FiveQuestionAssignment(3.8)(Gregory)
School: Full Sail University
Course: CYB3841
Subject: Information Systems
Date: Feb 20, 2024
Pages: 5
Uploaded by JusticeMink2465
Information Assurance and Compliance
Document 3.8
Group Members: Gregory Allen, Eric Saenz, Yaseen Al-Azzawi, Jahque Panthier
1. What PCI merchant level applies to SnowBe Online? Why? Be thorough in your explanation. (Yaseen)
SnowBe Online would likely fall under the classification of PCI DSS Level 1 merchant due to various factors concerning their business operations, particularly in handling cardholder data and transaction volumes. Here's a detailed explanation:
Transaction Volumes:
SnowBe Online processes a substantial number of credit or debit card transactions, roughly amounting to 1.2 million transactions annually, with an average sale size of $75. Such high transaction volumes are typically indicative of Level 1 merchants under PCI DSS.
Data Storage and Handling:
1. Website Operations:
SnowBe's website houses all credit card information and stores customer details and purchase history indefinitely, which implies consistent storage of sensitive cardholder data.
2. Brick-and-Mortar Stores:
Multiple storefronts in the U.S. and Europe accept credit cards using bank-provided terminals, indicating cardholder data handling across various physical locations.
Third-Party Services:
The use of AWS as the platform for the website and payment processing implies reliance on a third-party service provider. Their engagement with AWS, a PCI DSS Level 1 Service Provider, adds complexity to their compliance obligations.
Neglected Security Measures:
Initially, SnowBe had a lax approach to implementing technical controls and processes. Despite recent improvements following a consultant's suggestions and updates, their prior neglect could have accumulated compliance gaps.
Compliance Stringency:
Given their extensive handling of cardholder data, widespread transaction processing, multi-location operations, and reliance on third-party service providers, SnowBe Online faces a stringent compliance requirement in line with Level 1 classification.
Regulatory Expectations:
Level 1 merchants are subject to the most stringent PCI DSS compliance requirements due to the volume of transactions and the potential risks associated with handling vast amounts of cardholder data. Such entities must meet extensive security standards to protect sensitive information adequately.
Conclusion:
The comprehensive handling of cardholder data, substantial transaction volumes, multi-location presence, reliance on third-party services, and prior lapses in security measures collectively position SnowBe Online within the criteria of a Level 1 merchant. Compliance at this level necessitates the highest standards of security measures and regulatory adherence to safeguard sensitive financial information effectively.
2. What must SnowBe do under this level? Be thorough in your response. (Yaseen)
Annual On-Site Assessment:
Conduct an annual on-site assessment by a Qualified Security Assessor (QSA) to validate compliance. This assessment should cover all applicable controls and systems involved in cardholder data processing.
Quarterly Network Scans:
Perform quarterly scans using an Approved Scanning Vendor (ASV) to identify vulnerabilities across systems and networks.
Annual Report on Compliance (RoC):
Submit an annual Report on Compliance (RoC) to the acquiring bank or payment brand. This report details the organization's adherence to PCI DSS requirements.
Robust Security Measures:
Implement stringent security measures including firewalls, encryption, access controls, and regular updates across systems handling cardholder data.
Restricted Access:
Enforce restricted access to cardholder data, following the principle of least privilege. Limit access based on job responsibilities and ensure monitoring of any access to sensitive information.
Security Training:
Provide comprehensive security awareness training to all employees who interact with cardholder data. Ensure they understand and adhere to security policies and procedures.
Logging and Monitoring:
Maintain logs for all system access, regularly reviewing and monitoring these logs for suspicious activities or unauthorized access attempts.
Incident Response Plan:
Develop and maintain an incident response plan, outlining procedures to address and respond to security incidents, breaches, or unauthorized access.
Physical Security:
Implement stringent physical security measures to control access to areas where cardholder data is stored or processed. This includes access controls, surveillance, and visitor logs.
Vendor Compliance:
Ensure third-party service providers comply with PCI DSS requirements if they have access to or handle cardholder data.
Documentation and Policies:
Maintain comprehensive documentation outlining security policies, procedures, and controls. Regularly review and update these documents to reflect changes in the environment or requirements.
3. Which SAQ(s) applies to SnowBe Online? Why? Be thorough in your explanation. If SnowBe Online is required to complete more than one SAQ, be sure to list and explain why for each. Be thorough in your explanation. (Jahque)
SAQ D (Data Security):
SAQ A: SnowBe Online, as an e-commerce business, accepts online payments without physically presenting cards. This SAQ applies to SnowBe as it specifically caters to card-not-present merchants handling transactions through e-commerce channels. SnowBe's online platform interacts with cardholder data during these transactions.
SAQ A-EP: SnowBe, while outsourcing payment processing to a third party, interacts with cardholder data through its e-commerce website. This SAQ targets merchants who rely on third-party services yet directly engage with cardholder data. SnowBe's website, even when payment processing is outsourced, might still handle card data during user interactions.
SAQ B: SnowBe operates physical stores where card-present transactions occur, but it doesn't electronically store cardholder data. This SAQ applies if SnowBe processes card payments in its physical stores without electronically storing cardholder data on its systems. SnowBe's in-store terminals might process card-present transactions without storing card data electronically.
SAQ C-VT: In some instances, SnowBe might use a virtual terminal interface to process payments. This SAQ targets merchants utilizing stand-alone terminals without internet connectivity for transaction processing. If SnowBe employs virtual terminals for payments without internet-connected systems, SAQ C-VT could be applicable.
SAQ D: For SnowBe, if none of the above categories precisely define its operations, SAQ D would be the catch-all category. It covers merchants and service providers with unique scenarios not covered explicitly by other SAQs. If SnowBe's operations don't align with the specifics of A, A-EP, B, or C-VT, then SAQ D would encompass its compliance requirements.
4. What else, if anything, is required based on the SAQ requirement? If nothing, be sure to state that. Be thorough in your explanation. (Eric)
SAQ D is the most comprehensive of the SAQs and as such it lists all of the 12 PCI DSS requirements with 329 questions. Even though some SAQ questions can be filled in with “N/A”, it will require extensive review before decisions over applicability are made. SAQ D, being so stringent, is already seen as the most detailed and prolonged questionnaire due to its broad coverage. Considering that SnowBe Online is a Level 1 PCI organization, there likely won’t be many avenues it shouldn’t cover at this point, and most of the questions will be relevant. SnowBe will have to contact its service providers and vendors for reports on the metrics that need to be taken into consideration, as their monitoring tools aren’t clearly defined. Recently, they have integrated more security solutions such as their server and network device patches; those policies need to be evaluated for sound standard practices during this more in-depth review. An example of this would be their backup policies, which might include the system that allowed for the mentioned neglected backup software update. This is a potential security issue, and therefore the policies related to this implementation should be reviewed even if they meet a bare minimum standard (doubtful). Lastly, information about their web application security will need to be reviewed during the examination as well. Their WordPress site hosted on AWS servers is secure, but for the servers on-premises many tests can be run to verify the various aspects of their site and/or services. Since this site and its management servers are so important for business functions and the protection of cardholder data (even indirectly), they will require testing with a variety of tools. Their monitoring and resource usage should reflect metrics that align with the company's intended network usage and expectations.
5. Statement of agreement for the SAQ group portion. "I (fill in your name) agree with the information that is in our group SAQ and agree to accept the grade that our group receives." (Gregory)
"I Eric, agree with the information that is in our group SAQ and agree to accept the grade that our group receives."
"I Gregory, agree with the information that is in our group SAQ and agree to accept the grade that our group receives."