You visit a retail establishment, shop around, and finally carry several products to one of the point of sale (POS) terminals distributed openly around the store. You produce a credit card, the sales clerk processes the transaction, bags your goods, and hands you the receipt. On your way to the exit, a store employee asks to see your receipt and checks the contents of the store bag. Document each of the major events just described and explain them in terms of the PCI compliance standard. Include this report in your weekly assignment. After carefully reviewing the above scenario, I will list the major events as shopping, checking out, paying, and leaving the premises. In compliance with PCI, the first phase, which is shopping, …
It suggests that, to keep the data safe, the hard drives in the main server should be fully encrypted using Microsoft BitLocker. BitLocker uses the Trusted Platform Module (TPM) chip on the motherboard to protect the disk encryption key (Microsoft, n.d.). The TPM adds protection by holding the key in tamper-resistant hardware and releasing it to the operating system at start-up only if the measured boot components have not changed. If the boot environment has been altered, for example because the OS or boot loader was tampered with, the TPM will not release the key and BitLocker enters recovery mode, which requires the 48-digit recovery password before the volume can be unlocked (Microsoft, n.d.). Note that the volume is decrypted transparently once the system has booted, so BitLocker protects cardholder data at rest on a lost, stolen or powered-off drive; it does not protect against an attacker who already has access to the running system, which is why the access controls below are still needed. With the encryption in place, the HGA database is now compliant …
Passwords must be changed at forced intervals, and accounts must be locked out after repeated failed login attempts. Passwords should be rendered unreadable in storage and transmission (stored hashed, never in clear text) and masked on screen when entered. Unauthorized users and former users must be denied access, and the times during which cardholder information may be accessed can be restricted (PCI Security Standards Council, 2006).
4. The PCI specification notes that all systems and network devices connected to a system that stores, transmits or processes cardholder data are in scope and must comply with PCI specifications. To avoid having the whole network subject to PCI specifications, how would you segment the network to reduce the scope of compliance?
I would separate all systems and devices that do not require access to cardholder data from the systems that store, process or transmit it (PCI Security Standards Council, 2006). The IT department's systems would be placed on a separate segment from the Human Resources department's systems. Printers and workstations that play no part in any transaction should also be separated from the cardholder data environment. Using switches and routers for the separation is also recommended: they can be configured to block unwanted and outbound
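The scoping rule in the question above (anything that can connect to the cardholder data environment is in scope) is easy to get wrong when segmentation is only checked by eye. As an added example that is not part of the original essay, the Python below models a small store network as segments and a first-match router ACL, then computes which segments end up in PCI scope and which "should be out of scope" segments still have a path into the CDE. All segment names, probe ports and ACL rules are constructed for illustration; the flat ACL shows the whole network dragged into scope, the segmented ACL shows scope shrinking to the POS, payment database and the admin segment that is deliberately allowed SSH into the database.

```python
"""Added example, not part of the original essay: a toy model of reducing PCI DSS
scope through network segmentation. Every segment name, probe and ACL rule below
is constructed for illustration. The ACL uses first-match semantics with an
implicit deny at the end, as on a typical router or layer-3 switch."""
from dataclasses import dataclass
from typing import List, Set

# Constructed segments. The two CDE segments hold systems that store, process or
# transmit cardholder data; the remaining segments are meant to stay out of scope.
SEGMENTS = ["pos-vlan", "payment-db-vlan", "it-admin-vlan",
            "hr-vlan", "printer-vlan", "guest-wifi"]
CDE_SEGMENTS = {"pos-vlan", "payment-db-vlan"}
EXPECTED_OUT_OF_SCOPE = {"hr-vlan", "printer-vlan", "guest-wifi"}

# Representative flows probed between every pair of segments (proto, dst port).
PROBES = [("tcp", 22), ("tcp", 443), ("tcp", 1433), ("tcp", 3389), ("udp", 53)]


@dataclass(frozen=True)
class Rule:
    src: str     # source segment, or "any"
    dst: str     # destination segment, or "any"
    proto: str   # "tcp", "udp" or "any"
    port: int    # destination port; 0 matches any port
    action: str  # "permit" or "deny"

    def matches(self, src: str, dst: str, proto: str, port: int) -> bool:
        return (self.src in ("any", src) and self.dst in ("any", dst)
                and self.proto in ("any", proto) and self.port in (0, port))


def evaluate(acl: List[Rule], src: str, dst: str, proto: str, port: int) -> str:
    """First matching rule wins; no match means the implicit deny."""
    for rule in acl:
        if rule.matches(src, dst, proto, port):
            return rule.action
    return "deny"


def in_scope_segments(acl: List[Rule]) -> Set[str]:
    """A segment is in scope if it is part of the CDE, or if any probed flow is
    permitted between it and a CDE segment in either direction. This is the
    'connected-to' rule: a system that can talk to the CDE inherits its scope."""
    scope = set(CDE_SEGMENTS)
    for seg in SEGMENTS:
        if seg in CDE_SEGMENTS:
            continue
        for cde in CDE_SEGMENTS:
            for proto, port in PROBES:
                if (evaluate(acl, seg, cde, proto, port) == "permit"
                        or evaluate(acl, cde, seg, proto, port) == "permit"):
                    scope.add(seg)
    return scope


def scope_violations(acl: List[Rule]) -> Set[str]:
    """Segments that were meant to be out of scope but can still reach the CDE."""
    return EXPECTED_OUT_OF_SCOPE & in_scope_segments(acl)


# Flat network: one permit-everything rule drags every segment into scope.
FLAT_ACL = [Rule("any", "any", "any", 0, "permit")]

# Segmented network: only the flows the business needs cross into the CDE
# (POS to the payment database, admin SSH to the database). Everything else
# to or from the CDE is denied before the catch-all permit for other traffic.
SEGMENTED_ACL = [
    Rule("pos-vlan", "payment-db-vlan", "tcp", 1433, "permit"),
    Rule("it-admin-vlan", "payment-db-vlan", "tcp", 22, "permit"),
    Rule("any", "pos-vlan", "any", 0, "deny"),
    Rule("any", "payment-db-vlan", "any", 0, "deny"),
    Rule("pos-vlan", "any", "any", 0, "deny"),
    Rule("payment-db-vlan", "any", "any", 0, "deny"),
    Rule("any", "any", "any", 0, "permit"),
]

if __name__ == "__main__":
    for name, acl in (("flat", FLAT_ACL), ("segmented", SEGMENTED_ACL)):
        print(f"{name}: in scope = {sorted(in_scope_segments(acl))}, "
              f"violations = {sorted(scope_violations(acl))}")
```

Two things the model makes visible that the prose does not: the admin segment stays in scope even in the segmented design, because its SSH path into the database makes it a connected-to system, and the order of the deny rules matters, since placing the catch-all permit above them would silently put every segment back in scope.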