Payment Card Industry Data Security Standard - Revision history

Manselnj: /* T.J. Maxx */

2007-12-06T18:18:38Z

T.J. Maxx

← Older revision		Revision as of 18:18, 6 December 2007
Line 90:		Line 90:

	====T.J. Maxx====		====T.J. Maxx====
-	~~[[Image:TJMaxxCustAlert.jpg\|frame\|center\|Figure 3: Notice to T.J.Maxx customers]]~~
	In Mid-December of 2006, the company computer systems were compromised and customer data was stolen. Everything from credit card numbers to street addresses were stolen from 45.7 million customers<SUP>[3]</SUP>. The attack did not come from the internet, but rather from an inadequate secure wireless network. As you can see from the screen shot of the [http://www.tjmaxx.com/index.asp T.J.Maxx website] figure 3, this even it still affecting the company today, December of 2007. The highlighted link links to an explanation to the customers about what happened, why it happened and what steps are being taken to fix the problem.		In Mid-December of 2006, the company computer systems were compromised and customer data was stolen. Everything from credit card numbers to street addresses were stolen from 45.7 million customers<SUP>[3]</SUP>. The attack did not come from the internet, but rather from an inadequate secure wireless network. As you can see from the screen shot of the [http://www.tjmaxx.com/index.asp T.J.Maxx website] figure 3, this even it still affecting the company today, December of 2007. The highlighted link links to an explanation to the customers about what happened, why it happened and what steps are being taken to fix the problem.
	<BR>		<BR>
	As a direct result of this, the PCI DSS was updated to included better guidelines about wireless networks. Specifically, section 4.1.1 added specifications about implementing Wireless Encryption Protocol Correctly and provided better guidelines for key rotation. For Specifics, see https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf.		As a direct result of this, the PCI DSS was updated to included better guidelines about wireless networks. Specifically, section 4.1.1 added specifications about implementing Wireless Encryption Protocol Correctly and provided better guidelines for key rotation. For Specifics, see https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf.
		+	[[Image:TJMaxxCustAlert.jpg\|frame\|center\|Figure 3: Notice to T.J.Maxx customers]]

	== References ==		== References ==

Manselnj: /* T.J. Maxx */

2007-12-06T18:18:02Z

T.J. Maxx

← Older revision		Revision as of 18:18, 6 December 2007
Line 90:		Line 90:

	====T.J. Maxx====		====T.J. Maxx====
-	[Image:TJMaxxCustAlert.jpg\|frame\|~~right~~\|Figure 3: Notice to T.J.Maxx customers]	+	[[Image:TJMaxxCustAlert.jpg\|frame\|center\|Figure 3: Notice to T.J.Maxx customers]]
	In Mid-December of 2006, the company computer systems were compromised and customer data was stolen. Everything from credit card numbers to street addresses were stolen from 45.7 million customers<SUP>[3]</SUP>. The attack did not come from the internet, but rather from an inadequate secure wireless network. As you can see from the screen shot of the [http://www.tjmaxx.com/index.asp T.J.Maxx website] figure 3, this even it still affecting the company today, December of 2007. The highlighted link links to an explanation to the customers about what happened, why it happened and what steps are being taken to fix the problem.		In Mid-December of 2006, the company computer systems were compromised and customer data was stolen. Everything from credit card numbers to street addresses were stolen from 45.7 million customers<SUP>[3]</SUP>. The attack did not come from the internet, but rather from an inadequate secure wireless network. As you can see from the screen shot of the [http://www.tjmaxx.com/index.asp T.J.Maxx website] figure 3, this even it still affecting the company today, December of 2007. The highlighted link links to an explanation to the customers about what happened, why it happened and what steps are being taken to fix the problem.
	<BR>		<BR>

