Explain the purpose of PCI DSS

MIS 680 Cyber Security Audit

Assignment 2

Student Name: __________________________________


Purpose

This project provides an opportunity for you to apply principles related to auditing to ensure information systems are in compliance with pertinent laws and regulations, as well as industry requirements.

Learning Objectives and Outcomes

You will be able to:

• Explain the purpose of PCI DSS

• Analyze business factors that influence PCI DSS compliance

• Describe potential consequences of failing to demonstrate PCI DSS compliance

• Apply standards and frameworks to the development of information security internal control systems

• Analyze the use of information security controls within IT infrastructure domains.

Required Source Information and Tools

The following tools and resources will be needed to complete this project:

§ Course textbook

§ Materials posted on Canvas

§ Access to the Internet to perform research for the project

§ PCI Security Standards Council: https://www.pcisecuritystandards.org

§ Important PCI Compliance Information for Merchants: http://www.pciassessment.org/pci-dss-framework/merchants

§ Other sources of information as you deem needed.

Deliverable Outcomes

As discussed in this course, IT Audit is an important process for all organizations. This is particularly true in information systems, which provide critical support for organizational missions. The heart of IT audit is a formal IT Audit management plan. The project activities described in this document allow you to fulfill the role of an employee participating in the PCI DSS IT Audit management process in a specific business situation.

Submission Requirements

All project submissions should follow STU’s standards and course syllabus format.

Scenario – PCI DSS Compliance Requirements

S&H Aquariums is a new online retailer that is about to begin selling aquariums and other items for aquarium hobbyists. In recent months, many companies have been featured in the news because of information security breaches that have exposed customers’ credit card data. S&H Aquariums’ management team is worried about the negative impact a potential breach could have on the company’s reputation and business standing.

S&H Aquariums has hired you, an information systems security expert, to ensure that the company is prepared to accept credit card payments for purchases made through the company’s Web site. To kick off the planning phase, the board of directors would like you to write a report explaining what the company will need to do to minimize risks to sensitive data and comply with applicable laws and regulations, as well as industry standards. In preparation, you sit down with the company’s president and discuss the following details:

• Per the company’s strategic plan, the company expects to have between 20,000 and 1,000,000 credit card transactions during the first year of operations. However, the board would like to know what differences to anticipate as the volume of credit card transactions grows in the coming years.

• The company will initially accept payments made with MasterCard and Visa only, but it may decide to accept other credit cards in the future.


• The board of directors is discussing the possibility of opening a bricks-and-mortar store in the future, and the board would like to consider any compliance-related issues prior to making that decision.

• The board consists of professionals from a variety of fields. It is unlikely that any of the board members are familiar with complex information security concepts or with PCI DSS, the set of requirements that prescribes operational and technical controls to protect cardholder data.

Tasks

• Review the information related to PCI DSS compliance provided in the course textbook and in the Internet resources listed for this project. Consider how this information relates to the description of S&H Aquariums provided in the scenario above.

• Write a report for S&H Aquariums’ board of directors. Include the following:

o Introduction

o PCI DSS Overview

• Include a discussion of the six principles, twelve primary requirements, and the sub-requirements of PCI DSS.

o Rationale

Explain why the company needs to address the PCI DSS requirements and describe potential consequences if the company is not able to demonstrate compliance.

o Immediate Considerations for PCI DSS Compliance

Analyze factors (including those introduced in the scenario above) that will influence S&H Aquariums’ immediate plans for PCI DSS compliance. Discuss payment brands (credit card companies), transaction volumes, merchant levels (i.e., 1 through 4), and types of reporting required in relation to S&H Aquariums’ business projections.

o Future Considerations for PCI DSS Compliance

• Analyze contingencies that may influence PCI DSS compliance in the future. Address potential questions from the board, including but not limited to:

• What would be expected of the company if credit card volume increases past 1,000,000 transactions in future years?

• What should S&H Aquariums do to demonstrate PCI DSS compliance if it begins to accept American Express or Discover?

• How would opening a bricks-and-mortar store affect the company’s responsibilities for PCI DSS compliance?

o Conclusion

• Describe the main key findings and key takeaways.

Submission Requirements:

• Format: Microsoft Word

• Font: Times New Roman, 12-point, double-spaced

• References: citation style must follow the APA style guide

• Length: 4 pages
