay up-to-date regarding
the regulations, employee participation and
company needs. A proactive environment must be
created against any negative occurrence like data
breach, security issues, data loss and many more.
This should be done in order to take instant action
on these occurrences and change them.
2 weeks
Table 1: plan for designing and implementing the IG program

6PAYMENT CARD INDUSTRY
References
Clapper, D., & Richmond, W. (2016). Small business compliance with PCI DSS. Journal of
Management Information and Decision Sciences, 19(1), 54.
Gaynor, M., Bass, C., &Duepner, B. (2015). A tale of two standards: strengthening HIPAA
security regulations using the PCI-DSS. Health Systems, 4(2), 111-123.
Piazza, M., Fernandes, J., Anderson, J., & Olmsted, A. (2016, October). Cloud payment
processing without ritualistic sacrifices reducing PCI-DSS risk surface with thin
clients. In Information Society (i-Society), 2016 International Conference on (pp. 166-
168). IEEE.
Porter, J. (2017). Evaluating and designing a network and information security solution for a
company in accordance with PCI DSS.
Schulze, R. (2018, June). Identity and Access Management for Cloud Services Used by the
Payment Card Industry. In International Conference on Cloud Computing (pp. 206-
218). Springer, Cham.
Ukidve, A., SMantha, D. S., &Tadvalkar, M. (2017). Analysis of Payment Card Industry
Data Security Standard &91; PCI DSS&93; Compliance by Confluence of COBIT 5
Framework. International Journal of Engineering Research and Applications, 7(1),
42-48.
Williams, B. L. (2016). Information Security Policy Development for Compliance: ISO/IEC
27001, NIST SP 800-53, HIPAA Standard, PCI DSS V2. 0, and AUP V5. 0. Auerbach
Publications.
Wilson, D., Roman, E., &Beierly, I. (2018). PCI DSS and card brands: Standards,
compliance and enforcement. Cyber Security: A Peer-Reviewed Journal, 2(1), 73-82.