Manselnj at 18:17, 6 December 2007

2007-12-06T18:17:44Z

← Older revision		Revision as of 18:17, 6 December 2007
Line 1:		Line 1:
-	~~NOTE: This is currently a very rough draft. I have 2 exams this week and will be making the final draft in one week (12/9/07)~~
-	~~<BR><BR>~~
	The Payment Card Industry Data Security Standard (PCI DSS) is a security document created by the Payment Card Industry Security Standards Council (PCI SSC) in order to unify the security requirements of the Payment Card Industry. In order to tie this in with what was taught in [http://www.cas.mcmaster.ca/~wmfarmer/CS-3IS3-07 Comp Sci 3IS3] (taught at [http://www.mcmaster.ca McMaster University]), the PCI DSS will be presented as an Industry Wide Security Policy and as such will be evaluated by tracing its development through the Security Life Cycle. The first step in the Security Life Cycle is to identify threats. The main threat to the PCI is that of Card Holder data being stolen. The next step is Policy Creation. In order to create one coherent document for Merchants to follow, the five major brands of the PCI (Visa, Mastercard, American Express, Discover and JCB) formed the Payment Card Industry Security Standards Council (PCI SSC). Next comes the requirements specifications. The PCI SSC created a detailed document of 12 major requirements for Merchants and any company which deals with Card Holder data to comply with. These requirements focused on the ability of the Merchant to protect Card Holder data, in both electronic and physical form. The next phase includes the design and implementation of a security system to enforce the afore stated requirements. For a company wide security policy, this is possible. However, for an industry wide security policy it does not make sense to specify implementation because of varying Merchant sizes. Finally comes the Operation and Maintenance phase. The operation of each Merchants security system depends on their implementation of the requirements stated in the PCI DSS. These operations can be assured to be PCI DSS compliant through the use of QSA's and ASV's. The important part of this phase is the Maintenance part. The PCI DSS has gone through a few updates since it's creation as direct results of problems with the first version of it or new security issues that may have arisen.		The Payment Card Industry Data Security Standard (PCI DSS) is a security document created by the Payment Card Industry Security Standards Council (PCI SSC) in order to unify the security requirements of the Payment Card Industry. In order to tie this in with what was taught in [http://www.cas.mcmaster.ca/~wmfarmer/CS-3IS3-07 Comp Sci 3IS3] (taught at [http://www.mcmaster.ca McMaster University]), the PCI DSS will be presented as an Industry Wide Security Policy and as such will be evaluated by tracing its development through the Security Life Cycle. The first step in the Security Life Cycle is to identify threats. The main threat to the PCI is that of Card Holder data being stolen. The next step is Policy Creation. In order to create one coherent document for Merchants to follow, the five major brands of the PCI (Visa, Mastercard, American Express, Discover and JCB) formed the Payment Card Industry Security Standards Council (PCI SSC). Next comes the requirements specifications. The PCI SSC created a detailed document of 12 major requirements for Merchants and any company which deals with Card Holder data to comply with. These requirements focused on the ability of the Merchant to protect Card Holder data, in both electronic and physical form. The next phase includes the design and implementation of a security system to enforce the afore stated requirements. For a company wide security policy, this is possible. However, for an industry wide security policy it does not make sense to specify implementation because of varying Merchant sizes. Finally comes the Operation and Maintenance phase. The operation of each Merchants security system depends on their implementation of the requirements stated in the PCI DSS. These operations can be assured to be PCI DSS compliant through the use of QSA's and ASV's. The important part of this phase is the Maintenance part. The PCI DSS has gone through a few updates since it's creation as direct results of problems with the first version of it or new security issues that may have arisen.

Line 92:		Line 90:

	====T.J. Maxx====		====T.J. Maxx====
		+	[Image:TJMaxxCustAlert.jpg\|frame\|right\|Figure 3: Notice to T.J.Maxx customers]
	In Mid-December of 2006, the company computer systems were compromised and customer data was stolen. Everything from credit card numbers to street addresses were stolen from 45.7 million customers<SUP>[3]</SUP>. The attack did not come from the internet, but rather from an inadequate secure wireless network. As you can see from the screen shot of the [http://www.tjmaxx.com/index.asp T.J.Maxx website] figure 3, this even it still affecting the company today, December of 2007. The highlighted link links to an explanation to the customers about what happened, why it happened and what steps are being taken to fix the problem.		In Mid-December of 2006, the company computer systems were compromised and customer data was stolen. Everything from credit card numbers to street addresses were stolen from 45.7 million customers<SUP>[3]</SUP>. The attack did not come from the internet, but rather from an inadequate secure wireless network. As you can see from the screen shot of the [http://www.tjmaxx.com/index.asp T.J.Maxx website] figure 3, this even it still affecting the company today, December of 2007. The highlighted link links to an explanation to the customers about what happened, why it happened and what steps are being taken to fix the problem.
	<BR>		<BR>

Manselnj: /* T.J. Maxx */

2007-12-06T18:13:35Z

T.J. Maxx

← Older revision		Revision as of 18:13, 6 December 2007
Line 92:		Line 92:

