Question

Please discuss and explain the Payment Card Industry Standards(PCIS). Also discuss credit card security and give example of security/data breach. What happened and what was done to address the breach

Answer 1

The Payment Card Industry Data Security Standard (PCI DSS) is a commonly accepted set of policies and processes aimed at optimizing credit, debit and money card safety transactions and protecting cardholders from misuse of their private data. Four main credit card businesses developed the PCI DSS in 2004 together: Visa, MasterCard, Discover and American Express.

The PCI DSS specifies and develops six significant goals.

First, it is necessary to maintain a secure network in which transactions can be carried out. This requirement includes the use of cardholders or suppliers using firewalls that are robust enough to be efficient without causing undue inconvenience. There are specialized firewalls for wireless LANs that are extremely susceptible to malicious hackers ' eavesdropping and assaults. Furthermore, authentication data such as personal identification numbers (PINs) and passwords should not include vendor defaults. Customers should be able to alter such information comfortably and frequently.

Second, wherever it is stored, cardholder data must be shielded. Repositories should be safe against hacking with essential information such as birth dates, mother's maiden names, social security numbers, phone numbers and mailing addresses. When transmitting cardholder information via government networks, the information must be encrypted in an efficient manner. Digital encryption is essential for all types of credit card transactions, but especially for Internet-based e-commerce.

Third, by using frequently updated anti-virus software, anti-spyware programs, and other anti-malware solutions, systems should be shielded against malicious hackers ' operations. All apps should be free from bugs and vulnerabilities that could open the door to exploits that could stolen or alter cardholder information. To guarantee the greatest possible amount of vulnerability management, patches provided by software and operating system (OS) suppliers should be installed frequently.

Fourth, it is necessary to restrict and control access to system data and activities. Cardholders should not be required to provide business data unless those companies need to understand that data in order to safeguard themselves and perform a transaction efficiently. A distinctive and private identification name or number must be allocated to any individual using a laptop in the scheme. Both physically and electronically, cardholder information should be shielded. Examples include the use of document shredders, avoiding unnecessary duplication of paper documents, and dumpster locks and chains to deter criminals who would otherwise rummage through the garbage.

Fifth, networks must be tracked and tested on an ongoing basis to guarantee that all safety measures and procedures are in location, function correctly, and are kept up-to-date. For example, the latest definitions and signatures should be provided for anti-virusand anti-spyware programs. These programs should scan commonly, if not continually, all information exchanged, all applications, all random access memory (RAM) and all storage media.

Sixth, all participating organizations must define, maintain and follow a formal information security policy at all times. Implementing steps such as audits and penalties may be essential for non-compliance.

Security of credit cards:

Credit cards have a range of built-in fraud defenses and the financial sector is constantly creating better instruments to fight fraudsters. Here are today's two most popular safety measures in credit cards. Fraud monitoring One of the reasons why card firms track your expenditure is to catch fraud. Financial organizations create systems that automatically detect inconsistencies in client expenditure in order to prevent losses— as fraud costs banks cash.

If you use your card fraudulently, you probably won't be responsible either. Many banks and card suppliers— particularly big ones like Chase, Bank of America, Visa and Mastercard — offer fraud protection "zero liability." That implies you will not have to pay anything if your card is lost or robbed. Even if you owe cash for a fraudulent transaction, you can only be charged up to $50 in federal law regulations.

You may have recently received a fresh card from your card supplier with a shiny chip inside. If so, you got a chip card, also known as an EMV card. EMV stands for Europay, Visa and Mastercard.

A chip card is comparatively safe because each time it is used it encrypts account data differently. On a magstripe card, on the other hand, information is static, meaning it is easier for criminals and skimmers to obtain.

Worldwide, chip cards have been commonly accepted, but only now is the US following suit. Mostly the US adopts chip-and-signature cards to check your identity with which you register your name.

Meanwhile, many other countries use chip-and-PIN cards that require you to enter a personal ID number. As there is no signature to forge, chip-and-PIN cards are regarded to be safer.

