Payment card industry


The Experts below are selected from a list of 1896 Experts worldwide ranked by ideXlab platform

Tzicker Chiueh - One of the best experts on this subject based on the ideXlab platform.

  • Tracking payment card data flow using virtual machine state introspection
    Annual Computer Security Applications Conference, 2011
    Co-Authors: Jennia Hizver, Tzicker Chiueh
    Abstract:

    Credit and debit card payment processing systems are key elements in financial transactions. Negligence in securing these systems makes them vulnerable to hacking attacks, which may lead to significant monetary losses for both merchants and the financial organizations. To reduce this risk, mandatory security compliance regulations, such as the Payment Card Industry Data Security Standard (PCI DSS), were developed and adopted by the industry. A key prerequisite of the PCI DSS compliance process is the ability to identify the components of the payment systems directly involved with the card data (i.e. those that process, transmit, or store it). However, existing data flow tracking tools cannot fully automate the process of identifying system components that touch card data, because they either cannot examine encrypted communications or they use an instrumentation-based approach and thus require a priori detailed knowledge of the payment card processing systems. We describe the implementation and evaluation of a novel tool to identify the card data flow in commercial payment card processing systems running on virtualized servers. The tool performs real-time monitoring of network communications between virtual machines and inspects the memory of the communicating processes for unencrypted card data. Our implementation does not require instrumentation of application binaries and can accurately identify the system components involved in card data flow even when the communications among system components are encrypted. Effectiveness of this tool is demonstrated through its successful discovery of the card data flow of several open- and closed-source payment card processing applications.

  • Automated discovery of credit card data flow for PCI DSS compliance
    Symposium on Reliable Distributed Systems, 2011
    Co-Authors: Jennia Hizver, Tzicker Chiueh
    Abstract:

    Credit cards are key instruments in personal financial transactions. Credit card payment systems used in these transactions and operated by merchants are often targeted by hackers to steal the card data. To address this threat, the payment card industry establishes a mandatory security compliance standard for businesses that process credit cards. A central prerequisite for this compliance procedure is to identify the credit card data flow, specifically, the stages of the card transaction processing and the server nodes that touch credit card data as they travel through the organization. In practice, this prerequisite poses a challenge to merchants. As the payment infrastructure is implemented and later maintained, it often deviates from the original documented design. Without consistent tracking and auditing of changes, such deviations in many cases remain undocumented. Therefore, building the credit card data flow for a given payment card processing infrastructure is considered a daunting task that at this point requires significant manual effort. This paper describes a tool that is designed to automate the task of identifying the credit card data flow in commercial payment systems running on virtualized servers hosted in private cloud environments. This tool leverages virtual machine introspection technology to keep track of credit card data flows across multiple machines in real time without requiring intrusive instrumentation of the hypervisor, virtual machines, middleware or application source code. Effectiveness of this tool is demonstrated through its successful discovery of the credit card data flow of several open- and closed-source payment applications.

Vikas Singh - One of the best experts on this subject based on the ideXlab platform.

  • A survey of payment card industry data security standard
    IEEE Communications Surveys and Tutorials, 2010
    Co-Authors: Jing Liu, Srinivas Dodle, Suat Özdemir, Hui Chen, Yang Xiao, Vikas Singh
    Abstract:

    Usage of payment cards such as credit cards, debit cards, and prepaid cards continues to grow. Security breaches related to payment cards have led to billion-dollar losses annually. In order to offset this trend, major payment card networks have founded the Payment Card Industry (PCI) Security Standards Council (SSC), which has designed and released the PCI Data Security Standard (DSS). This standard guides service providers and merchants to implement stronger security infrastructures that reduce the risks of security breaches. This article mainly discusses the need for the PCI DSS and the data security requirements defined in the standard to address the ongoing security issues, especially those pertaining to payment card data handling. It also surveys various technical solutions, offered by a few security vendors, for merchant companies and organizations involved in payment card transaction processing to comply with the standard. The compliance of merchants or service providers with the PCI DSS is assessed by PCI Qualified Security Assessors (QSAs). This article thus discusses the requirements to become a PCI QSA. In addition, it introduces the PCI security scanning procedures that guide the scanning of security policies of a merchant or service provider and the preparation of relevant reports. We believe that this survey sheds light on potential technical research problems pertinent to the PCI DSS and its compliance.

Cihan Cobanoglu - One of the best experts on this subject based on the ideXlab platform.

  • A financial analysis of the payment card industry compliance journey of a hotel: a case study
    The Journal of Hospitality Financial Management, 2010
    Co-Authors: Katerina Berezina, Cihan Cobanoglu
    Abstract:

    Payment card transactions have become an essential part of hotel operations. The purpose of this study is to explore the procedure, approximate the cost, and describe the real-life hotel experience of becoming PCI compliant in order to provide guidelines and approximate expenses for recently opened hotels and for existing ones that are not PCI compliant. A case study method approach was used. One hotel located in the Northeast part of the U.S. agreed to participate in this study. This limited-service 120-room hotel is a major brand franchisee and is operated by a management company. We collected the data through a structured interview with the general manager of the hotel. Findings indicated that the cost of being PCI compliant is not easy to calculate, as many of the costs were integrated into typical costs of the hotel such as the franchise fee and IT budget. Findings also suggested the key elements every hotel is required to invest in to become PCI compliant, including secure PMS/POS systems with firewalls and a...

  • Payment card industry data security standards (PCI DSS) compliance in restaurants
    The Journal of Hospitality Financial Management, 2010
    Co-Authors: Kutay Kalkan, Francis A Kwansa, Cihan Cobanoglu
    Abstract:

    In order to improve the security of customer data, the credit card companies have come together to create a security standard, called the Payment Card Industry Data Security Standard (PCI DSS), which involves mandatory requirements for merchants that accept credit card transactions. All restaurants that accept a credit card must comply with PCI DSS. The purpose of the study was to examine the PCI DSS compliance levels of Quick Service, Casual/Family and Fine Dining restaurants. A random sample of 1000 restaurant managers who are in charge of information technology at their companies and are subscribers of Hospitality Technology Magazine were surveyed. One hundred ninety managers responded to the survey. The results indicate that restaurants are far from full compliance with PCI DSS. This may have significant financial and non-financial consequences for restaurant owners and operators.

  • Payment card industry data security standard compliance in restaurants
    The Journal of Hospitality Financial Management, 2008
    Co-Authors: Kutay Kalkan, Francis Kwansas, Cihan Cobanoglu
    Abstract:

    In order to improve the security of customer data, the credit card companies have come together to create a security standard called the Payment Card Industry Data Security Standard (PCI DSS), which involves mandatory requirements for merchants that accept credit card transactions. All restaurants that accept a credit card must comply with PCI DSS. The purpose of the study was to examine the PCI DSS compliance levels of quick-service, casual/family, and fine dining restaurants. A random sample of one thousand restaurant managers who are in charge of information technology at their companies and were subscribers of Hospitality Technology magazine were surveyed. One hundred ninety managers responded to the survey. The results indicate that restaurants are far from full compliance with PCI DSS. This may have significant financial and non-financial consequences for restaurant owners and operators.