	====T.J. Maxx====		====T.J. Maxx====
-	In Mid-December of 2006, the company computer systems were compromised and customer data was stolen. Everything from credit card numbers to street addresses were stolen from 45.7 million customers<SUP>[3]</SUP>. The attack did not come from the internet, but rather from an inadequate secure wireless network. As you can see from the screen shot of the [http://www.tjmaxx.com/index.asp \| T.J.Maxx website] figure 3, this even it still affecting the company today, December of 2007. The highlighted link links to an explanation to the customers about what happened, why it happened and what steps are being taken to fix the problem.	+	In Mid-December of 2006, the company computer systems were compromised and customer data was stolen. Everything from credit card numbers to street addresses were stolen from 45.7 million customers<SUP>[3]</SUP>. The attack did not come from the internet, but rather from an inadequate secure wireless network. As you can see from the screen shot of the [http://www.tjmaxx.com/index.asp T.J.Maxx website] figure 3, this even it still affecting the company today, December of 2007. The highlighted link links to an explanation to the customers about what happened, why it happened and what steps are being taken to fix the problem.
	<BR>		<BR>
	As a direct result of this, the PCI DSS was updated to included better guidelines about wireless networks. Specifically, section 4.1.1 added specifications about implementing Wireless Encryption Protocol Correctly and provided better guidelines for key rotation. For Specifics, see https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf.		As a direct result of this, the PCI DSS was updated to included better guidelines about wireless networks. Specifically, section 4.1.1 added specifications about implementing Wireless Encryption Protocol Correctly and provided better guidelines for key rotation. For Specifics, see https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf.

Manselnj: /* T.J. Maxx */

2007-12-06T18:13:21Z

T.J. Maxx

← Older revision		Revision as of 18:13, 6 December 2007
Line 92:		Line 92:

	====T.J. Maxx====		====T.J. Maxx====
-	In Mid-December of 2006, the company computer systems were compromised and customer data was stolen. Everything from credit card numbers to street addresses were stolen from 45.7 million customers<SUP>[3]</SUP>. The attack did not come from the internet, but rather from an inadequate secure wireless network. As you can see from the screen shot of the [T.J.Maxx website] figure 3, this even it still affecting the company today, December of 2007. The highlighted link links to an explanation to the customers about what happened, why it happened and what steps are being taken to fix the problem.	+	In Mid-December of 2006, the company computer systems were compromised and customer data was stolen. Everything from credit card numbers to street addresses were stolen from 45.7 million customers<SUP>[3]</SUP>. The attack did not come from the internet, but rather from an inadequate secure wireless network. As you can see from the screen shot of the [http://www.tjmaxx.com/index.asp \| T.J.Maxx website] figure 3, this even it still affecting the company today, December of 2007. The highlighted link links to an explanation to the customers about what happened, why it happened and what steps are being taken to fix the problem.
	<BR>		<BR>
	As a direct result of this, the PCI DSS was updated to included better guidelines about wireless networks. Specifically, section 4.1.1 added specifications about implementing Wireless Encryption Protocol Correctly and provided better guidelines for key rotation. For Specifics, see https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf.		As a direct result of this, the PCI DSS was updated to included better guidelines about wireless networks. Specifically, section 4.1.1 added specifications about implementing Wireless Encryption Protocol Correctly and provided better guidelines for key rotation. For Specifics, see https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf.

Manselnj: /* T.J. Maxx */

2007-12-06T18:12:38Z

T.J. Maxx

← Older revision		Revision as of 18:12, 6 December 2007
Line 92:		Line 92:

	====T.J. Maxx====		====T.J. Maxx====
-	In Mid-December of 2006, the company computer systems were compromised and customer data was stolen. Everything from credit card numbers to street addresses were stolen from 45.7 million customers<SUP>[3]</SUP>. The attack did not come from the internet, but rather from an inadequate secure wireless network. As you can see from figure 3, this even it still affecting the company today, December of 2007. The highlighted link links to an explanation to the customers about what happened, why it happened and what steps are being taken to fix the problem.	+	In Mid-December of 2006, the company computer systems were compromised and customer data was stolen. Everything from credit card numbers to street addresses were stolen from 45.7 million customers<SUP>[3]</SUP>. The attack did not come from the internet, but rather from an inadequate secure wireless network. As you can see from the screen shot of the [T.J.Maxx website] figure 3, this even it still affecting the company today, December of 2007. The highlighted link links to an explanation to the customers about what happened, why it happened and what steps are being taken to fix the problem.
	<BR>		<BR>
	As a direct result of this, the PCI DSS was updated to included better guidelines about wireless networks. Specifically, section 4.1.1 added specifications about implementing Wireless Encryption Protocol Correctly and provided better guidelines for key rotation. For Specifics, see https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf.		As a direct result of this, the PCI DSS was updated to included better guidelines about wireless networks. Specifically, section 4.1.1 added specifications about implementing Wireless Encryption Protocol Correctly and provided better guidelines for key rotation. For Specifics, see https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf.

