Case Study

Lab #3 – Case Study on PCI DSS Non-Compliance: CardSystems Solutions
Lab Assessment Questions
Answer the following questions pertinent to the CardSystems Solutions privacy data loss and noncompliance with the PCI DSS standard.
1. Did CardSystems Solutions break any federal or state laws?
2. CardSystems Solutions claims to have hired an auditor to assess compliance with PCI DSS and other best practices for ensuring the C-I-A of privacy data for credit card transaction processing. Assuming the auditor did indeed perform a PCI DSS security compliance assessment, what is your assessment of the auditor’s findings?
3. Can CardSystems Solutions sue the auditor for not performing his or her tasks and deliverables with accuracy? Do you recommend that CardSystems Solutions pursue this avenue?
4. Who do you think is negligent in this case study and why?
5. Do the actions of CardSystems Solutions warrant an “unfair trade practice” designation as stated by the Federal Trade Commission (FTC)?

6. What security policies do you recommend to help with monitoring, enforcing, and ensuring PCI DSS compliance?
7. What security controls and security countermeasures do you recommend for CardSystems Solutions to be in compliance with PCI DSS requirements?
8. What was the end result of the attack and security breach to CardSystems Solutions and its valuation?
9. What are the possible consequences associated with the data loss?
10. Who do you think is ultimately responsible for CardSystems Solutions' lack of PCI DSS compliance?
11. What should CardSystems have done to mitigate possible SQL injection attacks and data breaches on its credit card transaction processing engine?

12. Which requirement definition within the PCI DSS standard would penetration testing and SQL injection attacks be part of?
13. Which requirement definition within the PCI DSS standard would require the creation and implementation of information system security policies?
14. True or False. Although CardSystems had proper security controls and security countermeasures in place, it was not 100% PCI DSS compliant because it failed to properly implement ongoing monitoring and testing on its development and production systems.
15. True or False. Although the PCI DSS standard does not specifically mention web application testing and penetration testing with a back-end SQL database, this is implied in the Regularly Monitor & Test Networks section of the standard with Requirements 10 & 11 and is considered a best practice when implementing a new public facing credit card transaction processing system.
