ISOL 633 Summer MAIN 2018 Residency Project – PCI DSS
The Project
This team-based Residency Project, which accounts for 20% of the overall course grade, is
comprised of two components: a research paper, and a presentation. The challenge of this Project
includes demonstrating that the team acquired a sophisticated level of knowledge about one
component of the system of the PCI DSS. Each team’s efforts should be able to be successfully
applied to the knowledge gained by its fellow student teams toward an overall, comprehensive
understanding of these crucial governing principles collectively known as the Payment Card
Industry Data Security Standard.
Unless logically inapplicable, such as when writing about historical facts, use the current version
of the guidelines: PCI DSS 3.2.
Each team is charged with researching, discussing, and presenting results about one of eight
components of the PCI DSS system:
Group One: Historical background of PCI DSS, such as the history of payments in the U.S., the
introduction of the Payment Card Industry Security Standards Council, and other general points
of knowledge that help to set the tone for the Project. We need the context from this Group.
Group Two: Just as our textbook chapters typically begin, Group One’s history lesson is
expanded here by describing some of the challenges that the three main stakeholders of payment
card systems—i.e., payment card companies (Visa, MasterCard, et al), merchants and vendors
(small, large, online, brick-and-mortar), and consumers—face vis-à-vis technologies, business
challenges, and legal challenges within the PCI domain.
Group Three: With some background and context coupled to the challenges that are evident, it
is time to explore the PCI DSS requirements. When you carefully and fully learn these (coupled
to Group Four’s work) you will be able to understand compliance. This Group will research and
discuss the first three “control objectives,” each of which includes numerous requirements:
1. Build and Maintain a Secure Network and Systems
a. Install and maintain a firewall configuration to protect cardholder data
b. Do not use vendor-supplied defaults for system passwords and other security
parameters
2. Protect Cardholder Data
a. Protect stored cardholder data
b. Encrypt transmission of cardholder data across open, public networks
3. Maintain a Vulnerability Management Program
a. Protect all systems against malware and regularly update anti-virus software or
programs
b. Develop and maintain secure systems and applications
Group Four: Continuing with the PCI DSS requirements, this Group will research and discuss
the second set of PCI DSS “control objectives,” most of which include numerous requirements:
1
4. Implement Strong Access Control Measures
a. Restrict access to cardholder data by business need-to-know
b. Identify and authenticate access to system components
c. Restrict physical access to cardholder data
5. Regularly Monitor and Test Networks
a. Track and monitor all access to network resources and cardholder data
b. Regularly test security systems and processes
6. Maintain an Information Security Policy
a. Maintain a policy that addresses information security for all personnel
Group Five: There are fewer better ways to help understand these complex guidelines, from a
practical perspective, than to learn about how “real world” stakeholders have dealt with them.
Thus, the audience needs to learn about some case studies. Research and discuss at least three
actual scenarios in which a PCI stakeholder has dealt with, or failed to comply with, PCI DSS.
Tell us some stories. Make sure to include at least three subjects: (1) an online retailer; (2) a
small, local business (such as a barber shop, bookstore, or restaurant); and (3) a law firm, large
or small. You may choose more than three subjects, but do not expand so much so that you are
unable to tell a full story about your chosen subjects.
Group Six: Next comes some analysis. This Group examine and discuss PCI DSS in a limited,
albeit complementary, way. Look specifically at Kentucky’s laws, regulations, and business
practices in order to examine PCI DSS from a state-level perspective. Are there other Kentucky
laws that govern payment cards? What Kentucky laws implicate PCI DSS? What are some things
that Kentucky business leaders need to be aware of when they accept payment cards at their
establishments?
Group Seven: In further analyzing PCI DSS, and without necessarily homing in on Kentucky
stakeholders, what other American laws or regulations might relate to, implicate, or otherwise
find a nexus with PCI DSS? Here, the audience needs to understand, as you will, that PCI DSS
does not operate in a vacuum. Rather, like most of what we’ll learn in ISOL 633, there are
numerous laws, regulations, and other governing principles that interact with PCI DSS to form
an overall governance model.
Group Eight: This enviable Group gets the opportunity to examine and explain two PCI DSS
concepts. First, tell us what’s wrong with PCI DSS. Has it become outdated or irrelevant in some
way, or is it lagging behind modern technologies? Secondly, what is on the horizon for PCI DSS
stakeholders, especially for the merchants and vendors?
The Research
Please utilize the University’s wealth of library resources, as well as alternative scholarly or legal
resources as appropriate.
While it is not prohibited to use other, non-scholarly resources, the key to compiling a cogent,
informed Residency Project in our course is to focus on peer-reviewed, scholarly articles and the
laws, regulations, and legal cases that surround PCI DSS. The balance should weigh heavily
2
toward those resources, although some other magazine, newspaper, or website sources may help
you.
•
•
•
•
•
•
Peer-reviewed sources
Law Review
Scientific journals
Scholarly Journals
EBSCO
ProQuest
UC Library IS Guide
•
•
•
•
•
•
Acceptable Sources
Court cases
Legal Restatements
News articles
News magazines
Professional magazines
Articles from experts in
the field of study
•
•
•
•
•
Unacceptable Sources
Wikipedia
Open Source
General blogs
Vendor White papers
Social Media Posts
The Writing
The research paper that you produce must be in APA style, as discussed. Style affects all
components of the paper from margins and font choice to overall structure to references
citations, including proper citation of laws and court cases.
In addition to using the APA style to guide your work, your team should also keep in mind the
scoring rubric that is provided at iLearn. The more that your work answers the call of that rubric,
the higher your score will be.
It is important to write well both in academia and in your professional lives. This is not only
because communicating well is part of being a professional, but also because poorly written
work detracts from the value of the work. Readers, intentionally or not, equate badly grammar,
pore speling, and other English righting mistakes with incomplete research or unpersuasive
arguments. Perhaps that is in error—i.e., it is not actually the case that all poorly written work is
dispensable—though that effect cannot be ignored.
The paper should be written according to APA rules, and is to be between five and 10 total
pages. Fewer than five pages will result in proportionate deductions, and pages beyond 10 will
not be considered. Your team must submit both the paper and the PPT in iLearn no later than
Monday, June 18. Residency Project scores will be recorded no later than Monday, June 25.
The Presentation
On Sunday, June17, your team will conduct a presentation of your research to the class. All team
members must participate. Each team will have approximately 15 minutes. It is highly
recommended that a rehearsal or practice run is accomplished before the formal presentation. As
you know, when a presenter begins by fumbling with the technology, or otherwise appearing
unprofessional, much like poor writing, the message loses its value. Your team should reflect
your subject matter expertise about the PCI DSS component assigned, and be prepared to answer
questions.
3
Purchase answer to see full
attachment