Manselnj: /* See Also */

2007-12-06T18:10:30Z

Manselnj at 03:22, 6 December 2007

2007-12-06T03:22:17Z

← Older revision		Revision as of 03:22, 6 December 2007
Line 15:		Line 15:
	== Security Life Cycle ==		== Security Life Cycle ==
	<BR>		<BR>
-	[[Image:SecurityLifyCycle.GIF\|frame\|right\|Figure 1: The Security Life Cycle[1]]]	+	[[Image:SecurityLifyCycle.GIF\|frame\|right\|Figure 1: The Security Life Cycle<SUP>[1]</SUP>]]
	The Security Life Cycle consists of the following phases: Threats, Policy, Specification, Design, Implementation and Operation and Maintenance (See Figure 1). As you can see, the security life cycle relies heavily upon later phases giving input to previous phases so that they can be updated. This keeps the security system up to date and hence keeps what the security system is protecting more secure too.		The Security Life Cycle consists of the following phases: Threats, Policy, Specification, Design, Implementation and Operation and Maintenance (See Figure 1). As you can see, the security life cycle relies heavily upon later phases giving input to previous phases so that they can be updated. This keeps the security system up to date and hence keeps what the security system is protecting more secure too.
	----		----
Line 23:		Line 23:
	<P>This security threat directly affects the Payment Card Industry because if cardholders don't trust that their information is secure, then they will not use their credit cards and hence the payment card vendors loose business. This is why the Payment Card Industry is moving forward with their industry wide standard for security, the Payment Card Industry Data Security Standard.</P>		<P>This security threat directly affects the Payment Card Industry because if cardholders don't trust that their information is secure, then they will not use their credit cards and hence the payment card vendors loose business. This is why the Payment Card Industry is moving forward with their industry wide standard for security, the Payment Card Industry Data Security Standard.</P>
	<BR>		<BR>
-	[[Image:PCICouncil.JPG\|frame\|right\|Formation of the PCI SSC]]	+	[[Image:PCICouncil.JPG\|frame\|right\|Figure 2: Formation of the PCI SSC]]
	----		----
	=== Policy Creation===		=== Policy Creation===
Line 92:		Line 92:

	====T.J. Maxx====		====T.J. Maxx====
-	In Mid-December of 2006, the company computer systems were compromised and customer data was stolen. Everything from credit card numbers to street addresses were stolen from 45.7 million customers. The attack did not come from the internet, but rather from an inadequate secure wireless network. As you can see from figure 3, this even it still affecting the company today, December of 2007. The highlighted link links to an ~~explaination~~ to the customers about what happened, why it happened and what steps are being taken to fix the problem.	+	In Mid-December of 2006, the company computer systems were compromised and customer data was stolen. Everything from credit card numbers to street addresses were stolen from 45.7 million customers<SUP>[3]</SUP>. The attack did not come from the internet, but rather from an inadequate secure wireless network. As you can see from figure 3, this even it still affecting the company today, December of 2007. The highlighted link links to an explanation to the customers about what happened, why it happened and what steps are being taken to fix the problem.
	<BR>		<BR>
-	As a direct result of this, the PCI DSS was updated to included better guidelines about wireless networks. Specifically, section 4.1.1 added specifications about implementing Wireless Encryption ~~Protocall~~ Correctly and provided better guidelines for key rotation. For Specifics, see https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf.	+	As a direct result of this, the PCI DSS was updated to included better guidelines about wireless networks. Specifically, section 4.1.1 added specifications about implementing Wireless Encryption Protocol Correctly and provided better guidelines for key rotation. For Specifics, see https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf.

