Payment Card Industry (PCI) Regulatory Compliance:
A Model for Business Service Continuity for Educational Institutions

A Technology Integration Project

Presented to
The Faculty of the Department of Information and Logistics Technology
University of Houston

In Partial Fulfillment of the Requirements for the Degree of
Masters of Science in Technology Project Management - Information Systems Security

By
Veena Nagarajan

December 17, 2007
Masters Project Committee Agreement

For: Nagarajan, Veena (Student Name Last, First)    Student Number: HA0642664    Date: September 26, 2007

Anticipated Field of Research: Information Systems Security

Tentative Masters Project Title: PCI Regulatory Compliance: A Model for Business Service Continuity for Educational Institutions

The following faculty members in the College of Technology agree to serve on the Master's Committee for the student named above. By initialing below, they have agreed to serve.

Committee Members (Accepted):

1. Chairperson: Edward Crowley
2. Committee Member: Michael L. Gibson, Ph.D.
3. Committee Member: Sam V. Longoria, IT Service Continuity Manager, Service Continuity, Information Technology, UH
4. Committee Member: Mark P. Mathre, Service Continuity Analyst, Service Continuity, Information Technology, UH
5. Committee Member: Mary E. Dickerson, IT Project Manager, PCI Compliance, Information Technology Security, UH

Approved: Michael L. Gibson, Ph.D., Chair, Information & Logistics Technology    Date

Abstract

PCI compliance regulation is a process developed for organizations that carry out credit and debit card transactions. Identity theft, security breaches, data leakage and malicious code attacks have increased in large numbers during the past few years. It is imperative to sustain an organization's critical business functions, such as credit and debit card transactions, during and after a disruption or an unexpected event.

When an activity in an organization is stopped for any reason, it has a great impact on the business. This impact could be felt immediately, after a few days, or escalate over time. These impacts might affect cash flow, reputation, or the meeting of legal and statutory requirements. This puts forward the need for a PCI Regulatory Compliance Model for Business Service Continuity for Educational Institutions.

The objective of this technology integration project is to develop a PCI Regulatory Compliance Model to alleviate the potential risks involved in businesses. This proposed model will benefit academic institutions that aim to improve their security posture and protect themselves from fraudulent activities. The guidelines for the project are drawn primarily from journals, white papers, online resources and research articles. The robustness of the model would be determined by studying current methodologies and practices. I would use my sponsor organization to acquire primary data regarding PCI Regulatory Compliance for Business Service Continuity and evaluate how they deal with the requirements relative to the specifics of the proposed model.

Table of Contents

Chapter 1: Introduction ... 8
  1.1. Background ... 8
  1.2. Definitions ... 12
  1.3. Proposed Model ... 13
  1.4 Why Is The Project Important? ... 14
  1.5 Project Motivation ... 15
  1.6 Benefits ... 17
  1.7. How This Project Relates To Technology-Based Projects ... 18
  1.8. Project Contribution ... 21
Chapter 2: Project Methodology Justification ... 23
  2.1. Project Justification ... 23
    2.2.1 Need for PCIDSS in Educational Institutions ... 27
  2.2. PCI Regulatory Compliance ... 28
  2.3. Consequences of Non-Compliance ... 30
  2.4. PCIDSS for Educational Institution ... 31
  2.5. Project Methodology Justification ... 32
    2.5.1 Secondary Data Collection ... 32
    2.5.2. Data Content Organization ... 34
    2.5.3. Content Analysis ... 34
    2.5.4. Inductive Reasoning ... 37
    2.5.5. Progressive Elaboration ... 38
    2.5.6. Case Studies ... 39
    2.5.7. Primary Data Analysis Methods ... 45
Chapter 3: Project Methodology ... 48
  3.1. Proposed Approach ... 48
    3.1.1. Secondary Data Collection ... 48
    3.1.2. Content Organization ... 51
    3.1.3. Content Analysis ... 53
    3.1.4. Inductive Reasoning ... 54
    3.1.5. Assessment of Academic Institutions' PCI Practices Using the Model ... 56
    3.1.6. Primary Data Collection ... 56
    3.1.7. Primary Data Analysis ... 58
  3.2. Sponsor Organization Background ... 59
  3.3. Project Resources ... 62
  3.4. Technology Used ... 62
  3.5. Proposed Project Plan ... 663
References ... 65

List of Figures

Figure 1.1: Federal IT Security Survey ... 9
Figure 1.2: Consumer Fraud and Identity Theft Consumer Data ... 9
Figure 1.3: Location of Banks Whose Cards Were Sold on Underground Economy Servers ... 11
Figure 1.4: Business Threat Model ... 16
Figure 1.5: PCIDSS Compliance - Solution to the Business Threat Model ... 17
Figure 1.6: Security Solutions for Compliance ... 20

Figure 2.1: Methods of Payments Reported By Consumers ... 24
Figure 2.2: Data Breaches That Could Lead to ID Theft ... 25
Figure 2.3: Data Breaches That Could Lead To Identity Theft by Sector ... 26
Figure 2.4: PCIDSS Control Categories ... 29
Figure 2.5: Affinity Process: Random Ideas Generation and Affinity Diagram ... 37

Figure 3.1: Data Gathering Phase ... 50
Figure 3.2: Content Organization for Category I in Endnote X ... 53
Figure 3.3: Inductive Reasoning - "Bottom-Up" Approach ... 55
Figure 3.4: Project Plan ... 64

Chapter 1: Introduction

1.1. Background

During the past few years, numerous high-profile security breaches at many companies have left consumers and credit card companies searching for answers (Sterling Commerce, 2007). Today, organizations rely on open sources and the internet for business-to-business credit card transactions. Security attacks that target administrative and technical vulnerabilities pose the greatest risk to information systems (Tripwire, 2007).

Security attacks target many institutions for financial gain. The most important aspect for any institution is the protection of sensitive electronic data from criminals, whose targets include checking account numbers, user identities (IDs) and passwords. Figure 1.1, a 2006 Federal IT security survey by Market Connections Inc., showed that respondents considered reduced operations and service delivery due to security breaches their number one concern (Market Connections, 2006).

Between January and December 2005, the Federal Trade Commission's (FTC's) complaint database, Consumer Sentinel, received over 685,000 consumer fraud and identity theft complaints (FTC, 2006). Figure 1.2 shows that credit card fraud (26%) was the most common form of identity theft reported by victims, followed by phone or utilities fraud (18%), bank fraud (17%) and employment fraud (12%). Other significant categories of identity theft stated by the FTC were government documents/benefits fraud (9%) and loan fraud (5%) (FTC, 2006).

Figure 1.1: Federal IT Security Survey (Market Connections Inc, 2006)

Figure 1.2: "Consumer Fraud and Identity Theft Consumer Data", FTC (2006)
[Pie chart: Credit Card Fraud 26%; Unauthorized Phone or Utility Services 18%; Bank Fraud 17%; Employment-Related Fraud 12%; Government Document or Benefits Fraud 9%; Fraudulent Loans 5%; Other Assorted Incidents 13%]

Brodkin (2007) stated that the exposure of 45.7 million credit and debit card numbers in the TJX breach served as a wake-up call for many retailers. He also stated that retailers understood that failure to protect the assets of customers would put their trust and money at risk.

A recent threat report by Symantec Corporation reveals an increase in data theft, malicious code attacks and data leakage aimed at obtaining access to confidential information for financial gain (Symantec, 2007). Symantec also describes the use of underground economy servers by criminals and criminal organizations to sell stolen information for subsequent use in identity theft. According to Symantec, the data obtained include government-issued Social Security numbers, credit cards, user accounts and e-mail addresses (Symantec, 2007).

Figure 1.3 and Table 1.1 present the statistics determined by Symantec Corporation. According to Symantec, "85 percent of credit and debit cards advertised for sale on underground economy servers in the first half of 2007 were issued by banks in the United States" (Symantec, 2007).

Figure 1.3: Location of Banks Whose Cards Were Sold on Underground Economy Servers (Symantec, 2007)

Table 1.1: Breakdown of Goods Available For Sale on Underground Servers (Symantec, 2007)

1.2. Definitions

According to the Payment Card Industry (PCI) Security Standards Council (2006), "PCI Data Security Standard (DSS) is a set of comprehensive requirements for enhancing payment account data security." PCI DSS was a joint effort of the major credit card companies, including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International (PCI Security Standards Council, 2006).

PCI compliance regulation is a process developed for organizations that carry out credit and debit card transactions (Acunetix, 2007). Businesses may face severe penalties if they suffer a security breach due to lack of PCI compliance (Top Layer, 2006). Businesses lose the right to process card transactions if they fail to comply with PCI standards (Acunetix, 2007). Johnson (2006) states that "Compliance is required of all merchants and service providers that store, process, or transmit cardholder data."

Gaining an understanding of both regulatory compliance and business service continuity would help institutions implement strategies that improve operational efficiency and bring the institution into regulatory compliance (Wenk & Bertrand, 2005). Wenk & Bertrand also state that regulatory compliance and business service continuity help maintain a good security posture and manage the loss expectancy.

Krutz & Vines (2003) state that "Business Continuity Planning is the process of making the plans that will ensure that critical business functions can withstand a variety of emergencies." In other words, business continuity planning (BCP) provides assurance that the organization can accomplish its mission.

Business service continuity planning for an educational institution is maintaining, recovering or resuming the services offered by the university as an educational institution (California State University, 2006). Educational institutions must make sure that the critical business functions and services offered with regard to credit card transactions occur uninterrupted and remain available for several business days without jeopardizing the institution's ability to serve its communities and students (North Carolina State University, 2006).

1.3. Proposed Model

The Payment Card Industry Data Security Standard (PCIDSS) is a single solution for all major credit card companies: a common platform whose objective is to safeguard sensitive credit card information (Sterling Commerce, 2007). Sterling Commerce states that credit card transactions consist of three main processes, capturing, processing and routing of cardholder data, during the authorization and settlement of cardholder details. The most important aspect here is the security of cardholder data across those three processes (Sterling Commerce, 2007).

A PCI regulatory compliance model would facilitate PCI compliance and ensure continuity in the business services offered by an institution. Members, retailers and credit card service providers build a culture of security among each other by complying with the PCI DSS (Johnson, 2006). The proposed model focuses on educational institutions, with the objective of arriving at a single solution to the threats attackers pose to them. The project will involve detailed research on PCI standards and procedures. The proposed approach is a new approach targeting educational institutions that work hard to keep up with unexpected events while still maintaining continuity in business services.

The deliverable of this technology integration project is a regulatory compliance model whose key areas of focus are the PCI standard and business service continuity planning for educational institutions. The project would include documentation of key findings from the literature on PCI standards and the requirements that should be followed to maintain a secure business network in an educational environment.

1.4 Why Is The Project Important?

The project is important because the PCI compliance standard aims to prevent financial fraud and identity theft at their source by making sure the systems that process and store cardholder details are secure (Acunetix, 2007). The targets of online fraud and identity theft are not only retailers but also organizations involved in credit card transactions on a daily basis, such as educational institutions.

Data security breaches are convincing retailers to adopt PCIDSS. "VISA U.S.A. Inc. reported that about 96% of the world's largest businesses that accept credit and debit cards have stopped storing magnetic stripe information in their systems, meeting a key PCI requirement" (Vijayan, 2007).

Security attacks and unexpected technological problems in network security keep security analysts and businesses on their toes. Unfortunately, once a system is secured, new vulnerabilities are exposed. This is why the PCI compliance standard is needed, and why PCI DSS compliance is an ongoing process. PCIDSS ensures business continuity when PCI standards are followed and maintained faithfully.

Minnesota is the first state to make PCIDSS a legal core requirement for all credit card companies (Vijayan, 2007). Vijayan states that companies that suffer data breaches and are found to hold unauthorized credit and debit card details pay a heavy penalty. He also states that a similar law was proposed in Texas. The law passed the Texas House of Representatives by a vote of 139-0 in May 2007 (Vijayan, 2007). The proposal was unable to pass the Texas Senate, which needed more time to address various concerns about the bill (Vijayan, 2007).

1.5 Project Motivation

With a wide range of security issues to address, credit cards are the asset used more often than any other today. Securing sensitive customer data with the aid of PCIDSS would not only fortify customer trust but also improve the security posture of an organization as a whole.

The main idea of my project evolved through a series of research on two main security issues: risk assessment and business continuity. As my initial research progressed, the idea of securing credit card details emerged. On further analysis of the security audit procedures available today, PCIDSS appeared to have more scope for ensuring business continuity in an institution and protecting it from unexpected security risks.

Figure 1.4 shows the security risks involved in businesses, such as credit card fraud, bank fraud, malicious code attacks and data leakage. Figure 1.5 depicts the importance of PCIDSS compliance in maintaining continuity in businesses.

Figure 1.4: Business Threat Model
[Diagram: credit card fraud, bank fraud and malicious code attacks act on the regular activities in an institution, and business stops]

Figure 1.5: PCIDSS Compliance - Solution to the Business Threat Model
[Diagram: PCI DSS compliance in an institution ensures business service continuity]

1.6 Benefits

The proposed model would benefit educational institutions. The benefits would include continued, secured credit card services to faculty, staff and students. The university as a whole performs a number of transactions on a daily basis. Universities also maintain databases of student personal identity numbers (Social Security numbers, etc.), credit card details and daily transactions. Educational institutions also deal with other monetary concerns, such as student grants, federal funds and student tuition. It is highly important to secure these funds from unexpected events such as security breaches.

The PCI regulatory compliance model would benefit colleges and universities whose ultimate goal is to provide continued services without disrupting the regular activities of the organization. Business service continuity provides assurance that the organization can accomplish its mission.

According to the Federal Emergency Management Agency (FEMA, 2003), "Continuity of operations planning is a good business practice and part of the fundamental mission of agencies as responsible and reliable public institutions." By ensuring business service continuity with PCI compliance, organizations can address other major security issues. PCI DSS regulatory compliance ensures trust and security among the students, faculty and staff of an organization, which in turn protects the reputation of universities and colleges.

I hope the proposed model would benefit academic institutions and improve the security posture of the organization. Business service continuity is a preventive measure. Providing the necessary service at the right time without any disruption lays a strong foundation for the security posture of academic institutions.

1.7. How This Project Relates To Technology-Based Projects


The PCI DSS combines technology, policies, education, awareness and industry best practices. Financial networks, consumers and governmental regulatory agencies are increasingly concerned about the potential for security breaches within merchant technology environments (Tripwire, 2007). Merchants are the companies that accept credit cards in exchange for the services or goods they provide. Businesses that perform credit card transactions must enforce PCI DSS to protect cardholder data (AppsLabs, 2007). Merchants incur huge risk if they fail to protect cardholder data (Tripwire, 2007).

The goal of the PCI standard is to build safer and easier electronic commerce for the banking and electronic credit card industry. Complying with PCI DSS is daunting because the necessary security measures span the network and connected systems (Imprivata, 2007). According to industry experts, the best way to achieve and maintain PCI compliance is to adopt a realistic approach to locking down networks (Imprivata, 2007). This can be done by centrally managing systems and network services, and by providing user access to critical systems based on individual access rights (Imprivata, 2007).

Implementation of PCIDSS involves greater use of technology, including installation and maintenance of firewall configurations, use of strong encryption and security protocols to protect cardholder data, and implementation of anti-virus software to protect critical systems from malicious code attacks (PCI Security Standards Council, 2006).

Figure 1.6 shows that, in terms of specific solutions applied to achieve compliance, application-level firewalls have been deployed by 31% of respondents to protect their assets. To protect communications between critical systems, organizations use internal encryption and vulnerability scanning (Antonopoulos, 2005).

Figure 1.6: Security Solutions for Compliance (Antonopoulos, 2005)

The PCI DSS security requirements apply to all system components in an organization. A system component is any network component, server or application that is included in or connected to the cardholder data environment (PCI Security Standards Council, 2006). PCIDSS requires continuous validation of security measures. Experience shows that PCIDSS implementation is successful when coordinated with business operations (Tripwire, 2007).

The derived model would align both the technology and business goals and aid in achieving PCI regulatory compliance in an educational institution.

1.8. Project Contribution

Project Contribution to Information Systems Security

In the information age, information system security is recognized as a critical factor for business success (Oscarson, 2007). Oscarson also states that, as the internet is the major information infrastructure in sectors such as education and health care, the importance of information system security steadily increases.

According to the PCI Security Standards Council (2006), "the PCI Data Security Standard is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures." The PCI council also states that the PCI requirements will benefit all stakeholders in the payment value chain and will improve the overall security of customer-entered data.

As a security model, the PCI requirements can help educational institutions manage compliance costs and build an efficient and reliable information technology (IT) infrastructure that renders better service while incurring less risk (Tripwire, 2007). PCI DSS acts as a measuring stick to gauge data security at the level of the merchants who handle credit and debit card transactions in an educational institution (Trace Security, 2007).

Project Contribution to Project Management

The proposed model based on PCIDSS will provide an enterprise structure for enhancing operational, security and audit performance (Tripwire, 2007). Tripwire also states that implementing the model in an organization will help management better manage information security risks. The model forms a basis for a technology architecture built on PCI guidelines and security standards and helps maintain good policy management (Trace Security, 2007).

Exhibiting compliance with PCI will help management preserve a healthy business relationship between merchants, service providers and acquiring banks, as it reduces non-compliance risks in quantifiable ways (Trace Security, 2007). Trace Security also states that "PCI DSS is a set of standards designed for configurations, best practices, change management procedures, and validation processes."

By using the model, an educational institution's management group can achieve regulatory compliance with PCI standards and build the trust of its customers, which include the students, faculty and staff of the organization.

Chapter 2: Project Methodology Justification

2.1. Project Justification

The information age has brought heightened concern about the security of an individual's identity. Information is shared more quickly and easily, without permission. This has increased the possibility of identity theft and unauthorized use of private information (Adler, 2006).

According to the Federal Bureau of Investigation (FBI), "Criminals use computers to store, process and perform financial transactions." High-tech crime is a source of revenue for organized criminal groups and a sophisticated means of making commercial and financial transactions that support criminal activity.

Consumer credit card data is an attractive target for criminals and criminal organizations. Selling fraudulently acquired information over the internet is a growing business for cyber criminals. Identity theft is the crime of the 21st century (Sterling Commerce, 2007). According to GFI, a leading software company, credit card fraud (25%) was the most common form of reported identity theft in 2006. Financial institutions and businesses lost more than $48 billion in that year due to identity theft.

According to the FBI (2006), "Identity theft includes acquiring an individual's personal information such as Social Security number, date of birth, mother's maiden name, account numbers, address, etc., for use in criminal activities such as obtaining unauthorized credit and/or bank accounts for fraudulent means."

Protection of credit card data is highly important, as the credit card is the most used asset for online payments and transactions. Figure 2.1 shows that credit cards were the most used method of payment by customers during the year 2005 (FTC, 2006).

Figure 2.1: Methods of Payments Reported By Consumers (FTC, 2006)

Loss of personal data costs not only the individual whose identity is at risk and the financial institution, but also the organization responsible for collecting and retaining the data. Data breaches can harm an organization’s reputation and destroy a customer’s confidence in the organization.



Data breaches may also lead to identity (ID) theft. The primary cause of data breaches may be the loss of a computer, a USB drive or any other medium used to store sensitive information. During the first half of 2007, 46% of reported data breaches were due to stolen hardware. Figure 2.2 shows the statistics for the other causes of data breaches.

[Pie chart: 46%, 34%, 16%, 2%, 2%; legend: Theft/loss, Insecure Policy, Hacking, Insider attack, Other]

Figure 2.2: Data Breaches That Could Lead to ID Theft (Symantec, 2007)


Educational institutions need more protection from data breaches. Figure 2.3 shows that in the first half of 2007, the education sector accounted for more data breaches than any other sector, making up 30 percent of the total. This is an increase from the previous period, when the education sector accounted for only 22 percent of the total and ranked second.

Figure 2.3: Data Breaches That Could Lead to Identity Theft by Sector (Symantec, 2007)

Educational organizations handle many credit card transactions and store a lot of personal information. Criminals make use of sensitive information like this for identity theft. These organizations, especially larger universities, consist of independent departments where sensitive personal data may be stored in locations that are accessible to many people. This increases the opportunities for attackers to gain unauthorized access to personal information and credit card data. In addition, research hospitals that are part of the education sector store a large amount of patients’ personal data, including medical information (Symantec, 2007).




2.2.1 Need for PCIDSS in Educational Institutions

According to Doan in the Los Angeles Times (2006), “Since January 2006, at least 845,000 people have had sensitive information jeopardized in 29 security failures at colleges nationwide.” Identity theft experts who monitor media reports found that hackers have gained access to Social Security numbers and, in some cases, medical records.



The following universities were affected by data breaches during the year 2006 (Doan, 2006):
• University of Texas discovered illegal access to 197,000 Social Security numbers of students, alumni and employees.
• Stanford University applicants hacked into admissions systems to check whether their applications were accepted.
• Ohio University confirmed its third security breach since April 2006, together compromising 360,000 personal records and a number of patented data and intellectual property files.
• Sacred Heart University in Connecticut reported that a security breach had compromised the Social Security numbers and some credit card numbers of 135,000 people.
• The California State University system reported 24 breaches since July 2003.

According to Rick Jones, an information security analyst in Los Angeles, "A university is fighting for every dollar to maintain a good education standard."



This brings a need for a Payment Card Industry (PCI) Data Security Standard (DSS) Regulatory Compliance Model to help maintain a well-secured environment and offer continuity of critical business functions by avoiding security risks such as data breaches and criminal attacks.




2.2. PCI Regulatory Compliance

PCIDSS ensures consistency of security standards for the card issuers and provides assurance to cardholders that their data is secure, regardless of where the card is used. It defines industry best practices for how credit card information must be stored and processed to reduce the probability of losing the credit card data to unauthorized users (Blount, 2006).



The PCIDSS establishes twelve requirements that companies must follow to protect sensitive cardholder data. The twelve requirements cover every aspect of an organization’s operation, from business operation to configuration of the IT infrastructure. The twelve requirements fall into six control categories (Bakman, 2007), as shown in Figure 2.4.

[Chart: PCIDSS control categories: Build and manage card holder data; Protect cardholder data; Maintain a vulnerability management program; Implement strong access control measures; Regularly monitor and test networks; Maintain an information security policy]

Figure 2.4: PCIDSS Control Categories (PCI Security Standard Council, 2006)

The six control categories according to the PCI Security Standard Council are:
• Build and maintain a secure network: This includes firewall installation and a secure password policy.
• Protect cardholder data: This requires encryption of cardholder data transmitted across open public networks.
• Maintain a vulnerability management program: This includes regular updates of anti-virus software and security applications.
• Implement strong access control measures: This control restricts access to cardholder data by assigning a unique identity to each person who accesses the network.
• Regularly monitor and test networks: This control covers the monitoring and testing of security systems and processes.
• Maintain an information security policy: This control focuses on maintaining a policy that addresses information security for employees and contractors.




2.3. Consequences of Non-Compliance

The primary aspect of PCI compliance is that the cost of non-compliance is high. In the event of a security breach, the merchant must immediately notify the credit card entity and limit the exposure of cardholder data.



Examples of industries in which merchants must be compliant (GFI Software, 2007) are:
• Online retailers.
• Retailers such as outlets.
• Higher education, such as universities.
• Healthcare, such as hospitals.
• Travel and entertainment, such as hotels and restaurants.
• Energy, such as gas stations.
• Finance, such as banks and insurance companies.



If a security breach occurs in an organization that is not PCI compliant, severe fines are imposed on the organization. Fines of up to $50,000 per incident are imposed in the event of a data breach due to PCI non-compliance. Other consequences include the credit card company revoking the organization’s ability to process future credit card transactions (GFI, 2007).


The following is an example of the fines issued to a large wholesaler, a franchise restaurant chain and a small grocery store due to PCI non-compliance (CISCO, 2007):
• Large wholesaler: Card issuers sued the chain for US$16 million for compromised credit cards.
• Franchise restaurant chain: The compromised restaurant was fined $500,000 in addition to the cost of re-issuing the credit cards.
• Small grocery store: Card associations fined the store about $50,000.



Businesses that have had sensitive cardholder data compromised have to notify the legal authorities and are expected to provide free credit protection services to all affected members. Organizations are susceptible to legal action by cardholders if cardholder data is accidentally lost or stolen. This results in bad publicity and loss of business reputation (GFI, 2007).


2.4. PCIDSS for Educational Institutions

PCIDSS requires all merchants, including colleges and universities, to comply with the PCI requirements (Adler, 2006). Virginia Tech is a comprehensive, innovative research university with the largest full-time student population in Virginia. An external vendor processes its credit card transactions, such as tuition payments. The University is responsible for the private information of thousands of students, faculty, staff and alumni, and preventing data breaches is a top initiative for Virginia Tech (Core Security, 2007).




For Virginia Tech University to comply with the PCI standard, the initial focus was on departments that handle credit card transactions. PCIDSS provides the standards with which universities must comply to safeguard cardholder data. With the help of an industry-standard tool, a security assessment was conducted for Virginia Tech University, as part of the PCI requirement, to exploit the vulnerabilities that could lead to data breaches (Core Security, 2007).



During the testing phase, a remote attack was launched to test the vendor system of Virginia Tech University. The vendor recognized the problem, corrected it and brought the system back to its secured state (Core Security, 2007).




2.5. Project Methodology Justification

The project methodology involves two main data collection methods: secondary data collection and primary data collection.


2.5.1 Secondary Data Collection

What is Secondary Data Collection?

FAO (1997) describes secondary data collection as the analysis of data or information gathered by researchers, institutions, etc. Secondary data involves using existing data for research purposes. Secondary data helps in drawing conclusions, answering a question and solving a problem (FAO, 1997). It provides a cost-effective way of gaining a comprehensive understanding of a specific theory (FAO, 1997).

Secondary data analysis helps in designing primary research and provides a baseline against which to compare the results of primary data collection (FAO, 1997). Secondary data takes two forms (Glasgow Caledonian University, 2004): qualitative sources and quantitative sources. Qualitative sources include the following (Glasgow Caledonian University, 2004):
• Handbooks, policy statements, planning documents, reports, historical and official documents.
• Newspapers: public interest and opinion.
• Literature in general.
• Memoirs: the benefit/problem of hindsight, etc.

Quantitative sources include (Glasgow Caledonian University, 2004):
• Published statistics, including national government sources such as demographic data (census and vital statistics), administrative data (collected by government) and government surveys.
• Local government sources.
• Other sources such as academic research institutes, for example the National Institute of Standards and Technology.
• Non-published / electronic sources such as international sources on the Internet and Web.



Secondary data collection involves collecting and analyzing a vast array of information. It improves the researcher’s understanding of a problem. Secondary data also facilitates comparisons using the data obtained and gives a more thorough understanding of a particular theory (Caston, 2005).




2.5.2. Data Content Organization

Organizing the content means prioritizing critical information, grouping related elements and ensuring that all information is available (U.S. Department of Health & Human Services, 2007). Content organization consists of two approaches (Indiana University Southeast, 2007):
• Organizational schemes: An organizational scheme is a classification system for content items. It is a way to cluster things into groups based on some common characteristic.
• Organizational structures: Organizational structures determine the relationships between the groups.

The affinity process is used to organize the data gathered into groups based on their natural relationships (Balance Scoreboard Institute, 2007).




2.5.3. Content Analysis

Content analysis is a method used to draw inferences and corroborate them using data collection methods. Content analysis is a qualitative technique (Stemler, 2001). Content analysis enables researchers to examine large volumes of data and helps them sort the data in a systematic fashion (GAO, 1996). Content analysis consists of two general categories (Palmquist et al., 1980):
• Conceptual analysis, where a concept is selected for examination and the number of its occurrences in the text is recorded.
• Relational analysis, which builds on conceptual analysis by examining the relationships among concepts in a text.



Content analysis provides insight into complex models of human thought processes and language use (Palmquist et al., 1980). Content analysis is useful for examining trends and patterns in the data collected (Stemler, 2001).



Affinity Analysis Process

The affinity analysis process is used to group ideas generated by a brainstorming process (Balance Scoreboard Institute, 2007). The affinity process uses the affinity diagram, developed by Jiro Kawakita, a Japanese anthropologist (Mind tools, 2007). The affinity diagram is a tool that gathers large amounts of data and organizes them into groupings based on their natural relationships (Balance Scoreboard Institute, 2007).

The affinity process can be utilized for the following purposes (Balance Scoreboard Institute, 2007):
• Sifting large volumes of data: This is helpful for organizing data into groups.
• Encouraging new patterns of thinking: This phase helps in brainstorming ideas.




Creation of an affinity diagram involves the following steps (Brassard, 1989):
• Generate ideas: Here, the brainstorming tool is used to generate ideas.
• Display the ideas: Here, the ideas are posted on a chart pack or wall in a random manner.
• Sort ideas into groups: Here, the ideas are sorted and arranged in the groups to which they are closely related.
• Create header or common theme cards: The header is an idea that captures the link between the ideas in a group of cards.
• Draw the affinity diagram: Here, the problem statement is written at the top of each group of ideas. The ideas are then reviewed and clarified to complete the affinity process.



An affinity diagram is a great tool for assimilating and understanding huge volumes of gathered data (Mindtools, 2007). Figure 2.5 depicts the affinity process for generating random ideas and grouping them with common theme cards to form the affinity diagram.

Figure 2.5: Affinity Process: Random Ideas Generation and Affinity Diagram (Mind Tools, 2007)



The process of creating relationships and working backwards from detailed information to a common theme provides insight into specific research and helps discover all the hidden linkages (Mindtools, 2007).




2.5.4. Inductive Reasoning

Inductive reasoning is the process of making generalizations based on a number of observations (Mind Tools, 2007). According to Nicholas Rescher (1980), “Inductive reasoning is a solution to the problem of finding answers to questions on the basis of limited evidence.” A study conducted by Harverty et al. (2000) on mathematical function-finding processes identifies three main processes of inductive reasoning:
• Data gathering: Data gathering includes data collection, organization and representation.
• Pattern finding: Pattern finding includes the study and analysis of data.
• Hypothesis testing: Hypothesis testing is the process of constructing, proposing and testing hypotheses.

Data gathering is a pre-inductive preparatory activity. Pattern finding is the process of detecting co-variation from a number of samples (Holland et al., 1987). The researcher’s ability in inductive reasoning is supported by careful selection and utilization of techniques (Lin et al., 2005).



The different kinds of inductive reasoning are (King, 2006):
• Statistical syllogism: A statistical syllogism proceeds from a generalization to a conclusion about a specific member of the group.
• Generalization: Generalization is a process that proceeds from a premise about a sample to a conclusion about the population as a whole.
• Analogy: Analogy uses the known similarities between two things to help draw a conclusion about attributes common to both.
• Simple induction: Simple induction proceeds from a premise about a sample group to a conclusion about a specific member of the group.

Inductive reasoning is an important tool used to build models of reality. It aids in drawing a unified conclusion by studying outcomes, events and observations (Mind tools, 2007).




2.5.5. Progressive Elaboration

Progressive elaboration adds more detail to the project and provides a better understanding of it. Progressive elaboration proceeds by developing the project in steps and continuing in increments (Whittingham, 2007). Progressive elaboration is a process that focuses on details over time (U.S. Department of Interior Bureau of Reclamation, 2007). Progressive elaboration defines the requirements at the highest level. The requirements are then broken down into steps until fine details are gathered. Progressive elaboration gives a detailed understanding from the study. It aids in uncovering more and more details relevant to the project (Pitagorsky, 2002).




2.5.6. Case Studies

A case study is a triangulated research strategy. According to Tellis (1997), “Triangulation can occur with data, theories, and methodologies.” The case study approach helps in gaining practical knowledge about a specific area. Selection of appropriate cases helps in maximizing the knowledge about the topic for a specific period (Tellis, 1997).

There are three specific types of case studies: exploratory, explanatory and descriptive (Yin, 1993). The other types are intrinsic, instrumental and collective. Intrinsic is when the researcher focuses on a specific case. Instrumental is using the case to gain a detailed understanding. Collective is used when a group of case studies is used (Stake, 1995). An exploratory case addresses social research. Explanatory case studies aid causal investigations. For descriptive cases, a descriptive theory is developed before beginning the project. The case study aids data collection and research analysis (Yin, 1993).

According to Yin (1994), data for case studies can be obtained from many different sources. Primary data collection is one of the main methods of data collection for case studies (Hurrell, 2005).

Primary Data Collection

Primary data is data gathered to solve a current problem (Allen, 1999). The data collected is unique and based on the focus area of the researcher (San Diego State University, 2007).

The three basic means by which primary data can be collected are (Allen, 1999):
• Observation.
• Survey (questionnaires and interviews).
• Experiment.



Observation

Observational data collection is a technique by which a researcher gathers firsthand data on the processes, behavior and programs being studied (National Science Foundation, 1997). The National Science Foundation also highlights that observation provides accurate data on what consumers do in a specific situation. The researcher can develop a holistic view by directly observing the operations and activities in an organization (National Science Foundation, 1997).



Observational data collection records the behavioral patterns of people, processes and events in a systematic fashion (Thames Valley University, 2007). Observation techniques consist of two main methods (Allen, 1999):
• Mechanical observation: Mechanical observation provides reliable data and uses objective measures.
• Personal observation: Personal observation is an approach by which data is obtained by observing actions and situations.

The other methods of observational data collection are (Thames Valley University, 2007):
• Structured observation: In structured observation, the observer or researcher specifies what to observe and how to record it. It is suitable when the problem is clearly defined.
• Unstructured observation: If the problem has not yet been formulated precisely, unstructured observation is used. In unstructured observation, the researcher observes all aspects of the phenomenon that are relevant to the research.
• Disguised observation: In disguised observation, respondents are unaware that they are being observed.
• Undisguised observation: In undisguised observation, respondents are aware that they are being observed.
• Natural observation: Natural observation is observing the behavior in the working environment.
• Contrived observation: The respondent’s behavior is observed in an artificial environment.
• Participant observation: In participant observation, the observer is a part of the group being studied.
• Non-participant observation: The observer does not take any active part in the activity being observed.




Role of observer

The fundamental distinction between different observational strategies lies in the extent to which the observer participates in the setting being studied (National Science Foundation, 1997). An observer’s role can be classified as follows (Thames Valley University, 2007):
• Observer as employee: The observer works as an employee in the organization. Here, the role of observer need not be explicit.
• Observer as an explicit role: The observer is present every day for a particular period and is allowed to observe, interview and participate in the work.
• Interrupted involvement: The observer is present sporadically for a particular period. Interrupted involvement permits the observer to conduct interviews and to move in and out of the organization if the need arises to complete the research.
• Observation alone: The observer performs only observation in the organization to collect primary data.




Surveys

Surveys, or questioning, involve using a data collection instrument such as a questionnaire to ask respondents the necessary questions to obtain the desired information (Allen, 1999). Questionnaires are easy to use but difficult to design. Questionnaires provide the option of keeping the respondents anonymous. Questionnaires are used to survey large organizations (Thames Valley University, 2007).



The different methods of administering a questionnaire are (San Diego State University, 2007):
• Electronic-mail surveys: Electronic-mail (e-mail) surveys are administered over the Internet via a mail service. E-mail surveys do not include interviews. Respondents read the description and answer the questions.
• Web-based survey: A web-based survey is a survey conducted over the web.
• Telephone interviews: Telephone interviews involve a voice conversation between the interviewer and the respondent. They are easy to administer and give spontaneous responses.
• Personal interview method: A personal interview is an interview conducted between the interviewer and a respondent with a focus group.




Formulating Questions for the Questionnaire

The types of questions formulated for a questionnaire fall into one of the following categories (Duval, 2005):
• Open questions: Open questions allow the respondent to elaborate on answers.
• Closed-ended questions: The respondent is given all possible answers for the question asked by the interviewer. Closed-ended questions are used when quantitative statistical results are desired.
• Likert scale questions: The Likert scale is used to assess the respondent’s perspective on a specific research topic.
• Multiple-choice questions: Multiple-choice questions provide a finite number of options for answering the question.
• Ordinal questions: Ordinal questions are used to rank the answers to a specific question.
• Numerical questions: Numerical questions are used to obtain real values such as months, periods, etc.
• Categorical questions: Categorical questions are questions whose answers take the form of a category. The respondent is required to select one among the different categories of answers.



Archive Data Collection

Archive data is data obtained from survey data, service records and organizational records. The researcher carefully checks the accuracy of each data item collected before using archive data (Yin, 1994). Archive data collection helps the researcher in arriving at the right approach for the research, the concept for the questionnaire and the answer schemes (SIDOS, 2005). The Swiss Academy of Humanities and Social Sciences (SIDOS) states that archive data allows the researcher to delve deeper into previously published analyses in the specific field of research. SIDOS also states that archive data is a precious tool for illustrating the data analyzed.


Interviews

The interview is a technique primarily used to gain an understanding of the views of experts and their experiences (Thames Valley University, 2007). Thames Valley University also states that the interview questionnaire is prepared by listing the areas that require more information and by selecting the respondents for expert opinion. Personal interviews are interviews that can be carried out between an interviewer and a respondent with a specific focus group (San Diego State University, 2007). It is a direct, face-to-face interview (Thames Valley University, 2007). More information can be obtained through a personal interview (San Diego State University, 2007).


2.5.7. Primary Data Analysis Methods

Thames Valley University (2007) states the uses of analyzing data as follows:
• To describe and summarize the data.
• To identify relationships between variables.
• To compare variables.
• To identify the differences between variables.
• To forecast outcomes.

Thames Valley University also states that analysis of data that can be analyzed statistically is known as quantitative data analysis, and analysis where the data is subjective and is presented in the form of words is known as qualitative analysis.




Qualitative Analysis

According to Marshall and Rossman (1990), “Qualitative data analysis is a search for general statements about relationships among categories of data.” Content analysis consists of reading and re-reading the data collected, looking for similarities and differences, and developing categories (Thames Valley University, 2007). Qualitative analysis includes two types of analyses (Hart, 2007):
• Source of quoted material
• Thematic analyses

Qualitative analysis will be performed on archive data, which includes organizational records and survey data, and on observational data, which includes personal interviews. Interview data can be analyzed by performing thematic analyses (Hart, 2007). Hart also states that a thematic analysis is performed to analyze the text of interviews for the prevalence of certain themes.



Quantitative Analysis

Quantitative data is data that can be analyzed using statistical methods (Thames Valley University, 2007). The data that is analyzed quantitatively is the questionnaire data (Hart, 2007).

The statistical methods as stated by Thames Valley University are:
• Scales of measurement: The scale of measurement of the data is chosen from a set of scales such as the ordinal scale, nominal scale and numerical scale.
• Descriptive statistics: Descriptive statistics describe the data set using numbers, typically an average or a measure of dispersion. The summary statistics of descriptive statistics include the following variables (Thames Valley University, 2007):
  ◦ Mode: The mode is the most frequently occurring value.
  ◦ Median: The median is the middle value.
  ◦ Mean: The mean is obtained by adding the values and dividing by the number of values.
  ◦ Quartiles (Q1 and Q3): The quartiles are the 25% and 75% values respectively and are measures of dispersion about the median.
  ◦ Standard deviation: The standard deviation is a measure of the dispersion about the mean.
• Establishing relationships between variables: Establishing a relationship between variables can be achieved by two approaches (Thames Valley University, 2007):
  ◦ Cross-tabulation: A cross-tabulation is a matrix in which all categories representing one variable are presented in rows and categories representing another variable are presented in columns.
  ◦ Correlation coefficient: The correlation coefficient is used to see whether there is a linear relationship between two variables.
• Diagrammatic representation of data: Diagrammatic representation of data is achieved using graphs and charts such as bar charts, pie charts and histograms.
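As an added illustration that is not part of the thesis, the statistics listed above (mode, median, mean, quartiles, standard deviation, cross-tabulation, correlation coefficient and a text bar chart) are implemented from their definitions and run over a constructed set of PCI questionnaire returns; the department names, the answer columns and their values are made up for the example.

```python
"""Descriptive statistics, cross-tabulation and Pearson correlation written
from their definitions, applied to a constructed PCI questionnaire data set."""
from collections import Counter
from math import sqrt

# Constructed questionnaire returns, one row per campus department (not real
# survey data). 'likert' is 1-5 agreement with "cardholder data we transmit is
# encrypted"; 'incidents' is card-data incidents reported in the last year;
# 'sector' and 'stores_pan' are categorical answers.
RESPONSES = [
    {"dept": "Bursar",        "sector": "Admin",     "stores_pan": "No",  "likert": 5, "incidents": 0},
    {"dept": "Bookstore",     "sector": "Auxiliary", "stores_pan": "Yes", "likert": 4, "incidents": 1},
    {"dept": "Parking",       "sector": "Auxiliary", "stores_pan": "Yes", "likert": 4, "incidents": 2},
    {"dept": "Athletics",     "sector": "Auxiliary", "stores_pan": "Yes", "likert": 2, "incidents": 3},
    {"dept": "Library",       "sector": "Academic",  "stores_pan": "No",  "likert": 3, "incidents": 2},
    {"dept": "Housing",       "sector": "Admin",     "stores_pan": "No",  "likert": 5, "incidents": 0},
    {"dept": "Continuing Ed", "sector": "Academic",  "stores_pan": "Yes", "likert": 1, "incidents": 4},
    {"dept": "Clinic",        "sector": "Medical",   "stores_pan": "No",  "likert": 4, "incidents": 0},
]


def column(rows, key):
    """Pull one variable out of the list of questionnaire rows."""
    return [row[key] for row in rows]


def mode(values):
    """Most frequently occurring value; ties are broken by the smaller value."""
    counts = Counter(values)
    top = max(counts.values())
    return min(v for v, c in counts.items() if c == top)


def median(values):
    """Middle value of the sorted data (average of the two middle values if n is even)."""
    s = sorted(values)
    n = len(s)
    mid = n // 2
    return float(s[mid]) if n % 2 else (s[mid - 1] + s[mid]) / 2


def mean(values):
    """Sum of the values divided by their number."""
    return sum(values) / len(values)


def quartiles(values):
    """Q1 and Q3 as the medians of the lower and upper halves (Tukey's hinges);
    the middle value is left out of both halves when n is odd."""
    s = sorted(values)
    half = len(s) // 2
    return median(s[:half]), median(s[-half:])


def std_dev(values):
    """Sample standard deviation (divides by n - 1): dispersion about the mean."""
    m = mean(values)
    return sqrt(sum((v - m) ** 2 for v in values) / (len(values) - 1))


def cross_tab(rows, row_key, col_key):
    """Matrix of counts: categories of row_key as rows, categories of col_key as columns."""
    cols = sorted({row[col_key] for row in rows})
    table = {}
    for row in rows:
        cell = table.setdefault(row[row_key], {c: 0 for c in cols})
        cell[row[col_key]] += 1
    return table


def correlation(xs, ys):
    """Pearson correlation coefficient: covariance over the product of the spreads."""
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    var_x = sum((x - mx) ** 2 for x in xs)
    var_y = sum((y - my) ** 2 for y in ys)
    return cov / sqrt(var_x * var_y)


def histogram(values, width=20):
    """Text bar chart: one line per distinct value, bar length proportional to its count."""
    counts = Counter(values)
    top = max(counts.values())
    return [f"{v}: {'#' * (c * width // top)} ({c})" for v, c in sorted(counts.items())]


def summarize(rows=RESPONSES):
    """Descriptive statistics of the Likert answers plus their correlation with incidents."""
    likert = column(rows, "likert")
    incidents = column(rows, "incidents")
    q1, q3 = quartiles(likert)
    return {
        "mode": mode(likert), "median": median(likert), "mean": mean(likert),
        "q1": q1, "q3": q3, "std_dev": std_dev(likert),
        "r_likert_incidents": correlation(likert, incidents),
    }


if __name__ == "__main__":
    for name, value in summarize().items():
        print(f"{name:>20}: {value:.3f}")
    for sector, cells in cross_tab(RESPONSES, "sector", "stores_pan").items():
        print(f"{sector:>10}: {cells}")
    print("\n".join(histogram(column(RESPONSES, "likert"))))
```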




Chapter 3: Project Methodology

3.1. Proposed Approach

The goal of the project is to derive a PCI regulatory compliance model by conducting detailed research on the Payment Card Industry Data Security Standard. The proposed model would serve as a guide and help determine the management actions and priorities for managing information security risks. The model would also provide guidance for implementing appropriate PCI security controls to safeguard against these risks.

The methodology used to complete the project consists of the following phases:
  I. Secondary Data Collection.
 II. Content Organization.
III. Content Analysis.
 IV. Inductive Reasoning.
  V. Assessment of Academic Institutions’ PCI Practices using the Model.
 VI. Primary Data Collection.
VII. Primary Data Analysis.




3.1.1. Secondary Data Collection

Phase I of the project methodology is the secondary data collection phase. Its main purpose is to collect secondary data for performing detailed research on the latest technologies, methodologies, policies and procedures pertinent to the topic. Secondary data collection is the collection and analysis of data already gathered by other researchers, institutions and similar bodies. Secondary data should provide clarity and give a comprehensive understanding of the project goal. Secondary data is collected from a variety of sources, which include paper-based sources and electronic sources.



The paper-based sources used for the project are (Thames Valley University, 2007):

   Books: Secondary data retrieved from books includes data related to the growth and regulation of payment card markets, business service continuity, risk assessment, the credit card industry, and e-commerce. The University of Houston Library is used for obtaining these resources.
   Journals and Periodicals: Current security issues in PCIDSS are collected from security journals and periodicals such as those of the Institute of Electrical & Electronics Engineers (IEEE).
   Research Reports: Data gathered from research reports includes projects similar to PCI regulatory compliance.



The electronic resources used for the project are (Thames Valley University, 2007):

   Online databases: Online databases utilized for the research are the Association for Computing Machinery (ACM) Digital Library, Institute of Electrical & Electronics Engineers (IEEE) Xplore, ABI/INFORM Global, Educause and Business Source Complete. The University of Houston Library online database is used to access these online resources.
   Online periodicals and journals: Whitepapers and online journals will be used for studying current developments and trends in the payment card industry.
   Search Engines: Additional data sources include data retrieved from search engines like Google and Yahoo.

During a data search, keywords like “PCI for Educational Institutions,” “Technical Solutions for PCI” and “Business Service Continuity” will help make effective use of the library resources and the Google search engine. Each article is identified by its title, author, year of publication, online source and the date it was retrieved. Figure 3.1 shows the use of keywords in search engine results and the details used to identify each article.

Figure 3.1: Data Gathering Phase. The figure shows the data search using the keywords “Technical Solutions for PCI,” “Business Service Continuity” and “PCI for academic institutions” across search engines like Google and Yahoo, online databases like ACM and IEEE, and white papers and online periodicals, together with the resource details recorded for each secondary data item: author, title, year of publication, online source and date retrieved.

3.1.2. Content Organization

The second phase in the project methodology is content organization. Organizing the collected data is important as it involves different categories of information. It is essential to sort, review, organize and save the different sets of data. EndNote X software is used to sort and organize the large volume of data into identifiable categories. EndNote X organizes references, images and PDFs in any language, and creates bibliographies and figure lists (EndNote, 2007). Each item is organized into a specific category with the name of the author, year of publication, title of the article and online source of the article.



The initial categories of data organized in EndNote X include the following; others will likely emerge as data collection proceeds.

   Technical solutions for PCI: A number of technical firms help maintain PCIDSS compliance in different organizations. These technical firms aid organizations' understanding of and compliance with PCI requirements. Technology solutions provided by the firms support the organization in maintaining an environment secured against unauthorized users (Top Layer, 2006). The PCI Security Standards Council has a set of Approved Scanning Vendors and Qualified Security Assessors who provide technical solutions for achieving PCI standards (PCI Security Standards Council, 2007). The secondary data collected from these technical analysts provides insight into PCIDSS and the need for PCI compliance. The extracted data gives a one-time solution to various security issues in an organization and facilitates the development of the PCI regulatory compliance model.



   PCI for academic institutions: Data collected about various academic institutions that are PCIDSS compliant, and about institutions that face consequences due to non-compliance with PCI standards, falls into this category. Security attacks on information systems have become increasingly frequent, sophisticated and severe. A disturbing amount of faculty, student and staff confidential information is being compromised (Core Security, 2007). The decentralized computing environments and the concept of “academic freedom” make the development of a robust PCI regulatory model both necessary and daunting (Georgia State University, 2006). The Sensitive Information Protection Policy mandates that “information systems storing or serving sensitive information should be operated on secured systems” (Georgia State University, 2006). This articulates the need for PCI compliance in academic institutions.

   PCI and Business Service Continuity: The data collected for this category is useful in analyzing the risks that arise from non-compliance with PCIDSS (Cisco, 2007). Reviewing the business continuity plans of various organizations and analyzing the business need for PCIDSS provides a better understanding of the project goal and facilitates the process of deriving the model.

   Need for PCIDSS: This category helps in understanding the need for PCIDSS by researching various institutions affected by security attacks like data breaches and studying the root cause of these attacks on both academic and non-academic institutions. The statistics are obtained from federal organizations like the Federal Trade Commission (FTC) and the Federal Bureau of Investigation (FBI) and from private security organizations like Symantec Corporation. The statistics define the business need for PCI compliance in an organization (Sterling Commerce, 2007).




Figure 3.2 shows the content organization for category I: Technology Solutions for PCI.

Figure 3.2: Content Organization for Category I in EndNote X

3.1.3. Content Analysis

Content analysis is a process of sorting and arranging large volumes of data in a systematic fashion. This phase gives a more thorough understanding of the collected data. Data collected from each source is reviewed again and analyzed to absorb key details that were missed during the first review. Reviewing each reference item again helps avoid duplication of data. If required, new categories are added to the existing database. Content analysis clears any ambiguity that arises during the project.




Affinity Analysis

Affinity analysis is performed to group the content extracted from the secondary data and to categorize the data based on the affinity the items have for each other. The affinity analysis process uses two main tools (Balance Scoreboard Institute, 2007): brainstorming ideas and the affinity diagram. Affinity diagrams are used to sort large volumes of data into categories. The affinity process provides a thorough understanding of the research topic and brings clarity in defining relationships between different groups of data (Mindtools, 2007).




3.1.4. Inductive Reasoning

The data organized during content analysis is analyzed and further observations are made. Techniques and methods are carefully selected to support the research (Lin et al., 2005). To derive the model inductively from the extracted content, a bottom-up approach would be used (Trochim, 2006). Trochim states the following steps for inductively deriving a theory using the “bottom-up” approach (Trochim, 2006):

   Making specific observations and measures.
   Detecting patterns and regularities in the observations and measures made.
   Formulating a hypothesis using the detected patterns.
   Developing general conclusions or theories.




Figure 3.3 shows the steps for inductively deriving the theory.

Figure 3.3: Inductive Reasoning - “Bottom-Up” Approach (Trochim, 2006). The figure shows the four steps as a sequence: Observation, Pattern, Hypothesis, Testing.

Trochim also states that the pattern detected in the data could lead to the development of new theories. Further enhancement of the data is achieved through progressive elaboration (U.S. Department of Interior Bureau of Reclamation, 2007).

Progressive elaboration adds more detail to the data gathered after the concepts have been analyzed inductively. Progressive elaboration provides a comprehensive understanding of the research topic. It helps define the requirements well and extract the necessary details (Whittingham, 2007). Progressive elaboration helps in narrowing down the scope of the project and elaborating the concept until the result is delivered (U.S. Department of Interior Bureau of Reclamation, 2007).




3.1.5. Assessment of Academic Institutions’ PCI Practices Using the Model


A case study at an academic institution will be performed to assess its PCI operations relative to aspects of the inductively derived model. The first step in the assessment of the model is data collection by conducting interviews and surveys at the sponsor organization. Archive data would be collected by conducting surveys and by using organizational records. Observational data would be collected by conducting personal interviews. The next step is analyzing and assessing the model based on the gathered data.

Data collected at the organization will be based on the existing procedures and policies followed to maintain PCIDSS compliance. An assessment of academic institutions' PCI practices and of the readiness of the sponsor organization relative to the derived model is performed here. The technical, business and managerial aspects of the model will be considered during the assessment process.



3.1.6. Primary Data Collection


Primary data collection is a process of collecting data from experts in a specific field using methods like surveys and interviews (Thames Valley University, 2007). Surveys and interviews are conducted to gather expert opinion about PCIDSS and business service continuity.



Surveys help analyze the problem better (Allen, 1999). The primary data collected provides a detailed understanding of the topic. Expert opinion gives the necessary direction for developing the model. Questionnaires are administered via electronic mail. E-mail surveys will be used to assess the components of the derived model (San Diego State University, 2007).



Personal interviews will be administered face-to-face in addition to the e-mail surveys. Face-to-face interviews provide more detail and clarity to the information obtained (San Diego State University, 2007). Interviews give an in-depth understanding of the topic and of the real issues an organization faced during the implementation of PCIDSS (Thames Valley University, 2007).



In addition to personal interviews and e-mail surveys, observational and archival data will be used to assess the components of the derived model. The observer will take the interrupted involvement role for collecting observational data. The interrupted involvement role lets the observer conduct interviews and obtain the needed data from the organization when required (Thames Valley University, 2007). The observer or researcher will be present in the organization sporadically to collect observational data.



Archive data is the data collected from surveys and organizational records like past projects (Yin, 1994). Archive data is a useful tool for analyzing the data collected (SIDOS, 2005). SIDOS also states that archive data aids the researcher in gaining a deeper understanding of the concept by analyzing previously published data. Archive data will be collected from the sponsor using surveys and organizational records.




3.1.7. Primary Data Analysis


The purpose of analyzing primary data is to extract usable and useful information (Thames Valley University, 2007). Qualitative analysis would be used to analyze the data collected via interviews and observations. Content analysis would be performed on the archive data collected from the sponsor organization.



Quantitative analysis of data is performed using statistical methods. These methods would be used to analyze the questionnaire data. The statistical methods that would be used to analyze the quantitative data are descriptive statistics and graphical methods like bar charts, pie charts and histograms.



Descriptive statistics are used to describe the basic features of the data in a study (Trochim, 2006). Trochim states that descriptive statistics provide simple summaries about the sample and the measures. Trochim also states that, together with simple graphical analysis, descriptive statistics form the basis of virtually every quantitative analysis of data. Further, according to Trochim, descriptive statistics help the researcher present the quantitative data in a manageable form. Graphical representation of data enhances the findings and discussions (Thames Valley University, 2007). Thames Valley University describes other methods like the correlation coefficient, which can be used to study the linear relationship between two variables. According to Thames Valley University, “a variable is a characteristic of interest that varies from one item to another and may take any one of a specified set of values or attributes.”
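As an added illustration of the questionnaire analysis described in this section and of the descriptive statistics, cross-tabulation and correlation coefficient defined earlier in the literature review, the following Python code (not part of the original project) computes those measures over a constructed set of hypothetical PCI-readiness questionnaire responses. The respondent roles, policy answers, implemented-requirement counts and readiness ratings are invented for illustration; the quartile and standard deviation conventions used are stated in the comments.

```python
"""Descriptive statistics, cross-tabulation and Pearson correlation over
constructed PCI-readiness questionnaire responses (hypothetical sample)."""
from collections import defaultdict
from math import sqrt

# Constructed sample: eight hypothetical questionnaire responses. Each record has
# two categorical variables (respondent role, whether a documented PCI policy
# exists) and two numeric variables (number of PCI DSS requirements the
# respondent reports as implemented, out of 12, and a 1-5 self-assessed
# readiness rating). All values are invented for illustration only.
RESPONSES = [
    {"role": "IT",       "policy": "no",  "implemented": 4,  "readiness": 2},
    {"role": "IT",       "policy": "yes", "implemented": 6,  "readiness": 3},
    {"role": "Business", "policy": "no",  "implemented": 6,  "readiness": 3},
    {"role": "IT",       "policy": "yes", "implemented": 8,  "readiness": 4},
    {"role": "Business", "policy": "yes", "implemented": 8,  "readiness": 4},
    {"role": "IT",       "policy": "yes", "implemented": 9,  "readiness": 4},
    {"role": "Business", "policy": "no",  "implemented": 11, "readiness": 5},
    {"role": "IT",       "policy": "yes", "implemented": 12, "readiness": 5},
]


def mean(values):
    """Arithmetic mean: sum of the values divided by their number."""
    return sum(values) / len(values)


def median(values):
    """Middle value of a sorted list, or the mean of the two middle values."""
    s = sorted(values)
    n = len(s)
    mid = n // 2
    return s[mid] if n % 2 else (s[mid - 1] + s[mid]) / 2


def quartiles(values):
    """Q1 and Q3 as the medians of the lower and upper halves (Tukey hinges).
    For an odd count the overall median is excluded from both halves."""
    s = sorted(values)
    n = len(s)
    lower = s[: n // 2]
    upper = s[(n + 1) // 2:]
    return median(lower), median(upper)


def sample_stdev(values):
    """Sample standard deviation (n - 1 denominator): dispersion about the mean."""
    m = mean(values)
    return sqrt(sum((v - m) ** 2 for v in values) / (len(values) - 1))


def describe(values):
    """Descriptive summary: mean, quartiles and standard deviation."""
    q1, q3 = quartiles(values)
    return {"mean": mean(values), "q1": q1, "q3": q3, "stdev": sample_stdev(values)}


def cross_tabulate(records, row_var, col_var):
    """Matrix of counts: categories of row_var in rows, col_var in columns."""
    table = defaultdict(lambda: defaultdict(int))
    for r in records:
        table[r[row_var]][r[col_var]] += 1
    return {row: dict(cols) for row, cols in table.items()}


def pearson_r(xs, ys):
    """Pearson correlation coefficient: strength of the linear relationship
    between two numeric variables, in the range [-1, 1]."""
    mx, my = mean(xs), mean(ys)
    num = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    den = sqrt(sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys))
    return num / den


def analyze(records=RESPONSES):
    """Run the three analyses the methodology names over the questionnaire data."""
    readiness = [r["readiness"] for r in records]
    implemented = [r["implemented"] for r in records]
    return {
        "readiness": describe(readiness),
        "role_by_policy": cross_tabulate(records, "role", "policy"),
        "r_implemented_vs_readiness": pearson_r(implemented, readiness),
    }


if __name__ == "__main__":
    result = analyze()
    print("Readiness summary:", result["readiness"])
    print("Role x documented policy:", result["role_by_policy"])
    print("r(implemented, readiness) = %.3f" % result["r_implemented_vs_readiness"])
```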




3.2. Sponsor Organization Background


The sponsor organization for this project is Service Continuity, Information Technology (IT) and IT Security at the University of Houston. IT Service Continuity was formed to provide business service continuity in the event that the University of Houston computing center becomes unavailable.



The services offered by IT Service Continuity at the University of Houston include:

   Disaster Recovery.
                 Disaster Recovery Plan.
                 Disaster Recovery Annual Test Plan.
   Service Continuity.
                 Secondary Data Center.
                 Incremental deployment of services.
   PCI Compliance.
                 Team member of the PCI Compliance Project.
                 Assistance with the certification of compliance of the UH Continuing Education department.
                 Development of PCI Compliance documentation.



Current projects include phase I of the secondary data center and a disaster recovery tabletop exercise for WebCT. Phase I of the secondary data center will have UH shipping computing equipment to the secondary data center location in Dallas, TX. The data center is scheduled to be operational from November 2008. The disaster recovery tabletop exercise for WebCT is designed to raise awareness of disaster recovery planning, to educate staff members on the recovery process and to reinforce procedures by simulating a recovery.



IT Security at the University of Houston is responsible for coordinating information security services and addressing security issues, as well as reporting on and working with IT and other departments on security matters affecting UH computers and networks.



Specific activities of the IT Security team include:

   Computer and network security: Taking action to prevent computer and network compromises and investigating them when they occur.
   Disseminating information about system vulnerabilities.
   Advising departments and colleges regarding information security concerns.
   Processing copyright violations, which includes:
                      Removing violating material from network access.
                      Locating and identifying users.
                      Advising users of violations.
                      Educating users on copyright regulations.
   Security awareness training program development and implementation.
   Assisting UH administration with compliance initiatives involving information technology components such as PCI.



UH IT's current mission and goals statement is as follows:

   To serve UH's colleges and its administrative departments by:
       Delivering a suite of highly reliable and secure technology services.
       Aligning with and serving our campus customers.
       Supporting state-of-the-art student, financial, human resources (PeopleSoft) and other information systems.
       Creating a reliable, secure, robust and cost-effective technology environment using industry best practices and technology.
       Maintaining the campus network infrastructure and our wireless footprint.
       Aggressively enhancing security at the enterprise level and in customer environments.
       Actively pursuing opportunities with UH business owners to leverage administrative and financial services.



The case study at IT Service Continuity and IT Security at the University of Houston will help analyze the business and technical aspects of PCIDSS implementation.




3.3. Project Resources


The project resources used for deriving the model and for assessing the sponsor organization relative to its components include data resources, human resources and technical resources. Data resources collected include secondary data and primary data to derive and validate the model. Information regarding the latest tools, methodologies, policies and procedures will be obtained from the secondary data search. Guidance for the project is obtained from the project committee members and the sponsor organization. Technical resources like Microsoft Project and EndNote X will help organize the data better. Communication with the committee members and sponsor organization is facilitated using electronic mail, telephone and face-to-face meetings.


3.4. Technology Used

The technology used for each of the following categories is:

   Planning: Microsoft Project will be used to plan the project. The schedule for the project is August 2007 to May 2008. Electronic mail will be used to set alert messages and reminders for each planned phase.
   Research and Analysis: The research and analysis is carried out using online search and electronic databases. The library electronic database will be used for research papers and online periodicals. EndNote X is used to organize the collected data.
   Communication: Electronic mail will be used for communication with committee members and the sponsor organization.
   Documentation and Presentation: Microsoft Word will be used for documentation and Microsoft PowerPoint will be used for the project presentation.



3.5. Proposed Project Plan


Figure 3.4 shows the project plan. The deliverables for the project include:

   Chapter I: Chapter I consists of an introduction to the project topic, the benefits of the project, the importance of doing the project and the project scope.
   Chapter II: Chapter II consists of the justification of the project from the literature.
   Chapter III: Chapter III describes the project methodology used to complete the project.
   Chapter IV: Chapter IV describes the execution of the project and a complete analysis of the findings.
   Chapter V: Chapter V summarizes the whole project and concludes the whole process followed in completing the project.

The schedule for completion of Chapters I, II and III is the end of December 2007, and for Chapters IV and V the end of May 2008. Figure 3.4 describes the project plan in Microsoft Project.




Figure 3.4: Project Plan




References

[1]. Acunetix (2007), “Payment Card Industry Compliance – Securing Both Merchant and Customer Data,” Retrieved on September 24, 2007 from http://www.acunetix.com/websitesecurity/PCI-Compliance.pdf

[2]. Adler, P.M. (2006), “A unified approach to information security Compliance,” Retrieved on September 24, 2007 from http://www.educause.edu/ir/library/pdf/erm0653.pdf

[3]. Allen, G. (1999), “Primary Data Sources,” Retrieved on November 16, 2007 from http://ollie.dcccd.edu/mrkt2370/Chapters/ch3/3prim.html

[4]. Antonopoulos, A.M. (2005), “Regulatory Compliance in Financial Services: Information Security Challenges,” Retrieved on September 24, 2007 from http://www.apani.com/pdf/RegulatoryCompliance-FinancialServices.pdf

[5]. AppLabs (2007), “PCI DSS Compliance,” Retrieved on September 24, 2007 from http://www.applabs.com/uploads/app_whitepaper_pci_dss_compliance_1v00.pdf

[6]. Bakman, A. (2007), “Using Automated, Detailed configuration and Change Reporting to Achieve and Maintain PCI Compliance, Part 4,” Retrieved on September 24, 2007 from http://www.busmanagement.com/pastissue/article.asp?art=269772&issue=195

[7]. Balance Scoreboard (2007), “Affinity Diagram, Module 4,” Retrieved on October 10, 2007 from http://www.balancedscorecard.org/files/affinity.pdf

[8]. Blount, S. (2006), “PCI Compliance: the CA Solution,” Retrieved on September 24, 2007 from http://www.ca.com/files/TechnologyBriefs/ca_solution_for_pci_compliance_v4.pdf

[9]. Brodkin, J. (2006), “TJX breach: Rethinking corp. security,” 24, 13; ABI/INFORM Global, Page 6, Retrieved on September 24, 2007 from http://www.networkworld.com/ifind/query.html?qt=TJX+breach%3A+Rethinking+corp.+security+by+JOn+Brodkin&x=55&y=5&=Go

[10]. California State University (2006), “Business Continuity Plan,” Retrieved on September 18, 2007 from http://web.csustan.edu/BF/Documents/BusContinuityPlanFinal.pdf

[11]. Caston, K.M. (2005), “Tips for Collecting, Reviewing and Analyzing Secondary data,” Retrieved on October 10, 2007 from http://pqdl.care.org/pv_obj_cache/pv_obj_id_8F453F01C87B8BB24774628B95B42BBCBD020200

[12]. Cisco (2007), “Cisco Self-Defending Network Support for PCI Data Security Standard,” Retrieved on September 18, 2007 from http://www.cisco.com/application/pdf/en/us/guest/netsol/ns625/c714/cdccont_0900aecd80500533.pdf

[13]. Core Security (2007), “Customer Success Story,” Retrieved on October 10, 2007 from www.coresecurity.com

[14]. Doan, L., Los Angeles Times (May 30, 2006), “College Door Ajar for Online Criminals,” Retrieved on October 10, 2007 from http://www.uh.edu/ednews/2006/latimes/200605/20060530hackers.html

[15]. Duval, Y. (2005), “Primary Data Collection Methods: Survey Design,” Retrieved on October 10, 2007 from http://www.unescap.org/tid/projects/artnetbk05_surveydesign.pdf

[16]. Federal Trade Commission (FTC) (2006), “Consumer Fraud and Identity Theft Consumer Data,” Retrieved on September 24, 2007 from http://www.consumer.gov/sentinel/pubs/Top10Fraud2005.pdf

[17]. FEMA (2003), “Continuity of Operations (COOP) Multi-Year Strategy and Program Management Plan Template Guide,” Retrieved on September 24, 2007 from http://www.fema.gov/pdf/government/coop/MYSPMPTemplateGuide.pdf

[18]. Food and Agriculture Organization of the United Nations (FAO, 1997), “The Role of Marketing Research,” Retrieved on October 10, 2007 from http://www.fao.org/docrep/W3241E/w3241e02.htm#TopOfPage

[19]. Glasgow Caledonian University (2004), “Sources and uses of Secondary Data,” Retrieved on October 8, 2007 from http://oassis.gcal.ac.uk/rms/irm/sd.html

[20]. GFI (2007), “PCI DSS made easy,” Retrieved on September 24, 2007 from http://www.gfi.com/whitepapers/pci-dss-made-easy.pdf

[21]. Hart, M. (2007), “Survey Analysis,” Retrieved on December 14, 2007 from www.final-year-projects.com/surveys.doc

[22]. Haverty, L. A., Koedinger, K. R., Klahr, D., & Alibali, M. W. (2000), “Solving inductive reasoning problems in mathematics: Not-so-trivial pursuit,” Vol. 24 (2), pp. 249-298, Retrieved on October 14, 2007 from http://12.238.20.107:5150/yb/cse5393/abstracts/haverty.pdf

[23]. Holland, J., Holyoak, K. J., Nisbett, R. E., & Thagard, P. R. (1987). Induction: Processes of inference, learning, and discovery. London: The MIT Press.

[24]. Imprivata Inc (2007), “PCI Data Security Standard - a Pathway to PCI Compliance,” Retrieved on September 24, 2007 from http://www.imprivata.com/custom/confirmation/resource/whitepaper/asset/a_pathway_to_pci_compliance.pdf

[25]. Johnson, M. (2006), “The PCI Data Security Standard for Service Providers Demystified,” Retrieved on September 24, 2007 from http://whitepapers.silicon.com/0,3800002489,60178285p,00.htm

[26]. King, J.L. (2007), “Four Varieties of Inductive Reasoning,” Retrieved on November 16, 2007 from http://www.uncg.edu/phi/phi115/induc4.htm

[27]. Krutz, R.L., & Vines, R.D. (2003). The CISSP Prep Guide. Canada: John Wiley & Sons, Inc.

[28]. Lin, T., & Kinshuk (2005), “Supporting Inductive Reasoning in Adaptive Virtual Learning,” Retrieved on November 16, 2007 from http://infosys.massey.ac.nz/~kinshuk/papers/wbe2005_induc_reasoning.pdf

[29]. Marshall, C., & Rossman, G. B. (1995). Designing Qualitative Research, Second edition. Thousand Oaks: Sage Publications.

[30]. Mind Tools (2007), “Inductive Reasoning,” Retrieved on October 10, 2007 from http://www.mindtools.com/pages/article/newTMC_96.htm

[31]. Mind Tools (2007), “Affinity Diagrams,” Retrieved on October 10, 2007 from http://www.mindtools.com/pages/article/newTMC_86.htm

[32]. National Science Foundation (NSF, 1997), “User-Friendly Handbook for Mixed Method Evaluations,” Retrieved on October 10, 2007 from http://www.ehr.nsf.gov/EHR/REC/pubs/NSF97-153/START.HTM#TOC

[33]. Oscarson, P. (2007), “Actual and Perceived Information Security,” Retrieved on December 14, 2007 from www.diva-portal.org/diva/getDocument?urn_nbn_se_liu_diva-10215-1__fulltext.pdf

[34]. Otterness, D. (2006), “PCI Compliance in Higher Education,” Retrieved on October 8, 2007 from http://www.it.northwestern.edu/bin/docs/Otterness072606PCI.pdf

[35]. Palmquist, M. (1980), “Content analysis,” Retrieved on October 10, 2007 from http://www.gslis.utexas.edu/~palmquis/courses/content.html

[36]. PCI Security Standards Council (2006), “About the PCI Data Security Standard,” Retrieved on September 24, 2007 from https://www.pcisecuritystandards.org/tech/index.htm

[37]. PCI Security Standards Council (2006), “Payment Card Industry Data Security Standard – Security Audit Procedures,” Retrieved on September 24, 2007 from https://www.pcisecuritystandards.org/pdfs/pci_audit_procedures_v1-1.pdf

[38]. Pitagorsky, G. (2002), “Project Management – A Stress Reduction Method: Handling Uncertainty,” Retrieved on November 14, 2007 from http://www.allpm.com/modules.php?op=modload&name=News&file=article&sid=341

[39]. San Diego State University (2007), “Primary Data collection,” Retrieved on November 14, 2007 from http://www-rohan.sdsu.edu/~renglish/470/notes/chapt06/chapter06.htm

[40]. Stake, R. (1995). The art of case research. Newbury Park, CA: Sage Publications.

[41]. Stemler, S. (2001), “An overview of Content Analysis,” Retrieved on October 8, 2007 from http://pareonline.net/getvn.asp?v=7&n=17

[42]. Sterling Commerce (2007), “Protect your Card Holder File Transfer Data Breaches,” Retrieved on September 24, 2007 from http://www.adapt2grow.net/assets/protectyourcardholderfiletransfersagainstdatabreaches.pdf

[43]. Swiss Academy of Humanities and Social Sciences (SIDOS, 2007), “The Data in Social Sciences,” Retrieved on November 16, 2007 from http://www.sidos.ch/data/advantages.asp?lang=e

[44]. Symantec (2005), “Symantec Internet Threat Report – Trends for Jan to June 07,” Vol. XII, Published September 2007, Retrieved on September 26, 2007 from http://eval.symantec.com/mktginfo/enterprise/white_papers/ent-whitepaper_internet_security_threat_report_xii_09_2007.en-us.pdf

[45]. Tellis, W. (1997), “Application of Case Study Methodology,” Retrieved on October 8, 2007 from http://www.nova.edu/ssss/QR/QR3-3/tellis2.html

[46]. Thames Valley University (2007), “Dissertation guide,” Retrieved on October 8, 2007 from http://brent.tvu.ac.uk/dissguide/hm1u3/hm1u3text3.htm

[47]. Top Layer (2006), “Payment card Industry (PCI) Compliance,” Retrieved on October 16, 2007 from http://www.toplayer.com/pdf/sbPCI.pdf

[48]. Trace Security (2007), “PCI Compliance made easy,” Retrieved on September 24, 2007 from http://www.tracesecurity.com/docs/PCI-DSS-Compliance.pdf

[49]. Trochim, W.M.K. (2006), “Descriptive Statistics,” Retrieved on December 18, 2007 from http://www.socialresearchmethods.net/kb/statdesc.php

[50]. Trochim, W.M.K. (2006), “Deduction and Induction,” Retrieved on December 14, 2007 from http://www.socialresearchmethods.net/kb/dedind.php

[51]. Tripwire (2007), “Challenges and Opportunities of PCI,” Retrieved on September 24, 2007 from www.ITCinstitute.com

[52]. U.S. General Accounting Office (1996). Content Analysis: A Methodology for Structuring and Analyzing Written Material. GAO/PEMD-10.3.1. Washington, D.C.

[53]. U.S. Department of Health & Human Services (2007), “Content Organization,” Retrieved on December 18, 2007 from http://www.usability.gov/pdfs/chapter16.pdf

[54]. U.S. Department of Interior Bureau of Reclamation (2007), “An introduction to project management,” Retrieved on November 16, 2007 from http://www.usbr.gov/excellence/Finals/FinalIntroPM.pdf

[55]. Vijayan, J. (2007), “Minnesota Gives PCI Rules a Legal Standing,” 41, 22; ABI/INFORM Global, Page 40, Retrieved on September 24, 2007 from http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9020923

[56]. Vijayan, J. (2006), “Breaches Pushing Retailers to Adopt PCI,” 41, 32; ABI/INFORM Global, Page 10, Retrieved on September 24, 2007 from http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=300071

[57]. Wenk, D., & Bertrand, C. (2005), “Data Governance - Regulatory Compliance and Business Continuity,” Retrieved on September 24, 2007 from http://www.hds.com/pdf/wp_199_data_governance.pdf

[58]. Whittingham, I. (2007), “Project Management Professional Mega guide,” Retrieved on September 24, 2007 from http://www.preplogic.com/products/mega-guides/samples/010431_PMP_Mega_Guide_Sample.pdf

[59]. Yin, R. (1994). Case study research: Design and methods (second ed.). Thousand Oaks, CA: Sage Publishing.

				