Management of Information Security

Unit 5 Assignment: Redesigning HGA's Network

April 16, 2013

IT540 - 01: Management of Information Security

Table of Contents

Abstract.........................................................................................................3

Part I: PCI Compliance....................................................................................................................4

A. Scenario...............................................................................................................................4

B. PCI Compliance..................................................................................................................4

Part II: Redesigning HGA's Network for PCI Compliance............................................................5

A. Suppose HGA's mainframe stored cardholder data in the private databases. What steps should be taken to protect it and make the data PCI Compliant?

B. How should data be protected in transmission?

C. Access controls to restrict unauthorized use.

D. Segmenting the network for PCI Compliance.

Conclusion

References

Abstract

The assignment for unit five is twofold. The first part of the assignment will deal with a Point of Sale (POS) transaction and its aftermath. The goal of this first part is to determine if the events in the described scenario are Payment Card Industry (PCI) compliant. The second part of the assignment also covers PCI as it pertains to HGA's Network. The goal of this second part is to answer four questions and determine if HGA's network is already compliant or what can be done to make it compliant.

Unit 5 Assignment: Redesigning HGA's Network

Part I: PCI Compliance

Scenario:

You visit a retail establishment, shop around, and finally carry several products to one of the point of sale (POS) terminals distributed openly around the store. You produce a credit card, the sales clerk process the transaction, bags your goods, and hands you the receipt. On your to the exit, a store employee asks to see your receipt and checks the contents of the store bag. Document each of the major events just described and explain them in terms of the PCI compliance standard. Include this report in your weekly assignment.

PCI Compliance

PCI was created by the major credit card issuers, such as MasterCard, Visa, etc. The purpose of PCI standards are to "protect personal information and ensure security when transactions are processed using a payment card" (Practical e-commerce, 2007). The previous scenario contains many things that are critical in PCI compliance.

The sales clerk should begin the transaction by logging in with their own unique password, which would be in compliance with the PCI Standard: Implement Strong Access Control Measures; Requirement 8 (Assign a unique ID to each person with computer access). The data contained on the card should not be readable to the sales clerk which would also be compliant with Implementing Strong Access Control Measures; Requirement 7 (Restrict access to cardholder data by business need-to-know). The receipt that is given to you by the sales clerk should contain only the last four digits of the card number, for example; XXXX XXXX XXXX 1234. This is also PCI compliant according to Requirements 7 and 9 (Restrict physical access to cardholder data). The store copy (if there is one) should be secured in a safe location or saved to the database that is secure (Protect Cardholder Data, Requirement 3: Protect stored cardholder data). The person who is looking at your receipt upon exiting the store should not be able to see any cardholder data.

Part II: Redesigning HGA's Network for PCI Compliance

Suppose HGA's mainframe stored cardholder data in the private databases. What steps should be taken to protect it and make the data PCI Compliant?

HGA is not compliant with the very first section of the PCI Standards, build and maintain a secure network, Requirement 1 states to install and maintain a firewall and router configuration to protect cardholder data. The network diagram provided does not contain a firewall, a DMZ, or provide any measures that show if any of the equipment is secure. The following steps need to be taken:

1. All equipment needs to be located in a secure area with limited access. An ID swipe card will need to be used to access the room and only select personnel such as IT staff and managers will be able to gain access. The room will contain proper safety

...