	== References ==		== References ==

Manselnj at 03:19, 6 December 2007

2007-12-06T03:19:22Z

← Older revision		Revision as of 03:19, 6 December 2007
Line 15:		Line 15:
	== Security Life Cycle ==		== Security Life Cycle ==
	<BR>		<BR>
-	[[Image:SecurityLifyCycle.GIF\|frame\|right\|Figure 1: The Security Life Cycle]]	+	[[Image:SecurityLifyCycle.GIF\|frame\|right\|Figure 1: The Security Life Cycle[1]]]
	The Security Life Cycle consists of the following phases: Threats, Policy, Specification, Design, Implementation and Operation and Maintenance (See Figure 1). As you can see, the security life cycle relies heavily upon later phases giving input to previous phases so that they can be updated. This keeps the security system up to date and hence keeps what the security system is protecting more secure too.		The Security Life Cycle consists of the following phases: Threats, Policy, Specification, Design, Implementation and Operation and Maintenance (See Figure 1). As you can see, the security life cycle relies heavily upon later phases giving input to previous phases so that they can be updated. This keeps the security system up to date and hence keeps what the security system is protecting more secure too.
	----		----
Line 22:		Line 22:

	<P>This security threat directly affects the Payment Card Industry because if cardholders don't trust that their information is secure, then they will not use their credit cards and hence the payment card vendors loose business. This is why the Payment Card Industry is moving forward with their industry wide standard for security, the Payment Card Industry Data Security Standard.</P>		<P>This security threat directly affects the Payment Card Industry because if cardholders don't trust that their information is secure, then they will not use their credit cards and hence the payment card vendors loose business. This is why the Payment Card Industry is moving forward with their industry wide standard for security, the Payment Card Industry Data Security Standard.</P>
		+	<BR>
	[[Image:PCICouncil.JPG\|frame\|right\|Formation of the PCI SSC]]		[[Image:PCICouncil.JPG\|frame\|right\|Formation of the PCI SSC]]
	----		----

Manselnj at 03:18, 6 December 2007

2007-12-06T03:18:19Z

← Older revision		Revision as of 03:18, 6 December 2007
Line 16:		Line 16:
	<BR>		<BR>
	[[Image:SecurityLifyCycle.GIF\|frame\|right\|Figure 1: The Security Life Cycle]]		[[Image:SecurityLifyCycle.GIF\|frame\|right\|Figure 1: The Security Life Cycle]]
-	~~<BR>~~
	The Security Life Cycle consists of the following phases: Threats, Policy, Specification, Design, Implementation and Operation and Maintenance (See Figure 1). As you can see, the security life cycle relies heavily upon later phases giving input to previous phases so that they can be updated. This keeps the security system up to date and hence keeps what the security system is protecting more secure too.		The Security Life Cycle consists of the following phases: Threats, Policy, Specification, Design, Implementation and Operation and Maintenance (See Figure 1). As you can see, the security life cycle relies heavily upon later phases giving input to previous phases so that they can be updated. This keeps the security system up to date and hence keeps what the security system is protecting more secure too.
	----		----

← Older revision		Revision as of 18:10, 6 December 2007
Line 111:		Line 111:

	== See Also ==		== See Also ==
-	[[~~Electronic Voting Systems]]<BR>~~	+	[[Random Number Generators and Information Security]]<BR>
-	~~[[Social engineering]]<BR>~~	+
-	~~[[Piggybacking]]<BR>~~	+
-	~~[[Identity Theft]]<BR>~~	+
-	~~[[The Mitnick attack~~]]<BR>	+
	[[Security and Storage Mediums]]<BR>		[[Security and Storage Mediums]]<BR>
-	[[~~Operating Systems Security~~]]<BR>	+	[[Piggybacking]]<BR>
	[[Honeypot]]<BR>		[[Honeypot]]<BR>
-	[[Smart Card ~~technology~~ to ~~prevent fraud~~]]<BR>	+	[[Biometric Systems Regarding Security Design Principle]]<BR>
		+	[[Phishing]]<BR>
		+	[[Email Security]]<BR>
		+	[[Biometrics in Information Security]]<BR>
		+	[[Smart Card Technology to Prevent Fraud]]<BR>
		+	[[Electronic Voting Systems]]<BR>
		+	[[Anti-spam systems and techniques]]<BR>
		+	[[The Mitnick Attack]]<BR>
		+	[[Operating Systems Security]]<BR>
		+	[[Autocomplete]]<BR>
		+	[[Internet Cookies and Confidentiality]]<BR>
		+	[[Social Engineering]]<BR>
		+	[[Identity Theft]]<BR>
		+	[[Information Security Awareness]]

	[[User:Manselnj\|Manselnj]] 11:54, 5 December 2007 (EST)		[[User:Manselnj\|Manselnj]] 11:54, 5 December 2007 (EST)