Perhaps we will also upgrade to chip-and-PIN cards someday. We have at least a substantial upgrade from magstripe cards until then.

Credit card breaches:

British Airways may be the highest-profile event of this kind since 2018. Over 380,000 card payments to the airline were compromised in August / September. The hack affected customers who made online reservations, as well as the names of passengers and home addresses. How the violation happened in the first location was originally uncertain. But it was later found that on the company's website a script had been altered which sent client information to an internal database.

In brief, because of a small change that should have been spotted, this all occurred. And not the only one is British Airways. Fellow airline Cathay Pacific encountered a violation in a comparable event in March 2018. This hack led in the robbed of more than 850,000 passport numbers and a comparatively tiny amount of credit cards.

In the near future, we will look at what these breaches have in common. But the primary takeaway is that millions of online purchases are handled by enormous service suppliers every year. And exposing a huge quantity of information requires only a tiny safety supervision.

2. Saks and Lord & Taylor

This is not just a dangerous internet payment. Every buy in-store will jeopardize your credit card. And if that's the same loan card you're using online, a hack's impacts can be even more painful.

In early April 2018, a significant data breach was announced involving Hudson's Bay Co, Saks ' parent corporation, and Lord & Taylor. A group called JokerStash put up details of more than 5 million loan and debit cards for sale.

In fact, these card information came from physical payments in-store at places including the renowned Saks Fifth Avenue.

Although it appears that internet payment details have not been included, this event shows the potential hazards of getting your credit card information in so many separate databases.

3. Marriott Hotels

Because of safety problems with the Marriott hotel chain, up to half a billion individuals had their private data robbed. Moreover, it wasn't a one-off event. In reality, the information in question leaked from 2014 to 2018 over a four-year period. The victims were clients who remained at the Starwood Hotels and Resorts of the company, including Westin, Sheraton, St. Regis, and W Hotels.

The hack was so broad and the hotels ' inaction so glaring that more than 150 of those impacted have now filed a class action lawsuit. The suit focuses on both the level of safety used by the hotels, but also how long it took Marriott to tell customers that something was incorrect.

This specific infringement shows how hard it can be to understand when the details of your card have been broken. You're only likely to find out if: The business openly announces an infringement if you maintain a close eye on your purchases by credit card

4.Orbitz

Orbitz is a Skyscanner and Kayak-like travel reservation aggregator. Another well-known travel site, Expedia, bought it to boost the product variety of the latter.

"From 1 October 2017 to December 2017, the violation occurred when hackers accessed a legacy travel reservation platform and stole information worth two years from January 2016 and December 2017," including 880,000 credit cards.

In March 2018, the firm informed media and clients saying that at the moment of notification, the website in question was not the Orbitz.com live.

Perhaps more worryingly, American Express and other businesses using the Orbitz platform were also affected by the hack. This is a reminder that in one manner or another so many of the instruments and services we use are linked.

Therefore, merely modifying your bank account or credit card details on a single platform may not safeguard your company data from being used or stolen.

5. Panera Bakeries and cafés are likely not the typical targets for information hacks. But in August 2017, that's precisely what Panera endured.

This was actually defined more correctly as a "information leak" than a hack. For an extended period of time, the Panera website exposed millions of customer data in plain text format. It could be seen by any intelligent developer.

What makes this all worse is how this fact was treated by the business. "They are a master class in how not to act when faced with a predicament of cybersecurity," Fortune said.

Panera was advised in August 2017 about the potential for a data breach, but it took more than eight months to recognize and address the safety faults of the site. It originally accused the cyber security specialist who reported being a scammer and seems to have taken no short-term measures to solve stuff.

And the true icing on the cake was the reaction published by the public. It initially said that it affected only 10,000 customers. But reporter Brian Krebs ' inquiries suggest that the real amount could be 37 million clients.

For Panera, this entire event is particularly hideous, and it shows that the businesses with your credit card information are not always particularly interested in defending them.