Implementing the Payment Card Industry (PCI) Data Security Standard (DSS)

Enda Bonner, John O' Raw, Kevin Curran

Abstract


Underpinned by the rise in online criminality, the payment card industry (PCI) data security standards (DSS) were introduced which outlines a subset of the core principals and requirements that must be followed, including precautions relating to the software that processes credit card data. The necessity to implement these requirements in existing software applications can present software owners and developers with a range of issues. We present here a generic solution to the sensitive issue of PCI compliance where aspect orientated programming (AOP) can be applied to meet the requirement of masking the primary account number (PAN).  Our architecture allows a definite amount of code to be added which intercepts all the methods specified in the aspect, regardless of future additions to the system thus reducing the amount of work required to the maintain aspect. We believe that the concepts here will provide an insight into how to approach the PCI requirements to undertake the task. The software artefact should also serve as a guide to developers attempting to implement new applications, where security and design are fundamental elements that should be considered through each phase of the software development lifecycle and not as an afterthought.


Full Text:

PDF

References


FBI. Federal Bureau of Investigation Internet Crime Report. 2009; http://www.ic3.gov/media/annualreport/2009_IC3Report.pdf

Docksey R. PCI DSS - Closing the Loop on `Card Not Present' Fraud. The Institution of Engineering and Technology Conference on Crime and Security. London. 2006: 27-37.

Liu J, Xiao Y, Chen H, Dodle S, Singh V. A Survey of Payment Card Industy Data Standard. IEEE Communications Surveys & Tutorials. 2010; 12(3): 287-303.

Rowlingson R, Winsborrow R. A comparison of the Payment Card Industry data security standard with ISO17799. Computer Fraud & Security. 2006; (16)3: 16-19.

Berinato S. Data Breach Notification Laws, State by State. CSO Online, February 12th 2008 http://www.csoonline.com/article/221322/cso-disclosure-series-data-breach-notification-laws-state-by-state

Fabry HW. Database Vault: Enforcing Separation of Duties to Meet Regulatory Compliance Requirements. 12th International IEEE Enterprise Distributed Object Computing Conference. Munich. 2008: xxi.

Blackwell C. The Management of Online Credit Card Data using the Payment Card Industry Data Security Standard. 3rd International conference on Digital Information Management (ICDIM 2008). London. 2008: 22-30

McMillan R. Hotels.com Customer Data Stolen. PCWorld Magazine. June 3rd 2006. http://www.pcworld.com/article/125962/hotelscom_customer_data_stolen.html

PCI DSS. ‘Requirements and Security Assessment Procedures’ PCI Security Standards Council. Wakefield, MA. USA. 2008.

Campara D, Mansourov N. How to tackle security issues in large existing/legacy systems while maintaining development priorities. IEEE Conference Technologies for Homeland Security. Georgia. 2008: 167-172.

Gamma E, Helm R, Johnson R, Vlissides J. Design Patterns: Elements of Reusable Object-Oriented Software. Boston: Addison-Wesley. 1998

Zhang C, Jacobsen H. Aspectizing Middleware Platforms. University of Toronto Technical Report. CSRG-466. January 2003

Henning M. The Rise and Fall of CORBA. ACM Queue Journal. 2006; 5(4): 28-34.

Steed H. Encapsulating Legacy Software for Use in Client/Server Systems. Proceedings of the Third Working Conference on Reverse Engineering. Monterey, CA. 1996: 104:119.

Nordbotten N. XML and Web Services Security Standards. IEEE Communications & Surveys Tutorial. 2009; 11(3): 4-21.

Laddad R. Aspect-orientated programming will improve quality. IEEE Software. 2003; 20(6): 20-21.

Miller S. Aspect-orientated programming takes aim at software complexity. IEEE Transaction on Computer. 2001; 32(4): 18-21.

Morse E, Raval V. PCI DSS: Payment card industry data security standards in context. Computer Law & Security Report. 2008; 24(6): 540-554.

Mattsson U. A Database Encryption Solution That Is Protecting Against External and Internal Threats and Meeting Regulatory Requirements. 2004. http://www.net-security.org/article.php?id=715

NIST (2001) Announcing the Advanced Encryption Standard (AES), http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf

Coyler A, Clement A. Aspect-orientated programming with AspectJ. IBM Systems Journal. 2005. 44(2): 301-308.




DOI: http://dx.doi.org/10.12928/telkomnika.v9i2.709

Article Metrics

Abstract view : 166 times
PDF - 183 times

Refbacks

  • There are currently no refbacks.


Copyright (c) 2014 Universitas Ahmad Dahlan

TELKOMNIKA Telecommunication, Computing, Electronics and Control
ISSN: 1693-6930, e-ISSN: 2302-9293
Universitas Ahmad Dahlan, 4th Campus, 9th Floor, LPPI Room
Jl. Ringroad Selatan, Kragilan, Tamanan, Banguntapan, Bantul, Yogyakarta, Indonesia 55191
Phone: +62 (274) 563515, 511830, 379418, 371120 ext. 4902, Fax: +62 274 564604

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.

View TELKOMNIKA Stats