|
|
Historical background of PCI DSS, such as the history of payments in the U.S., the introduction of the Payment Card Industry Security Standards Council, and other general points of knowledge that help to set the tone for the Project.
|
|
|
Describe some of the challenges that the three main stakeholders of payment card systems—i.e., payment card companies (Visa, MasterCard, et al), merchants and vendors (small, large, online, brick-and-mortar), and consumers—face vis-à-vis technologies, business challenges, and legal challenges within the PCI domain.
|
|
|
Research and discuss the first of six “control objectives,” each of which includes numerous requirements:
· Build and Maintain a Secure Network and Systems
a. Install and maintain a firewall configuration to protect cardholder data
b. Do not use vendor-supplied defaults for system passwords and other security parameters
|
|
|
Research and discuss the second of six “control objectives,” each of which includes numerous requirements:
· Protect Cardholder Data
a. Protect stored cardholder data
b. Encrypt transmission of cardholder data across open, public networks
|
|
|
Research and discuss the third of six “control objectives,” each of which includes numerous requirements:
· Maintain a Vulnerability Management Program
a. Protect all systems against malware and regularly update anti-virus software or programs
b. Develop and maintain secure systems and applications
|
|
|
Research and discuss the fourth of six “control objectives,” each of which includes numerous requirements:
· Implement Strong Access Control Measures
a. Restrict access to cardholder data by business need-to-know
b. Identify and authenticate access to system components
c. Restrict physical access to cardholder data
|
|
|
Research and discuss the fifth of six “control objectives,” each of which includes numerous requirements:
· Regularly Monitor and Test Networks
a. Track and monitor all access to network resources and cardholder data
b. Regularly test security systems and processes
|
|
|
Research and discuss the sixth of six “control objectives,” each of which includes numerous requirements:
· Maintain an Information Security Policy
a. Maintain a policy that addresses information security for all personnel
|
|
|
There are fewer better ways to help understand these complex guidelines, from a practical perspective, than to learn about how “real world” stakeholders have dealt with them. Research and discuss an actual scenario in which a PCI stakeholder has dealt with, or failed to comply with, PCI DSS. Tell us some stories. Your subjects is: (1) an online retailer.
|
|
|
There are fewer better ways to help understand these complex guidelines, from a practical perspective, than to learn about how “real world” stakeholders have dealt with them. Research and discuss an actual scenario in which a PCI stakeholder has dealt with, or failed to comply with, PCI DSS. Tell us some stories. Your subjects is: (2) a small, local business (such as a barber shop, bookstore, or restaurant).
|
|
|
There are fewer better ways to help understand these complex guidelines, from a practical perspective, than to learn about how “real world” stakeholders have dealt with them. Research and discuss an actual scenario in which a PCI stakeholder has dealt with, or failed to comply with, PCI DSS. Tell us some stories. Your subjects is: (3) a law firm, large or small.
|
|
|
Next comes some analysis. Examine and discuss PCI DSS in a limited, albeit complementary, way. Look specifically at Kentucky’s laws, regulations, and business practices in order to examine PCI DSS from a state-level perspective. Are there other Kentucky laws that govern payment cards? What Kentucky laws implicate PCI DSS? What are some things that Kentucky business leaders need to be aware of when they accept payment cards at their establishments?
|
|
MY PROJECT
|
In further analyzing PCI DSS, and without necessarily homing in on Kentucky stakeholders, what other American laws or regulations might relate to, implicate, or otherwise find a nexus with PCI DSS? Here, the audience needs to understand, as you will, that PCI DSS does not operate in a vacuum. Rather, like most of what we’ll learn in ISOL 633, there are numerous laws, regulations, and other governing principles that interact with PCI DSS to form an overall governance model.
|
|
|
Examine and explain what’s wrong with PCI DSS. Has it become outdated or irrelevant in some way, or is it lagging behind modern technologies? Also, examine and explain what is on the horizon for PCI DSS stakeholders, especially for the merchants and vendors?
|