4 responses 04/01
Ram Work:
PCI compliance refers to the Payment Card Industry Data Security Standard, which is the set of security regulation standards related to payment cardholders and card information security. If a company stores this kind of payment information, it needs to comply with the PCI standard. Some of the PCI standards' general requirements are building and maintaining a secure network, where it is mandatory to install and maintain a good firewall to protect the data from any attacks. It is also good to change the passwords and any security login details provided by the vendors.
It is also necessary to keep the non-production systems that store card data safe. Also, there should be explicit instructions for handling access authorization on the SQL Server. There are two different kinds of authentication available for SQL Server: the first one is Windows authentication and the second is SQL Server authentication, and of these, Windows authentication is way less vulnerable to attacks. Still, SQL Server authentication can use a response when validating authentication attempts. For the admins to have complete control over the data, any action the individual takes should have all the privileges and access. "The reason behind the creation of PCI standards was as a way of ensuring that a larger control of these credit card information was given to retailers so that these retailers can perform procedures and steps which will prevent both theft and fraud of data" (Bonner et al., 2011). You need to stick to these standards if you are a retailer handling credit card information. One of the ways this is ensured is the imposition of heavy penalties for non-compliance. To ensure enforcement, the company, IT, database, and legal departments collaboratively try very hard. These four groups are very different and never talk to each other, and that may be a problem. DBAs are legally binding even because they intend to be sold, and are typically even accepted for software procurement in the contract language. "As if achieving PCI compliance wasn't complex enough on its own, maintaining compliance year-over-year and keeping up with ever-evolving nuances to PCI data security standards has proven itself a perpetual expense and burden to any organization" (Brereton, 2020).
The effect of regulatory PCI compliance on database administration is unique. The DBA is not liable for compliance design and execution, but their role is impacted by applications and responsibilities relevant to enforcement. The critical impact of compliance on the DBA is assessing, deploying, and managing compliance technologies, especially for data and the DBMS. PCI-related activities involve the maintenance of information, data integrity, the auditing and data exposure of records, the masking and obscuring of records, long-term database preservation and archival, and better follow-up to standard DBA activities such as change management, backup, and recovery. Retailers that comply with PCI standards may experience attacks due to data breaches, which may be costly in terms of compromised credit cards, suspension, and even legal action against them. After understanding the general overview and the risk that accompanies PCI compliance, the DBA must address the three main categories to attain PCI compliance. Taking a free self-assessment questionnaire is the first step to identifying potential vulnerabilities in how credit card data is captured, stored, and transmitted within the payment environment (Clapper & Richmond, 2016).
References:
Bonner, E., O'Raw, J., & Curran, K. (2011). Implementing the Payment Card Industry (PCI) Data Security Standard (DSS). TELKOMNIKA (Telecommunication Computing Electronics and Control), 9(2), 365. https://doi.org/10.12928/telkomnika.v9i2.709
Brereton, L., Rana, A., Webb, D., H, J., & Wallace, T. (2020). PCI Compliance: Requirements Explained Checklist (2018). Retrieved from https://www.bigcommerce.com/blog/pci-compliance/#weve-successfully-achieved-pci-compliance-whats-next
Clapper, D., & Richmond, W. (2016). Small Business Compliance with PCI DSS. Journal of Management Information and Decision Sciences, 19(1), 54.
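An added check, not part of Ram's post or any cited source, that a DBA can run against a SQL Server instance to verify the two points the post raises: which authentication mode the instance is configured for, and whether SQL Server logins (including the vendor default `sa` login that PCI says should not keep its vendor-supplied defaults) enforce password policy and expiration. The login name `app_reader` in the remediation comment is a placeholder.

```sql
-- Added example (T-SQL), not from the post. Reports the authentication mode and
-- flags SQL Server logins that bypass password policy, plus an enabled 'sa'.

-- 1 = Windows authentication only; 0 = mixed mode (Windows + SQL Server logins).
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- SQL Server (non-Windows) logins: flag any without policy/expiration checks,
-- and report whether the built-in vendor 'sa' login is still enabled.
SELECT name,
       is_disabled,
       is_policy_checked,
       is_expiration_checked,
       CASE
           WHEN name = 'sa' AND is_disabled = 0 THEN 'vendor default login enabled'
           WHEN is_policy_checked = 0         THEN 'password policy not enforced'
           WHEN is_expiration_checked = 0     THEN 'password expiration not enforced'
           ELSE 'ok'
       END AS finding
FROM sys.sql_logins
ORDER BY finding, name;

-- Remediation for a flagged login ('app_reader' is a placeholder name):
-- ALTER LOGIN [app_reader] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
-- Disable the vendor default login once no process depends on it:
-- ALTER LOGIN [sa] DISABLE;
```

Running the first query in a change ticket gives the auditor the evidence for the authentication-mode control; the second query's `finding` column is the list of logins to fix.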
Dushyanth Work:
PCI Compliance to the Database Administrator at a Large Retailer
Retailers mainly under-emphasize the need for payment security due to the other challenges that they experience. They focus on sales generation and competitiveness in the sector, not realizing the importance of their payment systems (Graminga, 2018). They should realize that Payment Card Industry (PCI) data security rules can significantly influence their profitability. “These guidelines govern how retail stores properly handle credit card transactions, including: account numbers; card expiration dates; cardholder names; and card verification values (CVVs)” (Graminga, 2018). The collection, processing, and transmission of the data mentioned above require several steps to protect it from attack.
Non-compliance with the PCI guidelines can severely affect the firm’s operations. It exposes the retailer to credit card fraud or hefty fees and penalties by the agency (Graminga, 2018). Moreover, after data loss, the management might incur litigation and legal expenses after being summoned to court. It also leads to reduced consumer confidence in the retailer, since the customers feel unvalued (Graminga, 2018). Thus, the management should install the required IT resources to preserve its debit and credit card data.
Lakin (2018) asserts that, “It’s evident that hacking and online theft have become problematic for retail businesses more than ever.” Statistics show that several major retail brands have suffered from cyber attacks, where millions of their customers’ data were exposed. Some of the victims are the retailers Macy’s, Best Buy, and Forever 21, which have been in operation for a very long time (Lakin, 2018). Therefore, they failed to use their resources and experience in the retail industry to safeguard themselves from the strikes.
Analysts estimate that cyber attacks can lead to a 20% loss of the consumer base, even after the first hacking incident. Moreover, 50% of the consumers might take a very long time before shopping in the affected store again (Lakin, 2018). The waiting time can be more than a year, which the large retailer survives due to the large number of customers it has. “Luckily, there is a framework that has been created to help retailers lower their risk of cyber breach and secure the private credit card data that is passing through their systems” (Lakin, 2018). The implementation of PCI compliance assures customers that their data is safe and recoverable after attacks.
PCI DSS compliance allows organizations to adopt tight regulations on the storage and transmission of payment information. Therefore, the management assesses the payment environment, mitigates any detected vulnerabilities, and compiles data security reports after consultations with the stakeholders. It has to understand that, “The global payment security market size is expected to reach $43.76 billion by 2025, according to a new report by Grand View Research, Inc.” (Fasulo, 2019). Therefore, the compliance operations should be scaled upwards and motivate customers to adopt digital payment methods. The strategy will allow the retailers to prevent the occurrence of fraudulent transactions, since they can track data in real time (Fasulo, 2019). Moreover, it ensures that attacks like those staged on Worldpay in 2015 and on a South Korean payment infrastructure that claimed lots of consumer data.
References
Fasulo, P. (2019, September 6). Why the Retail Industry Needs to Improve PCI Compliance & Cybersecurity. Security Scorecard.
Graminga, K. (2018, April 16). Why PCI Compliance is Important for Retailers. My Total Retail.
Lakin, R. (2018, July 23). PCI Compliance Guide for Retailers. Iron Edge Group.