INFORMATION TO TECHNOLOGY

 

Instructions

To complete this assignment, you will need the attached files and the Small Merchant Guide to Safe Payments documentation (click link to download) from the Payment Card Industry Data Security Standards (PCI DSS) organization.

Please read the instructions carefully and ask questions if anything is unclear.  You must use the attached template to complete this assignment.  The PowerPoint presentation (PDF) Effective Professional Memo Writing provides other essential information to help guide your work on this assignment.

The ability to communicate effectively is a critical skill for all students and is required for success in the workplace.  UMGC has a variety of resources to help students.  The Effective Writing Center is available through the "Resources" link on the Navigation bar. You are strongly encouraged to avail yourself of these resources.  Your writing abilities will be graded as part of the assignment. 

MEMORANDUM

TO: Chief Executive, Anne Arundel County

FROM: Your Name

RE: Enter Subject

DATE: Enter Date

Risk Assessment Summary

This is only placeholder text; be sure to read the Assignment Instructions for specific details about what should be included in this section and the sections that follow. To get started right away, just select any placeholder text (such as this) and start typing to replace it with your own. Be sure to remove any placeholder text before submitting your assignment. Do not change font size, type or page margins. Text should be single spaced, with one ‘hard return’ at the end of each paragraph, which will add a blank line between paragraphs. There should also be one hard return after the subtitles.


Background

To get started right away, just select any placeholder text (such as this) and start typing to replace it with your own. Text should be single spaced, with one ‘hard return’ at the end of each paragraph which will add a blank line between paragraphs. There should also be one hard return after the subtitles.

Concerns, Standards, Best Practices

To get started right away, just select any placeholder text (such as this) and start typing to replace it with your own.

Example of a second paragraph: Text should be single spaced, with one ‘hard return’ at the end of each paragraph which will add a blank line between paragraphs. There should also be one hard return after the subtitles.

Action Steps

To get started right away, just select any placeholder text (such as this) and start typing to replace it with your own. Text should be single spaced, with one ‘hard return’ at the end of each paragraph which will add a blank line between paragraphs. There should also be one hard return after the subtitles.


Effective Professional Writing: The Memo

Adapted from a presentation by Xavier de Souza Briggs, Department of Urban Studies and Planning, MIT

IFSM 201

Licensing Information: This work, “Effective Professional Writing: The Memo”, a derivative of Effective Professional Writing: The Memo by the Massachusetts Institute of Technology, is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. “Effective Professional Writing: The Memo” by UMGC is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

“To do our work, we all have to read a mass of papers. Nearly all of them are far too long. This wastes time, while energy has to be spent in looking for the essential points. I ask my colleagues and their staffs to see to it that their Reports are shorter.”

– Winston Churchill, August 9, 1940

– Source (a one-page read): Churchill’s “Brevity” memo

Writing Memos

The context of professional writing

Why write memos?

How to write them?

How to make them better?


The Context

The workplace or field:

◦ Time is precious.

◦ Information has substantive as well as political implications.

The decision-maker as reader:

◦ Busy and distracted (attention “spread thin”), not necessarily patient while you get to the point.

◦ Info needs are varied, unpredictable, fluid.

◦ Decision-maker sometimes offers vague instructions.


Academic vs. professional writing

Differences (when writing concisely)

◦ The academic reader often demands nuance and relevance to established lines of thinking, while the professional reader wants the “so what’s” for their decision making emphasized (relevance to their actions).

◦ An academic assignment assumes a small and benevolent audience, but professional documents can be “leaked,” end up in the hands of unintended readers.

Similarities

◦ Strong essays and strong memos both start with your main ideas, but essays usually build toward conclusion and synthesis. The memo’s conclusions are usually right up top.

◦ In both, persuasive argument = clear viewpoint + evidence

◦ In both, addressing counter-arguments tends to strengthen your case.


Top mistakes in memos

Content:

◦ off point or off task (major substantive omissions, given the request);

◦ impolitic (risks political costs if leaked);

◦ inappropriate assumptions as to background knowledge;

◦ no evidence.

Organization:

◦ important info “buried,”

◦ no summary up top, format confusing, not “skim-able.”

◦ sentences long and dense,

◦ headings an after-thought.

Style:

◦ language too academic, too “preachy,” or too casual;

◦ sentences long and/or dense.

Why write memos?

Professional communication

◦ Efficient

◦ Persuasive

◦ Focused

Two types of memos:

◦ Informational (provide analytic background)

◦ Decision or “action” (analyze issues and also recommend actions)


Consider Your Message in Context

Purpose, Audience, Message

Use a Clear Structure

Summary:

◦ Summarize the entire memo

◦ Highlight major points to consider

Background:

◦ State the context

Body:

◦ Prove it, analyze it, address counter arguments (if any)

Conclusion:

◦ Outline Next Steps or Next Questions


Action Memos: Recommend Decisions

Summary:

◦ Summarize the entire memo, clearly, but more importantly, concisely

◦ State the broad recommendation(s)

◦ If the decision-maker reads only this section/paragraph, will he/she know what the situation is/recommendation(s) is/are (without necessarily knowing specific action steps)

Background:

◦ Provide the context

Body:

◦ Prove it/Analyze it, perhaps with pros/cons by option (if there are multiple options)

Conclusion:

◦ Outline next steps, don’t merely restate recommendation(s)


Tip: Construct a Clear, Concise, Coherent Argument

In your opening summary, you may use more than one sentence to describe overall goals or recommendations; however, as an exercise it typically helps to try to state your argument in one sentence. Expand on the sentence as needed as you construct your opening summary.

Examples:

◦ In order to recreate the organization’s image and reorganize our internal structure in the next 6 months, we should focus on X, Y and Z.

◦ While the company is in compliance with State of California Privacy laws with respect to X, Y and Z, there are two areas that still need to be addressed to reach our goal of 100% compliance: A and B.


2/23/22, 11:26 AM Ethics

https://learn.umgc.edu/d2l/le/content/628580/viewContent/25128647/View 1/17

Ethics

Computers, like any other tool, can be used for the best of purposes or manipulated to accomplish outcomes that are dangerous or illegal. There are well-established standards or guidelines that define the appropriate use of information technology (IT) and all the associated systems that support this technology—computers, networks, and so on. These guidelines form the basis of IT ethics.

Codes of Conduct: The Particular to the General

We will begin our study of ethics in the information technology setting by looking first at those issues that more immediately affect the employee in the document that describes use of the organization's IT resources: primarily computers and access to the internet. Subsequently, we will investigate the policies and guidelines that define the employee's expected behaviors related to more than just IT use—the employee code of conduct. Finally, we will look at the standards that outline the employee's relationship to the larger world outside the immediate organization.

User Access Agreements

Organizations expect employees to act ethically in all situations related to workplace behavior and use of the employer's resources. To act ethically means to make sound decisions about what is right and wrong and to act accordingly. Every time employees log onto their computers and click to accept the user access agreement, they agree to abide by the rules specified by the user access agreement.


Unauthorized "Surfing"

Rajiv is a new intern in the purchasing department at ABC Corporation. He completed orientation and systems training during the first week at work and is now eager to start working. Every morning Rajiv's manager promises to meet and give him assignments, but his manager just can't seem to fit Rajiv's training time into his schedule. Day after day, Rajiv comes to work, logs into his computer, clicks "I accept" on the user access agreement, then opens his company-provided email account and the internet browser installed on his work computer.

Rajiv has internet access at work for conducting company business by email and for ordering supplies and services. Since Rajiv doesn't have any work to do, he rationalizes that a little surfing on the computer wouldn't hurt anything, and it would keep him from getting so bored every day. The following week Rajiv's manager asks to speak with him privately. He tells Rajiv that he's been fired for surfing the internet, which violates the company's user access agreement. Each time Rajiv clicked "I accept" on the user access agreement, he agreed to abide by the company's policy.

The user access agreement consists of rules outlining the activities that are acceptable and those that are not when using the employer's computers, network, e-mail system, website, databases, and any other forms of IT-related resources. This agreement is often called an acceptable use policy. What type of language might such an agreement contain?

Acceptable Use Policy (adapted from UMGC, 2018):

Though the list here is brief, a well-written user access agreement will contain a longer and more exact list of acceptable and unacceptable behaviors related to use of the company's computers and IT resources. Effective user access agreements will also contain examples of what is considered acceptable and unacceptable use, along with the sanctions or penalties for misusing the company's resources. Generally, you will find specific sections that deal with security, online etiquette, and valid use or misuse of the organization's resources.

1. Employees should use only the computer systems, network accounts, and computer applications and files that they are authorized to use.

2. Employees may not use another employee's network account or attempt to steal or ascertain another employee's password.


3. Employees are responsible for all computer resources assigned to them, including both hardware and software, and shall not enable or assist unauthorized users to gain access to the company's network by using a computer.

4. Employees must not share their passwords with other employees or nonemployees and must take all reasonable steps to protect their passwords and secure their computer systems against unauthorized use.

5. Employees may not attempt to gain access to protected/restricted portions of the company's network or operating system, including security software and administrative applications, without authorization.

6. Employees must not use the company's computer resources to deploy programs, software, processes, or automated transaction-based commands that are intended to disrupt other computer or network users or damage software or hardware components of a system.

7. Employees are responsible to promptly report any theft, loss, or unauthorized access of the company's network system, or illegal disclosure of any proprietary information.

Note: If you conduct additional research on the topics here, you may find differences in how the components or documents are labeled: agreements, policies, guidelines, standards.

An example of a modifiable template for a complete user access agreement (http://www.sans.org/security-resources/policies/Acceptable_Use_Policy.pdf) (more commonly called an acceptable use policy) is provided by the SANS Institute (2014).

Rajiv's mistake was that he violated the user access agreement by surfing on the internet when he didn't have any work to do. Clicking "I accept" on the user access agreement is necessary to gain computer access. It is of paramount importance to know and comply with the terms of the agreement to maintain your computer access.

You might argue that Rajiv was never warned that his actions were violating the user access agreement, or that his supervisor was at fault for not finding the time to complete Rajiv's training. The scenario is lacking several critical details as to why this action was taken. The language of the user access agreement must be specific as to the actions to be taken when a violation occurs. For example, Rajiv's employment termination might have been a result of a sanction such as this: "Failure to observe these policies will result in immediate disciplinary action or termination at the discretion of the offending party's supervisor or department head."


Rajiv had completed orientation and system training, and it is assumed that he knew the contents of the user access agreement. And when Rajiv clicked on the "accept" button when logging onto the internet, he was acknowledging that he understood the actions allowed and prohibited by the user access agreement.

The Employee Code of Conduct

Expected Behaviors in an Organization

Compliance with the user access agreement is one of an employee's expected behaviors within the organization. A user access agreement is typically part of a larger document that outlines both the mission of the organization and the organization's approach to employee behavior on the worksite. This document, often called the "employee code of conduct," contains the following (New South Wales Government, Industrial Relations, n.d.):

policies that outline the principles and practices that enable an organization to meet its stated mission or purpose

the steps the organization will take in dealing with operational activities and how to respond to requirements to comply with federal and state legislation and regulations

procedures that explain how to perform tasks and duties, who is responsible for what tasks, and how the duties are to be accomplished

guidelines listing appropriate behaviors (and sanctions for violation of these behaviors) related to a range of topics: harassment, safety, workplace attendance, drug and alcohol use in the workplace, religious exercise, and computer use, for example

So the user access agreement previously discussed would be a specific example of a set of guidelines that might be found in such a document.

These policies, steps, procedures and guidelines define the "what and when" for running the organization and also define the organization's expectations of all employees collectively. The "what and when" in the organization means what needs to be done and when it needs to be finished.

What's the Difference Between Policies and Guidelines?


In an organization, employees are responsible for complying with both policies and guidelines. Both are binding and are enforced, and both concern the organization's operation. The major differences between the two have to do with the authoring body and specificity. Policies tend to be larger, relatively static documents authored and approved by an organization's governing body, most often its board of directors. Policies are intended to be useful and applicable over time. To that end, they are normally written with some degree of flexibility so that they can be adapted to changing circumstances. Specific penalties and expectations are not usually included in a policy.

Guidelines are based on policy, but they tend to focus on a specific series of steps in the functional area. Guidelines are normally approved and changed by the department or division most affected by them. This approach puts authority in the hands of knowledgeable staff. Because fewer individuals are involved in the drafting and approval process, guidelines can be changed and adapted more quickly than policies. Guidelines are typically much more explicit than policies in defining what's allowed and specifying the penalties for particular violations.

For example, an organization's policy may state that everyone needs to have a user ID and password to access a desktop computer. The organization's guidelines may state that the password must contain eight characters with at least two numeric digits and two uppercase letters.

As a general rule, an employer expects you to behave as a responsible, mature, and ethical person. In day-to-day terms, this means being respectful of your coworkers and of the organization's resources. Be aware that your use of the organization's resources can have an effect on others' use of them. Broadly, it's expected that you will:

maintain the security and confidentiality of your user ID and password

take care of any property assigned to you

use your knowledge of organizational information in a responsible way

use the organization's supplies and services for official purposes only

be respectful of others' property and privacy rights

As it relates specifically to use of computer resources, the code of conduct outlines the employer's expectation that computers, email, and the internet will be used primarily to conduct the company's business.

Professional Associations and Codes of Conduct


Codes of Conduct

We've covered the user access agreement and learned about an organization's policies and guidelines as applicable to the employee code of conduct within an organization. Another way to look at what we've covered is that we first described the expected, ethical behavior of the individual as outlined in the user access agreement. Next, we learned that policies and guidelines define the "what and when" for running the organization and also define the organization's expectations of all employees collectively (as found in an employee code of conduct).

Now, we take one step further in our discussion to describe general standards applicable to and the behaviors that are expected of individuals who belong to professional associations or who have obtained certifications in a particular field of expertise. How do these codes of conduct differ from those written for a particular company, business, or institution?

Many professional careers are not regulated by any external bodies such as federal and state governments. Unlike doctors or accountants, for example, IT professionals do not have specific regulations that govern their behavior, outside of established laws regarding any type of illegal activity. Thus, professional organizations like those supporting IT professionals develop a code of ethics, which is intended to guide and govern the behaviors of its members. This, in one sense, is an attempt at self-regulation and ensuring that the members demonstrate behaviors that reflect positively on the organization and that profession as a whole.

When you look at the codes of ethics for such groups as the Association for Computing Machinery or the SANS Institute, you will find many of the same topics addressed as those found within any single organization's employee code of conduct—being respectful of others' property and privacy rights, using resources only when authorized to do so, using knowledge of organizational information in a responsible way, and the like. The basic elements of the code of ethics in professional associations revolve around members conducting themselves "honorably, responsibly, ethically, and lawfully so as to enhance the honor, reputation, and usefulness of the profession" (NSPE, 2007).

These professional associations provide a collective voice for members who are focused on a particular field of expertise. The associations attempt to promote professional ethical standards among their members. But the code of ethical conduct for a professional association is written with less specificity than an employee code of conduct. The contents are presented as standards of behavior and do not include the details of "who, what, and when" that are found in an employee code of conduct. In a code of ethical conduct for a professional organization, you might find phrases such as:


"I shall perform with honesty and integrity in all my professional relationships."

"I shall not use my knowledge and experience in the field to take advantage of others, thereby achieving personal gain."

"I shall be willing to share my knowledge and expertise with others and always act in such a way that reflects favorably on my profession."

Of course, these same standards of behavior are part of any employee code of conduct, but in that setting, there are generally specific policies and guidelines to be followed in support of these standards. If we look at one item in all three documents (the ethical code of conduct for a professional association, the employee code of conduct, and the user access agreement), the same topic might be addressed in the following ways:

Ethical Code of Conduct for a Professional Association: "I shall protect the privacy and confidentiality of all information entrusted to me."

Employee Code of Conduct: "The employee will maintain the security and confidentiality of his/her user ID and password."

User Access Agreement: "The user ID and password are to be used only by the authorized owner of the account and only for the authorized purpose specified by the owner's job description."

An IT professional with a network engineering certification, faculty members in a university with membership in the Middle States Association of Colleges and Schools, or a union plumber working on a construction site are a few examples of individuals who, by virtue of their membership in a particular professional association, have subscribed to the code of ethical conduct for that organization. Professional certifications and memberships convey an assurance that the individual with the certification or membership has agreed to abide by the established code of conduct.

One reason organizations hire certified professionals is to establish themselves as organizations with competent and ethical professional employees. The rapidly changing nature of technology makes a general standards approach very practical—it's much easier for organizations to rely on the credentials established by the certifying professional organizations and boards than to hire employees without knowing their level of expertise or their ethical and moral standing. An organization with a highly ethical and competent staff distinguishes itself because the general standards of competency have a high level of credibility in the workplace.

Standards and Behavior

Jenna is a network engineer and holds a Microsoft Certified Solutions Expert (MCSE) certification. This certification attests to Jenna's ability to design and implement computer network systems. Chad holds several Certified Information Systems Security Professional (CISSP) credentials. These credentials signify that Chad has the experience to handle all issues related to information systems in business environments, particularly those that relate to security of the systems. To obtain these professional certifications and credentials, Jenna and Chad had to agree to act in accordance with high moral and ethical standards in all activities related to that profession. They also had to pass examinations to prove that they had the appropriate subject knowledge. Therefore, a professional certification attests not only to Jenna's and Chad's subject knowledge, but also to their high ethical standards and behavior in their professional lives.

IT Ethical Issues

Software Piracy

Even though you have purchased a legitimate copy of this software for your use, lending it to another person, even for a short time, is a violation of the license agreement you agreed to when you installed the software on your machine. You are not allowed to lend (or borrow) software, and doing so is a violation of copyright law. In general, US copyright law makes it illegal to distribute or reproduce copyrighted work without the consent of the copyright holder. These laws have a long history in the United States, and they are rooted in the idea that strong intellectual property rights encourage invention and creativity.


Legal to Lend?

Jeff is upgrading his computer and has an old version of a document creation/editing program. He asks to borrow your installation CDs for the newer version of the same software application to load onto his machine until he has a chance to purchase his own copy. You give him the CDs, and he loads the program on his machine. But when he attempts to open the program, he gets notification that he needs to register the application. He uses the activation code that is still attached to the back of the set of CDs you lent him. Eventually, Jeff purchases his own copy of the software and loads it on his machine.

It can be difficult to understand that software piracy is theft because the thief isn't taking anything physically, and because retail merchants are not present when the theft occurs. It may seem strange that you can purchase something legally (like an iTunes song or an e-book), and its use will become illegal if you load it more than the allowed number of times. On the other hand, if you purchased a hardcover or paperback book, a music CD, or a movie on a DVD, you can lend that item to as many people as you wish (as long as they do not make copies).

Piracy, a type of software theft, occurs when software is illegally copied, registered, activated, released, or sold. Software includes data files, music files, videos, pictures, game files, e-books, computer applications, and operating system programs.

Software owners register or copyright their work to protect it. Software owners specify the method and terms by which the software is distributed or shared with users. So if you purchase a song from the iTunes store, you can load it or sync it with as many Apple devices as you own and up to five computers that you own, but you cannot legally sync or load songs from someone else's computer or Apple device to yours. To do so would constitute an infringement of the copyright on the song and transfer process claimed by Apple. Or you can purchase an e-book and download it to your computer and then transfer it to one or more electronic readers that you own—but you cannot transfer the book legally to someone else's electronic reader.

The victims of piracy are software manufacturers, writers, programmers, and owners of the software. Ultimately, legitimate customers who purchase software are victims of piracy as well, because the purchase price of software must increase in order to cover the losses incurred by theft.

What Is Copyright and Does It Really Apply to Digital Media?


What Is Copyright?

Copyright refers to a series of rights that are granted to the author of an original work. These rights focus on the reproduction and distribution of the work—specifically, "the right to control copying." Copyright owners are essentially given two specific entitlements: the right to exploit their own copyrighted work, and the right to stop others from doing so.

In the United States, copyright is automatically granted to the creator of a work. Copyright protection remains in effect for the life of the author plus an additional 70 years. Although individuals and companies concerned about protecting their copyright will often place an explicit copyright notice on the work (e.g., "© 2010, all rights reserved"), this notice is not required for the work to qualify for copyright protection.

What Can Be Copyrighted?

US law specifies eight general types of works that are copyrighted. These works are specified below:

literary works

musical works

dramatic works

pantomimes and choreographic works

pictorial, graphic, and sculptural works, including fabric designs

motion pictures and other audiovisual works

sound recordings

architectural works

These include CDs, DVDs, video games, software, songs, poems, movies, plays, books, databases, label designs, photographs, and websites.

What Cannot Be Copyrighted?

According to the US Copyright Office, "Copyright does not protect facts, ideas, systems, or methods of operation, although it may protect the way these things are expressed."


It's important to point out that as a university student, you are likely going to be creating original work throughout your academic career. Copyright law applies to you not just as a consumer, but also as a creator of original work. In that capacity, copyright can protect the work you own from being used without your permission. Do you think asserting your rights under copyright law in your student work is never worth the time and effort? Consider these cases:

Student Sues Professors Over Intellectual Theft (http://www.africaresource.com/index.php?option=com_content&view=article&id=448:binghamton-university-doctoral-student-sues-professors-over-intellectual-theft&catid=136:race&Itemid=351)

Who Owns Your Great Idea? (http://www.nytimes.com/2009/01/04/education/edlife/whoseidea-t.html?_r=1&ref=edlife)

What's Special About Digital Media?

Given that copyright law has more than 300 years of history behind it, why has this issue suddenly become so contentious and prominent in the news? Has copyright law always been as problematic as it is today? For most of its history, the topic of copyright has been reasonably established and settled. It's only recently that the topic has become so newsworthy. Much of this attention is the result of changes in technology that make reproduction and distribution much easier. Think of how much easier it is to distribute a document digitally than in paper form, or to send friends a digital image compared to mailing a printed photograph.

Current concerns over copyright have their roots in the 1970s, when Sony popularized videocassette recorders (VCRs). Until then, reproducing and distributing most forms of copyrighted work required expensive equipment. The expense of reproduction generally protected copyright holders from easy reproduction of their work. The widespread consumer adoption of the VCR suddenly made reasonably high-quality reproduction of copyrighted works easy and inexpensive. Concerned movie studios filed lawsuits against Sony, culminating in a Supreme Court case (http://en.wikipedia.org/wiki/Sony_Corp._of_America_v._Universal_City_Studios,_Inc.) that protected the use of potentially copyright-infringing technology when the technology in question had other (noninfringing) uses.

Since that case, technology has continued to lower the cost and burden of reproducing copyrighted work, most particularly media files—text, images, and audio and video recordings. Similarly, advances in telecommunications have reduced the cost of distributing such files. Much of the current controversy stems from the combination of personal computers and the internet. Together, these technologies make reproducing and distributing copyrighted work exceptionally inexpensive. These technologies have enough potential to affect copyrighted works for which laws were put in place in the United States specifically to address the issue.

The Digital Millennium Copyright Act (DMCA) of 1998

As advances in technology made copyright infringement easier and less expensive, major

copyright owners sought additional protections to make such infringements easier to

penalize. At the same time, because the internet plays such a prominent role in this

potential infringement, both internet service providers (ISPs) and online service providers

(OSPs, those that host websites on the internet) sought limits on their own liability if their

networks and systems were used as a conduit to infringe on copyright.

Congress was concerned that without limiting the liability of online service providers, the

efficiency and growth of the internet as an important technology would be stifled. The

Digital Millennium Copyright Act (DMCA) was the legislative product of this controversy.

The law specifically sets out expectations and safe harbors for ISPs. Under the DMCA, ISPs are encouraged to provide and improve online services such as network access (thereby allowing their users to transfer files), but the safe harbor is conditional: once a provider is notified of infringing material, or otherwise becomes aware of it, it must act expeditiously to remove or disable access to that material so that the illegal transfers or publications of copyrighted works do not continue.

So does the DMCA protect the copyright holder or just set the liability limits for OSPs and

ISPs? If you find that digital material for which you hold the copyright is appearing on a

site owned/managed by an online service provider (OSP) such as Facebook, Twitter,

YouTube, etc., you have the right to demand that the OSP remove the material. This is

called a "takedown notice," and when an OSP receives such a notice, it is required to

remove or disable access to the accused material to avoid being held liable. This portion of

the DMCA "gives individual authors more power to protect their rights. At the same time,

the DMCA takedown mechanism has certain safeguards in place to protect the rights of

those who have a right to publish material that is not infringing" (Liu, 2013).

Under the DMCA, copyrighted works are given specific protections that prohibit the

circumvention of technological measures that control access to and prevent unauthorized

duplication of copyrighted works. The law also increased penalties for copyright

violations.

The DMCA goes beyond penalizing those who reproduce copyrighted software. Under the law, it is illegal to bypass any protection the software manufacturer built into the software to control access to it. Developing, selling, or otherwise distributing the tools to carry out such a bypass is also illegal under the law. The statute does contain narrow, conditional exemptions, for example for encryption research and security testing, and the Copyright Office's triennial rulemaking has added others, including one for good-faith security research; anyone planning to rely on an exemption should read its conditions carefully first.

Prosecutions for copyright infringement and related news coverage of the issues of

copyright protection and enforcement have increased dramatically in the past decade.

These increases reflect the importance of this issue and the hard line contemporary

copyright owners take on copyright violations.

It may seem remote that you'd be caught violating the DMCA because your actions would be on such a small scale. Consider, though, that a copyright holder can seek statutory damages for willful infringement of up to $150,000 per work infringed, on top of the DMCA's own civil remedies for circumvention. You could also face criminal prosecution, with fines and penalties. Is the risk of getting a criminal record and paying a hefty fine worth the reward of having pirated software?

A Specific Issue Related to Software Piracy: File Sharing

File sharing is the process of transferring files across a network (often the internet).

Although any type of file can be shared, most file sharing revolves around media files:

music, movies, and video games. Many different applications can be used to share files,

including FTP, Internet Relay Chat (IRC), operating system sharing capabilities, web pages,

and peer-to-peer (P2P) applications.

Any type of file sharing that infringes on copyright is illegal, but most media and legal attention is focused on the use of P2P applications. Although there are legal uses for P2P technology, these applications are especially popular for exchanging files illegally. This popularity stems from their efficiency (many popular P2P applications offer a fast way to download and upload information) and also from a perception of anonymity. Because users are sending or receiving files directly with other users (peers), many users mistakenly believe that their identities can't be tracked. In reality, every peer that uploads or downloads a file exposes its IP address to the other peers in the swarm, and copyright holders routinely join swarms to log those addresses and then identify the subscribers behind them through their ISPs.

Given all of the risks and possible repercussions, why would anyone ever use P2P to share digital files? Are there any legitimate uses for the technology? In fact, there are. File-sharing applications can be an efficient and effective way to share information. As a mechanism for sharing content that you've created yourself—whether informational, multimedia, or software—P2P applications represent a legal and effective approach.

This same technology can be a useful way to gain access to material that is not

copyrighted, or that has licensing such that it's legal to share it. Sometimes it seems as

though P2P file sharing is mentioned solely in conjunction with downloading movies and

music illegally, but these applications have plenty of legal uses. P2P programs provide an

efficient method for obtaining files that are in the public domain or are licensed to allow

electronic distribution. If you choose to use file-sharing technologies, the onus is on you

to make sure that you are doing so legally and safely.

Social Networking Issues

The Benefits of Social Networking

Social networking is ongoing communication between people, and in that form has existed

ever since humans joined together in communities. However, now the term has taken on a

particular meaning since it more often refers to groups that communicate on the internet.

The reasons for joining these online groups are varied and include sharing of interests,

photos, videos, stories, affiliations, and product and service reviews. Such sites are also

used as a forum for professional contacts with the purpose of exchanging work-related

information, posting jobs, or posting resumes from those seeking jobs. Another use, made

possible by the large number of public databases that store information about individuals,

is searching for information about persons, including police records, tax records, and other

details.

One of the positive outcomes of this new form of social networking is the ability to

contact and come to know people from any part of the world, exposing the participant to

countries, cultures, languages, and customs that might never be made available in the

individual's local community. Some of the most popular networking sites are Facebook,

Instagram, Twitter, Flickr, LinkedIn, YouTube, Pinterest, and Meetup. Participation in any of

these can lead to an expanded list of friends and a sense of belonging to a community. It

can provide a source of information to help with a problem. It gives you a voice for your

opinions and a place to connect with people who like the same things.

The Dangers of Social Networking

While conventional social networking follows accepted norms of behavior, there are unethical and even criminal uses made of the information that is available on social networking sites. An individual can become the victim of data theft or unwittingly download malware. One of the more significant dangers involves online predators or those who claim to be someone they are not. We will take a look at two such dangers: cyberbullying and cyberstalking.

Cyberbullying

Cyberbullying is defined as actions that use information and communication technologies

—the internet, web pages, discussion groups, instant messaging, or text messaging—to

support deliberate, repeated, and hostile behavior by an individual or group that is

intended to harm another or others. These communications seek to intimidate, control,

manipulate, put down, falsely discredit, or humiliate the recipient ("Cyberbullying," 2016).

Although we most often hear about this negative use of social networking among minors,

resulting in disastrous actions such as school shootings, suicides, or even murders, adults

can be victims of cyberbullying as well. Cyberbullying has an advantage of anonymity. The

bully or bullies do not face the victim but communicate from untraceable cell numbers,

fake email accounts, or fake online IDs at popular social networking sites. The online

actions can include such content as sexual remarks, hate speech, false accusations, gossip

or rumors, online ridicule, or threats of harm or death. Victims often suffer in silence

rather than face being ostracized by their peers.

Cyberstalking

Cyberstalking, also called cyberharassment, is a pattern of behavior that involves repeated, unwanted communication directed at an adult. It is the adult version of cyberbullying. In the workplace, it can take place via company websites, blogs, or product reviews. It can escalate to criminal behavior if the stalker's behavior is threatening or invades the privacy of the victim.

This cyberharassment or stalking results from many of the same factors that give rise to

cyberbullying: professional or sexual obsession, perceived failure with life or job, wanting

to make others feel inferior, a delusional belief that he/she "knows" the target, and the

assumption of anonymity. In the workplace, the cyberstalker may also be motivated for

economic reasons—perhaps the victim is an affiliate or a competitor ("Cyberbullying,"

2016). Under the US federal cyberstalking law, anyone who uses electronic means to

repeatedly harass or threaten someone online can be prosecuted.

Whether it is called cyberbullying or cyberstalking, there are several key identifiers for

this type of behavior:

Perhaps one of the greatest dangers involves an invitation to a meeting between the

victim and the cyberstalker ("Cyberstalking," 2016).

The perpetrator seeks to damage the reputation of the victim by posting false

information about the victim on websites.

He or she may gather personal information about the victim through the victim's

friends, family, and/or coworkers.

A technically savvy stalker may attempt to trace the victim's IP address to gather

more information about the victim's online presence.

Sometime cyberstalkers involve others; they may even claim that the victim is

harassing them to encourage others to join in the harassment of the victim.

The cyberstalker may try to damage the victim's computer by sending malware.

Purchases or magazine subscriptions (often involving pornography) may be made in

the victim's name.

There are some elementary steps you can take to keep yourself and the information about

you safe. Think about these:

Look at your postings through the eyes of employers or potential employers. Do not

post anything that might be embarrassing in your current or potential employment

situations.

Never post private information (phone numbers, addresses). These details can be

used to track you down, possibly by someone who wishes to exploit your

identification.

Control who has access to your postings by adjusting privacy settings.

Use strong, unique passwords for each site (a password manager makes this practical), turn on multi-factor authentication wherever it is offered, and change a password promptly whenever you suspect it has been exposed.

Check to see how visible your name or identity is by "Googling" your name.

References

Cyberbullying. (2016). In Wikipedia. Retrieved from http://en.wikipedia.org/wiki/Cyberbullying

Cyberstalking. (2016). In Wikipedia. Retrieved from http://en.wikipedia.org/wiki/Cyberstalking

Liu, K. (2013, March 6). The DMCA takedown notice demystified [Blog post]. Retrieved from http://www.sfwa.org/2013/03/the-dmca-takedown-notice-demystified/

National Society of Professional Engineers (NSPE). (2007, July). Code of ethics. Retrieved from http://www.nspe.org/resources/ethics/code-ethics

New South Wales Government, Industrial Relations. (n.d.). Workplace policies and procedures. Retrieved from http://www.industrialrelations.nsw.gov.au/oirwww/Employment_info/Managing_employees/Workplace_policies_and_procedures.page

SANS Institute Consensus Policy Resource Community. (2014). Acceptable use policy. Retrieved from https://www.sans.org/security-resources/policies/general/pdf/acceptable-use-policy

University of Maryland Global Campus. (2018). Acceptable use of technology policy. Used under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license.

© 2022 University of Maryland Global Campus

All links to external sites were verified at the time of publication. UMGC is not responsible for the validity or integrity

of information located at external sites.

Professional Memo 1

IFSM 201 Professional Memo

Before you begin this assignment, be sure you have read the Small Merchant Guide to Safe

Payments documentation from the Payment Card Industry Data Security Standards (PCI DSS)

organization. PCI Data Security Standards are established to protect payment account data

throughout the payment lifecycle, and to protect individuals and entities from the criminals who

attempt to steal sensitive data. The PCI Data Security Standard (PCI DSS) applies to all entities

that store, process, and/or transmit cardholder data, including merchants, service providers, and

financial institutions.

Purpose of this Assignment

You work as an Information Technology Consultant for the Greater Washington Risk Associates

(GWRA) and have been asked to write a professional memo to one of your clients as a follow-up

to their recent risk assessment (RA). GWRA specializes in enterprise risk management for state

agencies and municipalities. The county of Anne Arundel, Maryland (the client) hired GWRA to

conduct a risk assessment of Odenton, Maryland (a community within the Anne Arundel

County), with a focus on business operations within the municipality.

This assignment specifically addresses the following course outcome to enable you to:

• Identify ethical, security, and privacy considerations in conducting data and information analysis and selecting and using information technology.

Assignment

Your supervisor has asked that the memo focus on Odenton’s information systems, and specifically, securing the processes for payments of services. Currently, the Odenton Township offices accept cash or credit card payment for the services of sanitation (sewer and refuse), water, and property taxes. Residents can pay either in person at township offices or over the phone with a major credit card (American Express, Discover, MasterCard and Visa). Over-the-phone payment involves speaking to an employee and giving the credit card information verbally. Once payment is received, the Accounting Department is responsible for manually entering it into the township database system and making daily deposits to the bank.

The purpose of the professional memo is to identify a minimum of three current controls

(e.g., tools, practices, policies) in Odenton Township (either a control specific to Odenton

Township or a control provided by Anne Arundel county) that can be considered best

practices in safe payment/data protection. Furthermore, beyond what measures are

currently in place, you should highlight the need to focus on insider threats and provide a

minimum of three additional recommendations. Below are the findings from the Risk

Assessment:

• The IT department for Anne Arundel County requires strong passwords for users to access and use information systems.

• The IT department for Anne Arundel County is meticulous about keeping payment terminal software, operating systems and other software (including anti-virus software)

updated.

• Assessment of protection from remote access and breaches to the Anne Arundel network: Odenton Township accesses the database system for the County when updating residents’ accounts for services. It is not clear whether a secure remote connection (VPN) is standard policy.

• Assessment of physical security at the Odenton Township hall: the only current form of physical security is locks on the two outer doors; however, the facility is unlocked Monday-Friday, 8am-5pm (EST), excluding federal holidays.

• Employee awareness training on data security and secure practices for handling sensitive data (e.g., credit card information) is not in place.

• The overarching conclusion of the risk assessment was that Odenton Township is not

fully compliant with the PCI Data Security Standards (v3.2).

Note: The Chief Executive for Anne Arundel County has asked that specific attention be paid to insider threats, citing a recent article about an administrator from San Francisco (see Resources). Anne Arundel County wants to understand insider threats and ways to mitigate them so that they protect their residents’ personal data as well as the County’s sensitive information. These are threats to information systems, including malware and insider threats (negligent or inadvertent users, criminal or malicious insiders, and user credential theft).

Expectations and Format

Using the resources listed below, you are to write a 2-page Professional Informational Memo to

the Chief Executive for Anne Arundel County that addresses the following:

• Risk Assessment Summary: Provide an overview of your concerns from the risk assessment report. Include the broad ‘goal’ of the memo and, as a result of the risk assessment, the broad recommendations. Specific Action Steps will come later. The summary should be no more than one paragraph.

• Background: Provide a background for your concerns. Briefly highlight why the

concerns are critical to the County of Anne Arundel and Odenton Township. Clearly

state the importance of data security and insider threats when dealing with personal credit

cards. Be sure to establish the magnitude of the problem of insider threats.

• Concerns, Standards, Best Practices: The body of the memo needs to justify your concerns and clarify standards, based on the resources listed below, at minimum. The PCI DSS standards are well respected and used globally to protect entities’ and individuals’ sensitive data. The body of the memo should also highlight three current controls that are considered best practice; that is, you should highlight the positive, what is currently in place, based on the risk assessment.

• Action Steps: Provide a conclusion establishing why it is important for Anne Arundel

County to take steps to protect residents and county infrastructure from insider threats

based on your concerns. Recommend a minimum of three (3) practical action steps,

including new security controls, best practices and/or user policies that will mitigate the

concerns in this memo. Be sure to include cost considerations so that the County is

getting the biggest bang for the buck. The expectations are not for you to research and

quote actual costs, but to generalize potential costs. For instance, under the category of

physical security, door locks are typically less expensive than CCTV cameras.

• Be sure to review the PowerPoint presentation (in pdf format) Effective Professional

Memo Writing that accompanies these instructions.

• Use the Professional Memo template that accompanies these instructions.

o Use four section subtitles, in bold.

▪ Risk Assessment Summary

▪ Background

▪ Concerns, Standards, Best Practices

▪ Action Steps

o Do not change the font size or type or page margins.

o Do not include any graphics, images or ‘snips’ of any content from copyrighted

sources. The PCI Standards (PCI DSS) document is copyrighted material.

o Paragraph text should be single spaced with ONE ‘hard return’ (Enter) after each

paragraph and after each section subtitle. Note: Do not create a new ‘paragraph’

after each sentence. A single sentence is not a paragraph.

o ‘Subject’ is the subject of your memo, not the course name or number.

o Be sure to remove any remaining ‘placeholder’ text in the template file before

submitting.

o The length of the template when you download it is NOT the intended length of

the entire memo. Your completed memo should be between 1.5 pages and 2

pages (total document, including the To:/From:/Re:/Subject header).

*Note: the Professional Memo is to be in a MS Word file and all work is to be in the

student’s own words (no direct quotes from external sources or the instructions) *

APA documentation requirements:

• As this is a professional memo, as long as you use resources provided with or linked

from these instructions, APA documentation is NOT required.

• Citing material or resources beyond what is provided here is NOT required.

• However, you should use basic attribution and mention the source of any data, ideas

or policies that you mention, which will help establish the credibility and authority of

the memo.

o For example, mentioning that the Payment Card Industry Data Security

Standards (PCI DSS) identify a certain control as best practice holds more

weight than simply stating the control is a best practice without basic

attribution.

o Mentioning that Wired Magazine reported that a City of San Francisco IT

technician effectively hijacked and locked 60% of the city’s network capacity,

is more effective than saying “I read somewhere that…”

Resources

1. Examples of Security Breaches Due to Insider Threats

San Francisco Admin Charged With Hijacking City's Network

Microsoft database leaked because of employee negligence

General Electric employees stole trade secrets to gain a business advantage

Former Cisco employee purposely damaged cloud infrastructure

Twitter users scammed because of phished employees

2. PCI DSS Goals:

(source: https://www.pcisecuritystandards.org/merchants/process)

3. References

FBI. (2021). The Insider Threat: An Introduction to Detecting and Deterring an Insider Spy. https://www.fbi.gov/file-repository/insider_threat_brochure.pdf/view

PCI DSS. (2021, Feb. 12). Payment Card Industry Security Standards. Official PCI Security Standards Council Site.

Wang, J., Gupta, M., & Rao, H. R. (2015). Insider threats in a financial institution: Analysis of attack-proneness of information systems applications. MIS Quarterly, 39(1), 91-A7. https://search-ebscohost-com.ezproxy.umgc.edu/login.aspx?direct=true&db=bth&AN=100717560&site=ehost-live&scope=site

Professor Messer. (2014). Authorization and access control [Video file]. YouTube.

U.S. DHS. (2021). Insider Threat. https://www.dhs.gov/science-and-technology/cybersecurity-insider-threat

Wizuda. (2017). Data anonymisation simplified [Video file]. YouTube.

Yuan, S., & Wu, X. (2021). Deep learning for insider threat detection: Review, challenges and opportunities. Computers & Security. https://doi-org.ezproxy.umgc.edu/10.1016/j.cose.2021.102221

Keywords: risk assessment, insider threats, data security

Submitting Your Assignment

Submit your document via your Assignment Folder as a Microsoft Word document, or a document that can be read using MS Word, with your last name included in the filename. Use the Grading Rubric below to be sure you have covered all aspects of the assignment.

GRADING RUBRIC:

Each criterion is scored at one of five levels (Far Above Standards, Above Standards, Meets Standards, Below Standards, Well Below Standards); the possible points for each criterion are given with its name.

Summary of Risk Assessment (15 possible points)
Far Above Standards (15 points): Summary is highly effective, thorough and professional.
Above Standards (12.75 points): Summary is effective, thorough and professional.
Meets Standards (10.5 points): Summary is somewhat effective, thorough and professional.
Below Standards (9 points): Summary is lacking.
Well Below Standards (0-8 points): Stated requirements for this section are severely lacking or absent.

Background and Importance (to the Client) of Data Security and Insider Threats (10 possible points)
Far Above Standards (10 points): Discussion of background, data security and insider threats is highly effective, thorough, and professional.
Above Standards (8.5 points): Discussion of background, data security and insider threats is effective, thorough, and professional.
Meets Standards (7 points): Discussion of background, data security and insider threats is somewhat effective, thorough, and professional.
Below Standards (6 points): Discussion of background, data security and insider threats is lacking.
Well Below Standards (0-5 points): Stated requirements for this section are severely lacking or absent.

Concerns, Standards, Best Practices: Justify Concerns and Clarify Standards (15 possible points)
Far Above Standards (15 points): Discussion of concerns and standards is highly effective, thorough, and professional.
Above Standards (12.75 points): Discussion of concerns and standards is effective, thorough, and professional.
Meets Standards (10.5 points): Discussion of concerns and standards is somewhat effective, thorough, and professional.
Below Standards (9 points): Discussion of concerns or standards is lacking.
Well Below Standards (0-8 points): Stated requirements for this section are severely lacking or absent.

Concerns, Standards, Best Practices: Three current practices identified and justified as best practice (15 possible points)
Far Above Standards (15 points): Three highly relevant current practices are offered and justified as best practices. Overall presentation is clear, concise, and professional.
Above Standards (12.75 points): Section may be lacking in number of recommendations or relevancy or justification or overall presentation.
Meets Standards (10.5 points): Section is lacking in number of recommendations or relevancy or justification or overall presentation.
Below Standards (9 points): Section is lacking in two or more of the following: number of recommendations or relevancy or justification or overall presentation.
Well Below Standards (0-8 points): Stated requirements for this section are severely lacking or absent.

Action Steps: Three recommendations minimum identified and justified, including some discussion of cost considerations (20 possible points)
Far Above Standards (20 points): Three highly relevant recommendations are offered and justified, with effective discussion of cost considerations. Overall presentation is clear, concise, and professional.
Above Standards (17 points): Section may be lacking in number of recommendations or relevancy or justification or a discussion of cost considerations or overall presentation.
Meets Standards (14 points): Section is lacking in number of recommendations or relevancy or justification or a discussion of cost considerations or overall presentation.
Below Standards (12 points): Section is lacking in two or more of the following: number of recommendations or relevancy or justification or a discussion of cost considerations or overall presentation.
Well Below Standards (0-11 points): Stated requirements for this section are severely lacking or absent.

Basic Attribution (overall) (10 possible points)
Far Above Standards (10 points): Overall use of basic attribution is highly effective in establishing credibility and authority.
Above Standards (8.5 points): Overall use of basic attribution is effective in establishing credibility and authority.
Meets Standards (7 points): Overall use of basic attribution is partially effective in establishing credibility and authority.
Below Standards (6 points): Overall use of basic attribution is partially effective in establishing credibility and authority. Additional basic attribution may have been needed.
Well Below Standards (0-5 points): Overall use of basic attribution was minimally effective or not used.

Overall Format: APA documentation needed only if sources external to the assignment are introduced (15 possible points)
Far Above Standards (15 points): Submission reflects effective organization and sophisticated writing; follows instructions provided; uses correct structure, grammar, and spelling; presented in a professional format; any references used are appropriately incorporated and cited using APA style.
Above Standards (12.75 points): Submission reflects effective organization and clear writing; follows instructions provided; uses correct structure, grammar, and spelling; presented in a professional format; any references used are appropriately incorporated and cited using APA style.
Meets Standards (10.5 points): Submission is adequate, is somewhat organized, follows instructions provided; contains minimal grammar and/or spelling errors; and follows APA style for any references and citations.
Below Standards (9 points): Submission is not well organized, and/or does not follow instructions provided; and/or contains grammar and/or spelling errors; and/or does not follow APA style for any references and citations. May demonstrate inadequate level of writing.
Well Below Standards (0-8 points): Document is poorly written and does not convey the necessary information.

TOTAL Points Possible: 100

2/23/22, 11:27 AM Privacy

https://learn.umgc.edu/d2l/le/content/628580/viewContent/25128674/View 1/11

Privacy

Introduction to Privacy

You might say that your entire life is stored somewhere online—in medical records, tax

records, driver's license records, credit reports, and so on. Because so many of the records

that contain identifying information about you are stored on computers, it is important

that the places where these records are kept are readily accessible but still secure from

unauthorized users. You have a role as well in keeping your own information secure. In

this module, we will look at what constitutes personally identifiable information (PII) and

the steps to ensure it is accessed only by those who have a need to see it.

Consequences of Identity Theft

Learning Resource

A Host of Emails

Maya's friends and family started asking her about the barrage of emails she was

sending to everyone. The subject lines in the emails were blank, and the messages

contained only links to unknown websites.

Maya checked her sent messages and found that numerous messages had been sent

to her friends and family from her account without her knowledge. She started to

think something was wrong. She didn't know what to do.

Later that day, Maya was checking Facebook and noticed that a message had been

sent to all her friends on Facebook with a link to a video she had never seen before.

"What is going on?" she wondered.

Finally, she got a call from her friend Alvin, who told her that he had received one of

the suspicious emails, and he recognized it as a malware infection.

Many people find themselves in situations similar to Maya's. This scenario addresses some of the threats and consequences encountered in the online environment. They parallel the threats and consequences of everyday life. We all know there are bad people in the world. We learn at a young age not to take candy from strangers, not to let a stranger in the door, and not to leave valuables unattended. We lock our doors, park in well-lit areas, and avoid seedy neighborhoods at night. We learn how to be safe and avoid the threats in the world. The same goes for the online world.

Personally Identifiable Information

So, what are the threats you might encounter in the online world? Theft, particularly of your personally identifiable information (PII), tops the list of information data thieves are after. PII is any piece of information that can potentially be used to uniquely identify, contact, or locate a particular person. PII includes your full name, or first initial with your last name, linked to your social security, bank account, credit card, or driver's license number. PII is generally kept private and is often used for financial, medical, or research identification.


Personally Identifiable Information (PII)

Source: Janet Zimmer.

With this kind of information, malicious individuals and intruders can commit identity theft. Identity theft occurs when someone uses another person's PII to take on that person's identity in order to commit fraud or other crimes. Imagine the inconvenience of having to close your bank account and open a new one, or trying to convince your credit card company that you are not responsible for certain charges.

Your online user ID and password are at the top of the list of information that malicious people are after. You probably have multiple user IDs and passwords for websites you visit, various online accounts, and your email account. User IDs and passwords can provide access to additional PII or other information you would like to keep confidential. For example, you may have stored personal information in your email account profile, privacy settings, and security settings. If someone gets access to your e-mail ID and password, he or she may gain access to additional PII. Also, users sometimes include their calendars or vacation plans in email or online postings, which can make those users potential targets for home robberies.


Other than trying to access your account and personal information, malicious individuals may also be interested in compromising your computer and other connected resources, such as an iPad, smartphone, or Xbox. What do intruders do when they compromise these resources? They send spam, launch attacks on others, store files, advertise services, capture keystrokes, snoop for additional targets of value, and generally exploit whatever is available or profitable.

Why Would Someone Want to Trick You into Providing PII?

An attacker may be trying to steal your personal information for financial gain. For example, an attacker could use your bank account number, or the username and password for your online banking site, to withdraw money from your account.

Stolen PII can also be used to obtain and create personal documents, such as obtaining a birth certificate to create a driver's license, and then using the documents to get a fake passport. An attacker might steal your social security number to open a credit card in your name. For this and other reasons, it is recommended that you provide only the last four digits of your social security number to verify your identity.

Social Engineering

The "Lost" USB Drive

On the floor of a hallway in her office building, Mary finds a USB drive, also called a USB flash drive. Thinking that it must belong to one of her coworkers, she plugs the USB drive into her computer so that she can look at what is stored on it and attempt to find its owner. Two days later, Mary's computer is suspended from the network due to a malware infection. A malicious person had left the USB drive on the floor, hoping to lure someone into launching the malware that was set up to run automatically when the USB drive was plugged into a computer.

Social engineering is a technique whereby a malicious person uses deception to gain your trust and to trick you into providing information you would not freely give. Social engineering is usually associated with identity theft.


Trying to Help

For instance, if a stranger calls your cell phone to ask for your company ID and password, you would likely refuse to provide the information and hang up. But when the same person calls you and introduces himself as a staff member from the help desk, you might not hesitate to provide any information the caller is asking for, even your personally identifiable information.

Types of Social Engineering

Social engineering by e-mail. You may receive an email explaining that your Yahoo account is about to be disconnected. In order to prevent this from happening, you are prompted to provide personal information such as your user ID, password, and full name. If you respond to this phishing email with the requested information, you will have given a hacker access to your email and to PII located within your account.

Social engineering by phone. Pretending to be someone in a position of authority at a phone company or bank, a hacker calls to persuade the user to provide sensitive information.

Social engineering by dumpster diving. Also known as trashing, a hacker searches for sensitive information such as bank statements, preapproved credit cards, and student loan paperwork in the garbage. To prevent becoming a victim of dumpster diving, it is wise to shred documents with sensitive information.

Online social engineering. Hackers often try to trick users into providing sensitive information via e-mail, instant messaging, chat rooms, social networking sites, and the like. For instance, a hacker will send a fraudulent email claiming to be a banking institution, credit card company, or department store. The hacker requests that the user verify his or her user name, password, and user ID, either by responding to the email or by clicking on a link that directs the user to a legitimate-looking, but fake, website.

Reverse social engineering. A hacker poses as a technical aide to fix a computer problem that he or she actually created, or that doesn't exist at all. The user contacts this aide and is then prompted to give sensitive information to the aide in order to fix the problem. The user provides the required information and the problem seems to be solved.


Social engineering with USB drives. Hackers can also use USB drives to gain access to sensitive information kept on a computer or network. Hackers may infect one or more USB drives with a virus or Trojan horse that, when run, will provide hackers with access to log-ins, passwords, and information on a user's computer. The hacker may then leave the infected USB unattended on the floor, in or next to a computer in an open lab, in hallways, in restrooms, or in any other area with a relatively high volume of traffic. A user who finds the USB drive may install the device in order to locate its owner, thus allowing the virus or Trojan horse to infect the computer. The hacker is then able to get PII from the infected computer and proceeds to victimize the user of that machine.

Note that social engineering, as illustrated in these examples, does not rely on technical prowess, but rather on tricking other people into deviating from normal security procedures. Being aware of some of the commonly used social engineering schemes should make you more alert and help you avoid becoming a victim.

Phishing

The most common online social engineering method is "phishing," when an attacker goes "fishing" for personal information, such as a user account name and password, a credit card number, a social security number, or some other piece of information that is considered valuable. Typically, an attacker lures victims into providing this information using fraudulent emails or websites as bait.

In this section, you will be introduced to the most common methods of phishing, some key indicators that can help you recognize phishing attempts, and strategies to protect yourself from falling victim to a phishing attack.

In a study conducted at Carnegie Mellon University in 2009, researchers found that across university departments, years of study, and gender, students aged 18 to 25 were consistently more vulnerable to phishing attacks than older participants. A complete presentation of the study results can be found at http://www.cs.cmu.edu/~jasonh/publications/soups2009-school-of-phish-final.pdf

Here is a summary of the study (Blair, Cranor, & Kumaraguru, 2009):

Some Study Findings

In 2005, it was estimated that 73 million US adults received more than 50 phishing emails each.

2007 statistics estimate that 3.6 million adults lost $3.2 billion in phishing attacks.


Financial institutions, corporations, and military communities are also victims.

Why Phishing Works

Phishers take advantage of internet users' trust in legitimate organizations.

Internet users may lack computer and security knowledge.

Not all internet users use good strategies to protect themselves.

What Are Antiphishing Strategies?

Find and take down phishing websites.

Detect and delete phishing emails.

Warn other users about the threat.

Use antiphishing toolbars and web browser features.

Train users not to fall for attacks.

Carnegie Mellon designed a training package and a laboratory experiment to determine if training helped users detect phishing emails.

Things learned from the laboratory experiment (Blair, Cranor, & Kumaraguru, 2009):

Security notices are ineffective for training users.

Users with embedded training make better decisions than those sent security notices.

Participants retained knowledge after seven days.

Training does not increase false positive errors.

Before training, traditional-age students (18-22 years of age) are significantly more likely than staff to fall for phishing schemes.

How Would a Cyber Criminal Attempt to Phish Your Personal Information?

Email is one of the most common vehicles for phishing. You may receive an email that looks and feels legitimate—from a friend, an entity with whom you have an account (such as eBay, PayPal, or Citibank), or a business contact. The message might prompt you to verify your account number or your user ID and password, either by immediately replying to the email or by clicking a link that directs you to a fraudulent web page.

Sample Phishing Email

Recently, many Fakebank account holders received an email message from "[email protected]" with the subject "Important Security Update." The message, shown below, claimed to be from Fakebank and prompted recipients to validate their "account ownership security" to avoid suspension by clicking on a link to a fake version of Fakebank's web log-in page. Account holders who visited the fake website and provided their user IDs and passwords gave a cyber criminal access to their online financial records.

Subject: Important Security Update

Date: Monday, 5 April 5, 2016

From: Fakebank ([email protected])

Dear Valued User,

Your Account security validation has expired. This may be as a result of wrong or

incomplete data entered during the last update.

It's strongly required that you should validate your account ownership security, to avoid

service suspension.

Login to Fakebank at www.fakebank.com

We apologize for any inconveniences caused.

Security Department,

Fakebank

Protecting Yourself Against Phishing

Since protecting your PII is important in protecting yourself against identity theft, let's take a deeper look at how you can distinguish legitimate emails from phishing attempts. Keep in mind that most phishing messages have an urgency, warning you to respond immediately.

The email is most likely a phishing attempt if:


the message is alarmist and warns you to respond immediately to verify account information or take advantage of an offer. Often there's a threat of dire consequences.

the message does not address you by name or include other identifying information.

the message includes long links that don't make sense or misspells the company name in a URL.

the message includes misspellings and grammatical errors.

If you suspect you received a phish, simply delete the email. Do not respond to the email, click on an embedded link, or open the attachment. If you are not sure, verify the legitimacy of the message by contacting the supposed sender through an alternate communication channel. Don't use the contact information provided in the suspicious email; instead, use a phone number you obtain directly from a bank statement, use an existing bookmarked URL to log in to your provider's site, or use an email address that you've successfully used before.
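As an added example (not part of the UMGC module), the following Python checker applies the four indicators just listed to an email and reports which ones fired. The Fakebank domains, word lists and both sample messages are constructed for illustration; the look-alike domain and the mismatch between a link's visible text and its real target are the things a reader should learn to look for.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed word lists: urgency terms, impersonal salutations and typical misspellings.
URGENCY_TERMS = ("immediately", "suspend", "suspension", "expired", "within 24 hours",
                 "validate", "verify your account", "locked")
GENERIC_SALUTATIONS = ("dear valued user", "dear customer", "dear user",
                       "dear account holder", "dear member")
MISSPELLINGS = ("acount", "verfy", "securty", "recieve", "informations", "adress")
ANCHOR_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'(?:https?://|www\.)[^\s<>"]+', re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to spot look-alike domains such as fakebnak vs fakebank."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hostname(url: str) -> str:
    """Lower-case hostname of a URL, tolerating bare 'www.' links without a scheme."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def registrable_domain(url: str) -> str:
    """Crude 'last two labels' rule; sufficient for the constructed samples."""
    return ".".join(hostname(url).split(".")[-2:])


def link_findings(body: str, brand_domain: str) -> list:
    """One reason per link that does not belong to brand_domain (indicator 3)."""
    brand = brand_domain.split(".")[0]
    findings = []
    # Anchor text that shows the real bank while the href goes elsewhere.
    for href, text in ANCHOR_RE.findall(body):
        shown = URL_RE.search(text)
        if shown and registrable_domain(shown.group()) != registrable_domain(href):
            findings.append(f"text shows {shown.group()} but link goes to {href}")
    for url in set(URL_RE.findall(body)):
        dom = registrable_domain(url)
        if dom == brand_domain:
            continue
        if brand in hostname(url) or levenshtein(dom.split(".")[0], brand) <= 2:
            findings.append(f"look-alike domain {dom} imitates {brand_domain}")
        else:
            findings.append(f"link to unrelated domain {dom}")
    return findings


def phishing_indicators(raw_email: str, brand_domain: str, recipient_name: str) -> dict:
    """Apply the four indicators from the module and report which fired, with reasons."""
    body = message_from_string(raw_email).get_payload()
    text = body.lower()
    hits = {}
    urgent = [t for t in URGENCY_TERMS if t in text]
    if urgent:                                   # 1: alarmist / act-now tone
        hits["alarmist"] = urgent
    salutation = next((ln for ln in body.splitlines() if ln.strip()), "").lower()
    if recipient_name.lower() not in salutation and any(
            s in salutation for s in GENERIC_SALUTATIONS):
        hits["no_name"] = salutation.strip()     # 2: does not address you by name
    links = link_findings(body, brand_domain)
    if links:                                    # 3: links that don't match the company
        hits["suspicious_links"] = links
    typos = [w for w in MISSPELLINGS if re.search(rf"\b{w}\b", text)]
    if typos:                                    # 4: misspellings
        hits["misspellings"] = typos
    return hits


def is_probable_phish(raw_email: str, brand_domain: str, recipient_name: str) -> bool:
    """Two or more independent indicators: delete it and verify out of band."""
    return len(phishing_indicators(raw_email, brand_domain, recipient_name)) >= 2


# Constructed sample modelled on the Fakebank message above: the visible address is the
# real bank, but the anchor points at a look-alike domain.
PHISH = """Subject: Important Security Update
From: Fakebank <security@fakebank-alerts.example>
Content-Type: text/html

Dear Valued User,
Your acount security validation has expired. It's strongly required that you
should validate your account ownership security, to avoid service suspension.
Login to Fakebank at <a href="http://www.fakebnak.com/login">www.fakebank.com</a>
"""

# Constructed legitimate message for contrast.
LEGIT = """Subject: Your March statement is ready
From: Fakebank <statements@fakebank.com>
Content-Type: text/html

Dear Maya Lopez,
Your statement is available. Sign in at <a href="https://www.fakebank.com/">www.fakebank.com</a>
when convenient.
"""

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, phishing_indicators(raw, "fakebank.com", "Maya Lopez"))
```

The checker is deliberately simple: it flags what a careful reader would notice, and a message that trips two or more indicators is the one the text says to delete and verify through an alternate channel.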

Putting It All Together

Threats on the internet are similar in concept to threats on the highway. You are better protected when you follow traffic regulations and take certain precautions. Good safety measures include keeping your car maintained, fastening your seatbelt, stopping at stop signs and traffic lights, and avoiding potholes. To avoid theft, you keep your valuables locked away, out of sight. You lock your car.

Take the same types of security and safety measures with your computer and on the network. Keep your computer running well by updating your software and backing up your files regularly. Install antivirus software and make sure it updates daily. Avoid opening the door to untrusted sources by not opening their attachments, not clicking on their links, not installing their software, and not providing them with your sensitive data or password. Protect your personal information from theft by locking it behind strong passwords that you do not share with others. Physically lock your computing devices when unattended.

Remember, prevention is the best protection.

Visit the Federal Trade Commission's website at https://www.consumer.ftc.gov/topics/privacy-identity-online-security for resources on deterring, detecting, and defending against identity theft.


Protecting Your Privacy

Considering every possible threat to your information and resources is probably not realistic. Most of us don't have the time or resources to commit to predicting the long-term outcomes of our every action.

Rather than trying to analyze every action, it's helpful to rely on some general rules to protect your PII.

Keep your passwords to yourself and change them regularly. Most cases of PII theft can be avoided simply by maintaining a strong password and not sharing it.

Use different passwords for different accounts. Remembering multiple passwords can be a challenge, and it's often convenient to use the same password for multiple accounts, from Facebook and your bank account to your UMGC ID and Twitter accounts. The danger is that a compromise of any one of these accounts could also result in the compromise of others, if the same password is used for multiple accounts.

Use strong passwords. Many of your user IDs require strong passwords to gain entry into one or more systems. In those instances when you can choose any password configuration, pick a strong password to protect your information. Changing strong passwords often is the most important thing you can do to keep your PII safe.

Check your credit reports annually. Sometimes people don't learn that they are victims of identity theft until their credit rating and identity are destroyed. It's proactive to get copies of your credit reports from the credit bureaus and review them for errors. Follow up with the credit bureaus to make corrections to your reports if needed. By law, you can get one free credit report from each of the three credit bureaus every year.

"Google" yourself. Enter your name in a search engine and see what data comes up. Investigate postings about yourself in the information that you find. Look for suggestions that your PII may be compromised.

Remember that people can be a weak link in security. No matter how secure you make passwords and how careful you are with technology, there is always a human element to protecting your information.

Control physical access to your devices. It's important not to leave laptops and other mobile devices unattended in public locations, like a coffee shop or other places with free Wi-Fi. An unattended machine is at risk, both for theft and for other security threats. When you aren't controlling physical access to your machine (by locking it in your room), don't let it out of your sight.


Remember to log out or lock your computer when you are finished using it. Whether it's your email, bank account, Target shopping account, or library account, always remember to log out when you leave the website.

Remember to lock your computer with a password when you are finished using it. By requiring a password to access your computer or other electronic device, you are helping to protect your information. You are also making your computer useless to a thief who cannot break password locks.

References

Blair, M. A., Cranor, L. F., & Kumaraguru, P. (2009). Results from "Help us protect the Carnegie Mellon community from identity theft" study. Retrieved from https://www.cmu.edu/iso/aware/presentation/identitytheftstudy_041009.pdf

Kumaraguru, P., Cranshaw, J., Acquisti, A., Cranor, L., Hong, J., Blair, M. A., & Pham, T. (2009). School of phish: A real-world evaluation of anti-phishing training. Retrieved from http://www.cs.cmu.edu/~jasonh/publications/soups2009-school-of-phish-final.pdf

Licenses and Attributions

Personally Identifiable Information (PII) by Janet Zimmer is available under a Creative Commons Attribution-ShareAlike 3.0 Unported (https://creativecommons.org/licenses/by-sa/3.0/deed.en) license.

© 2022 University of Maryland Global Campus

All links to external sites were verified at the time of publication. UMGC is not responsible for the validity or integrity of information located at external sites.


2/23/22, 11:27 AM Security

https://learn.umgc.edu/d2l/le/content/628580/viewContent/25128675/View 1/18

Security

Most people think of security as a protective measure that's physical, like a home security alarm to prevent theft, or a door with a lock and key to prevent unauthorized entry. While it's true that security is physical, we'll be looking at security from an information technology (IT) perspective. Moreover, we'll focus on the IT view: security is a safeguard. Security is something that we need online—to protect personally identifiable information (PII) and to protect our computers from cyber criminal attack.

Security in practice applies to all types of information. However, in this module we will discuss protecting a specific type of information—PII.

Understanding Compromise and Risk

Many people assume that protecting their information is strictly about safeguarding PII by using strong passwords, making sure to log out of online accounts, using a password to lock your computer, and keeping your computer physically secured. These habits are important, but blindly using these methods ignores other components of your responsibility and capability to protect information and resources. Two of the most important aspects are:

having a clear understanding of just what is at risk—how extensive and sensitive are the information and resources that you are protecting, and how accessible are they?

recognizing the role that your personal behaviors and decisions play in increasing or mitigating the risk to your information and resources.

When we talk about risk, in most cases we're considering the threat of compromising the resource. In the context of information security, compromise may have a slightly different meaning than you are used to:

Compromise


In the field of information security, a compromise is a breach in the security of a specific resource—potentially a computer, an account, a file or another resource. A resource can be compromised in many ways, including actions by a malicious attacker hacking into a system, but also by a well-intentioned user forgetting to log out of a machine.

Confidentiality, Integrity, and Availability

We have already talked about compromise and risk, but let's quickly summarize the concepts. A compromise is a specific breach in security. Risk is a threat that the potential security compromise may actually occur.

So what comes first: a compromise or a risk?

If there's a risk to security, does that mean it might happen, or that it already happened? Of course, a risk means that something might happen. Taking a risk or chance comes before acting on that risk. For example, since I left the computer unprotected (taking a risk), a virus infected the computer.

On the other hand, if there's a security compromise, does it mean that it might happen, or that it already happened? Yes, it already happened. A compromise or security breach is a completed action. It's a done deal. For example, since someone took advantage of the unprotected computer to install and activate a virus, the computer is compromised.

Since risk is a chance that something might happen, and compromise is a completed action, then risk comes before compromise.

Why do you need to know that risk comes before compromise? To answer that question, let's zero in on risk. Risk is key to how the compromise happened. Risk isn't singular; it has three dimensions—confidentiality, integrity, and availability (often referred to as "CIA").

Let's look at an example of each of the three risk dimensions. Keep in mind that we're looking at one example of each. In reality, each dimension can have lots of examples.

Confidentiality risk: exposing a secret password and user ID

Example: Gabe gives Taylor his user ID and password so that she can finish the report they are coauthoring by the end of the day. Gabe's user ID and password are compromised because they aren't secret once he gives them to Taylor. When the user ID and password are no longer secret, that's a breach of confidentiality.


Integrity risk: an unauthorized change to shared documents

Example: Evelyn accidentally changes the wrong pages on a shared document at work; she changes Robin's pages instead of her own. Robin is furious because she had spent all day making changes to the document, and now she doesn't know whether she can remember all of them.

Availability risk: improper control of physical access

Example: Thomas, a supervisor, finds that he cannot access the data in a personnel file because the permissions for access to that database and the data contained therein have been changed by another supervisor, Martha. The data has not been compromised (there is no security breach), nor has there been a violation of the integrity of the data. But that data is not available to Thomas, and thus there has been a breach of availability.

Each example has a different risk and a single compromise or breach.

Why do we need to know that risk comes before compromise?

When we know the risk, we can sometimes prevent the compromise.

Now, we have a preview into the dimensions of risk—confidentiality, integrity, and availability. Our next step is to learn more about each dimension so we can apply some techniques and best practices to making good decisions using risk and compromise.

Dimensions of Risk

How Is Risk Assessed?

Assessing risk involves a consideration of how well protected a resource might be, and what the consequences could be if the resource is compromised. Simply asking yourself whether you are doing something that might "put resources at risk" is probably not a useful approach for most people, though. To some extent, all actions have a degree of risk; your real goal is to assess that risk in a useful way.

That assessment can be a real challenge—security and risk are complicated and multifaceted. Because information protection can seem like a large and all-encompassing issue, security experts break the problem of security into three distinct aspects, considering the confidentiality, integrity, and availability of resources, first as discrete pieces and then collectively.


Confidentiality, Integrity, Availability (CIA)

Source: Janet Zimmer

By focusing on one specific dimension at a time, you're able to break the process of evaluation down into more manageable parts. And by then considering these parts collectively, you can make decisions that can best reflect your own priorities and responsibilities.

Confidentiality


Confidentiality

Source: Janet Zimmer

Confidentiality

The confidentiality of a resource refers to who is able to read or access it. Maintaining the confidentiality of a resource does not require that it be completely secret or inaccessible; rather, it is about ensuring that only authorized users—the right people—have access and that unauthorized users—the wrong people—do not. Confidentiality is at risk whenever unauthorized users have access to information, whether explicitly (such as password sharing) or unintentionally (such as mistaken file-sharing permissions or a virus accessing files). "A loss of confidentiality is an unauthorized disclosure of information" (NIST, 2008).

A Loss of Confidentiality

Morgan provides computer support for the HiTech organization. She gets a request from Robert, the human resources director, to recover files that were accidentally deleted. After Morgan successfully finishes the file recovery process, she opens a file to make sure its contents are complete. Morgan opens the file and sees the annual salary of each employee at HiTech.

Although Robert authorized Morgan to recover the deleted files, he did not intend to release any information about employees' salaries—so the confidentiality of the salary information has been compromised or breached.


Integrity

Source: Janet Zimmer

Integrity

Maintaining the integrity of information means ensuring that the data has not been changed inappropriately, whether these changes are accidental and innocent or intentional and malicious. As the name implies, integrity addresses the question of how confident you can be about the state of your resources and information. "A loss of integrity is the unauthorized modification or destruction of information" (NIST, 2008).


A Loss of Integrity

Nicholas, a technical writer on the systems development team, is writing the new user guide for the Masters Plumbing Supplies inventory system. He sends the Version 1 draft of the user guide to the development team for review, received all of their editorial changes two weeks ago, and incorporated them into a new Version 2 of the user guide. He sent Version 2 of the guide to team members for review last week and has already incorporated some of their changes into the next version of the user guide.

Just as Nicholas finishes incorporating Jim's comments into the new Version 3 user guide, Jim, one of the team members, calls Nicholas and tells him that he incorporated his comments into the wrong version. Jim incorporated his Version 3 comments into Version 1 instead of Version 2.

Now Nicholas doesn't know the new information from the original information in the user guide. Since the information in the user guide is mixed up between versions 2 and 3, the information in the user guide has lost its integrity. Nicholas can't be sure which version of the user guide is correct; the integrity of the user guide is compromised because of Jim's error in using the wrong version for his editorial changes.

Availability

Availability

Source: Janet Zimmer


Availability

The availability of a resource refers to how timely and reliable access to that resource is. Maintaining the availability of a resource means that authorized users are able to reliably get to the specific machine or information when needed; availability can be threatened by technical malfunctions (such as a networking problem that prevents access) or by human factors, such as a changed password. "A loss of availability is the disruption of access to or use of information or an information system" (NIST, 2008).

A Loss of Availability

Xing had set up a workstation for new employees to use until their permanent computers are assigned, but he hasn't been diligent about keeping it up-to-date. This carelessness comes back to haunt him when someone maliciously attacks the computer by exploiting a software vulnerability to access his machine and change the passwords on it. Now Xing can't log in to the computer to perform the updates.

Because he has physical access to the machine, Xing will eventually be able to get the work done. The process won't be fast, and during that time he won't be able to perform the updates; the availability of this resource has been compromised.

As you can see, considering how you protect your information and resources using these three dimensions can allow for more focus in evaluating your risks. It can also help you more clearly identify the consequences if your resources are compromised.

Confidentiality, Integrity, and Availability in Practice

So far, we've learned about the three dimensions of risk—confidentiality, integrity, and availability—one at a time. The reality is that most threats and compromises can involve multiple dimensions. Sharing your password, for example, can compromise both the availability and the confidentiality of your information if someone changes your password and looks at what the password is protecting. It can also compromise the integrity of your information if someone changes it without your permission. In practice, this means you should consider possible dangers and threats in the context of all three of the dimensions.

What's at Stake?


Although some of the examples that are included above may seem extreme or unlikely, it's important to understand just what is at stake if your user ID and password are compromised. If you worked at Monumental Corporation with Michael and Sammy, what type of data can be exposed if your user ID and password are used without your permission? Is there really a danger of someone changing your files or information?

Recognize that your user ID and password are the key to an exceptional amount of corporate and personal information. With regard to confidentiality, for example, someone with your credentials may be able to see:

your email

your work schedule

your salary and other human resource-related information

your work records, including your active and inactive files

In addition to being able to review information that most people would consider

confidential, your user ID and password allow you (and anyone who has your access) to

change information, including:

altering your work schedule for meetings

sending and changing any emails

changing or deleting your work files

Finally, using your user ID and password, someone can place severe limits on the

availability of some of your resources by:

changing your password

deleting your files

canceling or changing access to some programs or files

These are not just theoretical possibilities; all of the bullet points above represent actual

resource compromises that have affected people. Sometimes these compromises have

been the result of malicious actions. Sometimes they've occurred by mistake or been

intended as pranks. However, they are situations that real people have had to face.

Cyber Criminal Tactics


A Damaging Link

Since starting his new job in another city, Gustaph finds himself relying on Facebook to stay connected with friends and family. Shortly after logging in one afternoon, Gustaph receives a Facebook message with a link to "Funny Party Pictures" from his cousin Vivian. Certain the pictures must be from his family's annual picnic that he missed the previous weekend, Gustaph clicks the link to view the pictures, but they don't appear. Then he tries to move and click the mouse again, but the mouse arrow freezes. Frustrated, he presses the power button until the computer turns off. When he powers it back on again, the computer boots to a blue screen, rather than the login screen Gustaph expected. He restarts his computer a few more times, only to get the same result. Giving up, Gustaph takes his computer to a computer repair shop in town, where he learns that his computer was infected with malware. A virus had erased his hard drive and all the information he had on it.

Gustaph ended up spending a lot of time finding all the CDs containing the software applications he had loaded on his machine. In some cases, he had to dig up records of legal copies he had downloaded from the software provider. He looked through his emails for links to software purchases. He did his best to give the repair shop all the software to configure his computer back to the way it was before the crash. Some software could not be recovered because Gustaph had obtained it from a friend without a user license. The cost of restoring his computer was more than $400. Since Gustaph had never backed up his files, all his personal files, resume, photos, music, and movies were lost. All he has left is the information in his emails.

Cyber Criminals

In computing, cyber criminals are people who circumvent security controls in order to gain unauthorized access to computers and networks. In the past, these individuals were often motivated by the intellectual exercise of defeating security controls. Today, cyber criminals are often motivated by money or political ambitions such as revenge or competitive advantage. Much like in the physical world, where thieves must use tools and specialized knowledge to bypass locks, alarm systems, guards, and other lines of defense, cyber criminals similarly use tools and specialized knowledge to bypass computer security controls.

In the previous module on privacy, you learned how cyber criminals try to lure you into providing access to your computing resources and personal information through social engineering scams, particularly phishing. It's important that you also know about other methods cyber criminals use to force their way into your computer.

Malware

The tools that cyber criminals often use can be generalized as "malware" and may consist of computer viruses, worms, Trojan horses, and spyware. These types of specialized software take advantage of vulnerabilities in computer hardware and software. Malware is short for "malicious software." Modern malware tends to combine features from all four categories, to the point that the terms have become nearly synonymous.

Computer viruses

Computer viruses piggyback on other programs or files in order to infect your computer. Viruses can spread to other computers via email, websites, file sharing, USB drives, and other removable media. Cyber criminals rely on social engineering and require user intervention to spread a computer virus, i.e., someone has to open an attachment or file, click on a link, or plug in a USB drive. Viruses may cause a computer's processing function to slow considerably.

Worms

Worms, unlike viruses, spread across networks by exploiting software vulnerabilities to launch copies of themselves on new victims without user intervention. Simply connecting to a network with a computer running outdated software may result in a worm infection.

Trojan horses

Trojan horses are malicious programs disguised as legitimate software. Victims are lured into installing them with promises of desired functionality. Viruses and worms may silently install Trojan horses to further compromise systems, or they may be buried deep within legitimate software. "Backdoor" Trojan horses can even facilitate unauthorized access to computers. Bolder Trojan horses may pretend to be security programs, which generate imaginary virus warnings and demand payment to remove viruses that in reality do not exist.

Spyware

Spyware is a type of malware that collects information about computers or their users and sends it to third parties without consent. Besides secretly monitoring user actions (e.g., logging keystrokes, emails, or instant messages), spyware can collect personally identifiable information (PII), which may lead to identity theft. Spyware may interfere with web browsing; even when using bookmarks or typing in the URL for a website, the browser will redirect to a fraudulent site designed to capture usernames and passwords or inject malicious content. An example of this would be a phony form on a legitimate-looking banking site asking for PII.

Spam

Spam messages are unsolicited messages sent to email accounts or cell phones from advertisers or cyber criminals. Advertisers use spam to attract attention to their products. Advertising spam can be a nuisance, but is often benign to computers. Spam messages can also contain fraudulent information, like check overpayment scams, foreign lotteries, investment schemes, and other cons. Although these kinds of spam can separate someone from their money, they won't harm computers. Other spam messages have malware attached or include links to malicious sites. Opening those attachments or clicking those links may install malware.

Protection from Cyber Criminal Attacks

How do you protect yourself and your computer from cyber criminal attacks?

Install Antivirus Software

Antivirus software scans your computer and files to protect it from known viruses. Since new malware is always being released, you'll need to update your antivirus software regularly and configure it to scan your computer at least once a week.

Install Firewall Software

As related to information technology, a firewall is a protective layer or "wall" between the computer and the internet. While antivirus software scans your computer and files, firewall software monitors, blocks, and filters activity between your computer and the internet. Like antivirus software, firewall software needs to be updated regularly to maintain its effectiveness. Antivirus and firewall software may sometimes be purchased in a single package.

There are good, legal, and free software alternatives when considering antivirus and firewall software. Just type "free antivirus software" or "free firewall software" into a search engine. Be sure, however, that the site you choose is a trusted site such as a recognized product review site: PCWorld, CNET, and Comodo are some of the best-known.

Install Software Updates

Operating system software developers continuously improve their products to add security and to fix errors in previously released versions. It is important to download and install updates as soon as you are notified that an update is available in order to keep your devices (phones, computers, tablets, etc.) secure.

Use a Strong Password

It's a good practice to change all your passwords every 90 days. If you suspect that any of your passwords have been compromised, change them immediately.

A strong password is reasonably difficult to guess in a short period of time, either through human guessing or through the use of specialized software.

Password Guidelines

The following are general recommendations for creating a strong password.

A strong password should:

- be at least eight characters in length
- contain both upper and lowercase alphabetic characters (A-Z, a-z)
- include at least one numeric character (0-9)
- use at least one special character (e.g., ~ ! @ # $ % ^ & * ( ) _ – + =)

A strong password should not:

- spell a word or series of words that can be found in a standard dictionary
- spell a word with a number added to the beginning and/or the end
- be based on any personal information such as user ID, family name, pet, birthday, etc.

The following are several recommendations for maintaining a strong password:

- Do not share your password with anyone for any reason. Passwords should not be shared with anyone, including any managers, coworkers, or friends. If someone needs information that's on your computer, email the file or place the file on a shared network. Passwords should not be shared even for the purpose of computer support or repair.

- Change your password periodically. As a general rule, changing your password every 90 days is recommended. If you suspect someone has compromised your account, change your password immediately. If you work in an office, report the incident to computer security personnel.

- Consider using a passphrase instead of a password. A passphrase is a password made up of a sequence of words with numeric and/or symbolic characters inserted throughout. A passphrase could be a lyric from a song or a favorite quote. Passphrases typically have additional benefits such as being longer and easier to remember. For example, the passphrase "My fav2rite N@SCAR dri4er!" is 26 characters long and includes alphabetic, numeric and special characters. It is also relatively easy to remember. It is important to note the placement of numeric and symbolic characters in this example as they prevent multiple words from being found in a standard dictionary. The use of blank spaces also makes a password more difficult to guess.

- Do not write your password down or store it in an insecure manner. To the extent possible, avoid writing down your passwords. In cases where it is necessary to write down a password, that password should be stored in a secure location and properly destroyed when no longer needed.

- Avoid reusing a password. When changing an account password, you should avoid reusing a previous password. If a user account was previously compromised, with or without your knowledge, reusing a password could allow that user account to become compromised once again. Similarly, if a password was shared for some reason, reusing that password could allow someone unauthorized access to your account.

- Avoid using the same password for multiple accounts. Though using the same password for multiple accounts makes it easier to remember your passwords, it can also have a chain effect, allowing an attacker to gain unauthorized access to multiple systems. This is particularly important when dealing with more sensitive accounts such as your credit card account or your online banking account.

- Do not use automatic log-on functionality. The option of storing your password so that you can save time by skipping your password entry the next time you log on is called automatic log-on functionality. Using automatic log-on functionality negates much of the value of using a password. If a malicious user is able to gain physical access to a system that has automatic log-on configured, he or she will be able to take control of the system and access potentially sensitive information.

- Consider using a strong password generator to create passwords. There are many such programs available. Type "strong password generator" into any search engine to find programs that are available for use.

- Consider using a password "base." Remembering a great number of different passwords is challenging. Consider using a base portion of a password and then changing some portion to use as a separate password. Do not just add numbers to the end of the base portion, however. Scatter the changes into the middle of the password base. For example, if the base is "UtahIowa" then one password might be: Uta4hIo9wa. Then change the numbers in the password to be used with the next site, keeping the Uta-hIo-wa.
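As an added example (not part of the course material above), the following Python function checks a candidate password against the guidelines in this section: minimum length, the four character classes, dictionary words (including a word with digits tacked on the front or back), and personal information. The small dictionary, the four-letter minimum for a dictionary match, the hyphen standing in for the dash in the special-character list, and the candidates tried in the main block are all assumptions made for illustration.

```python
import re
import string

# Special characters as listed in the guidelines (the dash is taken to be "-").
SPECIAL_CHARS = set("~!@#$%^&*()_-+=")

# Constructed stand-in for a standard dictionary; a real check would load a
# full word list such as /usr/share/dict/words.
DICTIONARY = {
    "password", "welcome", "letmein", "monkey", "dragon", "football",
    "utah", "iowa", "summer", "winter", "nascar", "favorite", "driver",
}
MIN_WORD_LEN = 4  # assumption: fragments shorter than this are not looked up

# Alphabetic "words" inside a password: runs of letters, additionally split at
# upper-case boundaries so that "UtahIowa" yields "Utah" and "Iowa".
WORD_RE = re.compile(r"[A-Z]?[a-z]+|[A-Z]+")


def _words(password: str) -> list:
    return [w for w in WORD_RE.findall(password) if len(w) >= MIN_WORD_LEN]


def check_password(password: str, personal_info: tuple = ()) -> list:
    """Return the guideline violations for *password* (empty list = strong).

    personal_info holds strings such as the user ID, family name, pet name or
    birthday that the guidelines say a password must not be based on.
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if not any(c in string.ascii_uppercase for c in password):
        problems.append("no uppercase letter")
    if not any(c in string.ascii_lowercase for c in password):
        problems.append("no lowercase letter")
    if not any(c in string.digits for c in password):
        problems.append("no numeric character")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("no special character")

    # One check covers both "spells a dictionary word" and "a word with a
    # number added to the beginning and/or end": digits at the ends leave the
    # bare word as a single alphabetic run, while digits or symbols inserted
    # inside the word (Uta4hIo9wa) break the run into fragments.
    for word in _words(password):
        if word.lower() in DICTIONARY:
            problems.append(f"based on dictionary word '{word}'")

    lowered = password.lower()
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append(f"contains personal information '{item}'")
    return problems


def is_strong(password: str, personal_info: tuple = ()) -> bool:
    return not check_password(password, personal_info)


if __name__ == "__main__":
    # Candidates taken from the guidelines plus two constructed weak ones.
    for candidate in ("UtahIowa", "Password1", "Uta4hIo9wa",
                      "My fav2rite N@SCAR dri4er!"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
    print(check_password("fluffy1", personal_info=("fluffy",)))
```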

Develop Good Security Habits

Throughout this module, you have been introduced to good security practices. Here's a summary of good security habits:

- Never open unexpected email attachments. If in doubt, verify the authenticity by calling or sending a new email to the sender using a phone number or address from a source other than the suspect email. An attachment could be malware in disguise.
- Beware of links sent to you via email, on social networking sites, or through text messages. Maliciously crafted links could direct you to malware or phishing sites.
- Be sure to use log-on passwords. Never leave your computer unattended without locking it, even if you're stepping away for only a minute.
- Consider locking up laptops in a desk or cabinet drawer when not in use. Unsecured laptops are easy targets.
- Always lock your doors and never leave your computer unattended in a public location.
- If you share your computer with friends, watch what they might be doing to your computer and with your identity.
- When visiting websites that require logging in, make sure you log out when you're done.
- When you finish using a computer, log out of it.
- Watch out for "shoulder surfing." Make sure no one is watching you enter your password or other personal information.
- Always back up your data and files, and lock the backups in a safe place.
- Use encryption (see below) for sensitive data storage and transmission.

Encryption

Encryption is the process of transforming information from plaintext into an unreadable format to keep it secret. Only authorized entities should be able to reverse the process. Using encryption, information can be stored or transmitted via shared media without risking disclosure.

When encrypting information, applications will typically ask for a password. The password is the key to locking and unlocking the information. If you lose the password, you won't be able to recover the information. Certain applications like Microsoft Word provide optional encryption functionality. Find out whether the applications you use support encryption. If they don't, avoid using them when processing sensitive data including passwords and other PII.

Certain websites, especially ones that allow financial transactions, use encryption between your browser and their server. This can be discerned by looking at the URL. If the URL begins with "http://", then the communication between your browser and the web server is not encrypted. If the URL begins with "https://", then the communication is encrypted. The "s" after "http" stands for "secure." Some browsers may provide additional encryption indicators such as displaying lock icons and changing the color of the address bar.

Encryption provides a way to keep private information private in an increasingly public world.

What Are Some Signs That a Computer Is Compromised?

Symptoms computers may experience when compromised include system crashes (the computer doesn't turn on), unexplained disk activity, frequent error messages, lots of advertising pop-up windows that appear without actual web browsing, and unexplained variations in the computer's performance and behavior.

The following is a list of indicators of a possible computer compromise or infection:

- Pop-up ads increase in frequency.
- Pop-up ads appear even when you're not browsing the web.
- The home page of your web browser changes without your authorization.
- Your computer seems less responsive.
- Your internet access is persistently slower.
- Programs fail to start because Windows is "low on resources."
- Programs such as the Task Manager or the Control Panel fail to start and report "permission denied" errors, even though you have administrative rights to your machine.
- Your firewall cannot be started.
- Antivirus software cannot be updated or fails to enable.
- Your computer is crashing or "blue-screening" often.

Responding to a Compromise

If you believe that your computer has been compromised, you may be able to run an up-to-date antivirus scan and quarantine some of the infected files. There's a chance that file quarantining followed by removing the quarantined files can fix the problem.

In almost all cases of computer compromise, you'll need to have your computer serviced by a professional to get it working properly.

References

FIPS PUB 199: Standards for security categorization of federal information and information systems. Retrieved from http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf

Licenses and Attributions

Integrity by Janet Zimmer is available under a Creative Commons Attribution-ShareAlike 3.0 Unported (https://creativecommons.org/licenses/by-sa/3.0/deed.en) license.

Confidentiality, Integrity, Availability (CIA) by Janet Zimmer is available under a Creative Commons Attribution-ShareAlike 3.0 Unported (https://creativecommons.org/licenses/by-sa/3.0/deed.en) license.

Confidentiality by Janet Zimmer is available under a Creative Commons Attribution-ShareAlike 3.0 Unported (https://creativecommons.org/licenses/by-sa/3.0/deed.en) license.

Availability by Janet Zimmer is available under a Creative Commons Attribution-ShareAlike 3.0 Unported (https://creativecommons.org/licenses/by-sa/3.0/deed.en) license.


© 2022 University of Maryland Global Campus. All links to external sites were verified at the time of publication. UMGC is not responsible for the validity or integrity of information located at external sites.


Payment Card Industry Security Standards Council

Data Security Essentials for Small Merchants: Guide to Safe Payments. A product of the Payment Card Industry Small Merchant Task Force. Version 2.0 • August 2018

Data Security Essentials for Small Merchants: Guide to Safe Payments Copyright 2018 PCI Security Standards Council, LLC. All Rights Reserved. This Guide to Safe Payments is provided by the PCI Security Standards Council (PCI SSC) to inform and educate merchants and other entities involved in payment card processing. For more information about the PCI SSC and the standards we manage, please visit www.pcisecuritystandards.org. The intent of this document is to provide supplemental information, which does not replace or supersede PCI Standards or their supporting documents.

UNDERSTANDING YOUR RISK

As a small business, you are a prime target for data thieves.

When your payment card data is breached, the fallout can strike quickly. Your customers lose trust in your ability to protect their personal information. They take their business elsewhere. There are potential financial penalties and damages from lawsuits, and your business may lose the ability to accept payment cards. A survey of 1,015 small and medium businesses found 60% of those breached close in six months. (NCSA)

[Figure: small-business breach statistics]

- 61% of breaches hit smaller businesses last year, up from the previous year’s 53% (Verizon 2017)
- £30 billion cost to UK business due to cyber security breaches in 2016 (Beaming UK)
- 50% of small businesses have been breached in the past 12 months (Ponemon Institute)
- Only 39% of small firms have formal policies covering cyber security risks in 2017 (Dept for Culture Media and Sport)

4Data Security Essentials for Small Merchants: Guide to Safe PaymentsCopyright 2018 PCI Security Standards Council, LLC. All Rights Reserved.

What’s at risk?

WHAT IS PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements that can help small merchants to protect customer card data located on payment cards. Small merchants may be familiar with validating their PCI DSS compliance via a Self-Assessment Questionnaire (SAQ). For more information on PCI DSS, see the Resources at the end of this guide.

YOUR CUSTOMERS’ CARD DATA IS A GOLD MINE FOR CRIMINALS. DON’T LET THIS HAPPEN TO YOU! Follow the actions in this guide to protect against data theft.

Examples of payment card data are the primary account number (PAN) and three- or four-digit card security code. The red arrows in the figure point to the types of data that require protection.

TYPES OF DATA ON A PAYMENT CARD

- Chip
- PAN
- Cardholder name
- Expiration date
- Magnetic stripe (data on tracks 1 and 2)
- Card security code (American Express)
- Card security code (all other payment brands)


Understanding your payment system: Common payment terms

Accepting face-to-face card payments from your customers requires special equipment. Depending on where in the world you are located, equipment used to take payments is called by different names. Here are the types we reference in this document and what they are commonly called.

A PAYMENT SYSTEM includes the entire process for accepting card payments. Also called the cardholder data environment (CDE), your payment system may include a payment terminal, an electronic cash register, other devices or systems connected to a payment terminal (for example, Wi-Fi for connectivity or a PC used for inventory), and the connections out to a merchant bank. It is important to use only secure payment terminals and solutions to support your payment system. See page 21 for more information.

A PAYMENT TERMINAL is the device used to take customer card payments via swipe, dip, insert, tap, or manual entry of the card number. Point-of-sale (or POS) terminal, credit card machine, PDQ terminal, or EMV/chip-enabled terminal are also names used to describe these devices.

An INTEGRATED PAYMENT TERMINAL is a payment terminal and electronic cash register in one, meaning it takes payments, registers and calculates transactions, and prints receipts.

An ELECTRONIC CASH REGISTER (or till) registers and calculates transactions, and may print out receipts, but it does not accept customer card payments.

A MERCHANT BANK is a bank or financial institution that processes credit and/or debit card payments on behalf of merchants. Acquirer, acquiring bank, and card or payment processor are also terms for this entity.

ENCRYPTION (or cryptography) makes card data unreadable to people without special information (called a key). Cryptography can be used on stored data and data transmitted over a network. Payment terminals that are part of a PCI-listed P2PE solution provide merchants the best assurance about the quality of the encryption. With a PCI-listed P2PE solution, card data is always entered directly into a PCI-approved payment terminal with something called “secure reading and exchange of data (SRED)” enabled. This approach minimizes risk to clear-text card data and protects merchants against payment-terminal exploits such as “memory scraping” malware. Any encryption that is not done within a PCI-listed P2PE solution should be discussed with your vendor.


Understanding your E-commerce Payment System

When you sell products or services online, you are classified as an e-commerce merchant. Here are some common terms you may see or hear and what they mean.

An E-COMMERCE WEBSITE houses and presents your business website and shopping pages to your customers. The website may be hosted and managed by you or by a third party hosting provider.

An E-COMMERCE PAYMENT SYSTEM encompasses the entire process for a customer to select products or services and for the e-commerce merchant to accept card payments, including a website with shopping pages and a payment page or form, other connected devices or systems (for example Wi-Fi or a PC used for inventory), and connections to the merchant bank (also called a payment service provider or payment gateway). Depending on the merchant’s e-commerce payment scenario, an e-commerce payment system is either wholly outsourced to a third party, partially managed by the merchant with support from a third party, or managed exclusively by the merchant.

Your SHOPPING PAGES are the web pages that show your product or services to your customers, allowing them to browse and select their purchase, and provide you with their personal and delivery details. No payment card data is requested or captured on these pages.

Your PAYMENT PAGE is the web page or form used to collect your customer’s payment card data after they have decided to purchase your product or services. Handling of card data may be 1) managed exclusively by the merchant using a shopping cart or payment application, 2) partially managed by the merchant with the support of a third party using a variety of methods, or 3) wholly outsourced to a third party. Most times, using a wholly outsourced third party is the safest option – and it is important to make sure they are a PCI DSS validated third party.

[Figure: a merchant e-commerce website with merchant shopping pages (CHECKOUT) leading over the Internet either to a merchant payment page (PAY NOW) or to a PCI DSS compliant third-party service provider]


How is your business at risk?

How do you sell your goods or services? There are three main ways:

1. A person walks into your shop and makes a purchase with their card.
2. A person visits your website and pays online.
3. A person calls your shop and provides card details over the phone, or sends the details in the mail or via fax.

The more features your payment system has, the more complex it is to secure.

Think carefully about whether you really need extra features such as Wi-Fi, remote access software, Internet-connected cameras, or call recording systems for your business. If not properly configured and managed, each of these features can provide criminals with easy access to your customers’ payment card data. If you are an e-commerce merchant, it is very important to understand how or if payment data is captured on your website. In most cases, using a wholly outsourced third party to capture and process payments is the safest option.

[Figure: a scale from SIMPLE ENVIRONMENT (easier to reduce risk) to COMPLEX ENVIRONMENT (harder to reduce risk)]


Understanding your risk: Payment system types

Use the Common Payment Systems to help you identify what type of payment system you use, your risk, and the recommended security tips as a starting point for conversations with your merchant bank and vendor partners.

Your security risks vary greatly depending on the complexity of your payment system, whether face-to-face or online.

[Figure: payment system types and their risk profiles; numbered risk points are explained on the next page]

Simple payment system for in-shop purchases (risk profile: LOWER). A dial-up payment terminal, with payments sent via phone line. The payment terminal is connected to the bank by a dial-up telephone line, and the terminal shows it is dialing for each transaction. Risk points for this scenario are the dial-up payment terminal itself and paper documents with card data.

Complex payment system for in-shop purchases, with Wi-Fi, cameras, Internet phones, and other attached systems (risk profile: HIGHER). The payment terminal connects to an electronic cash register, with additional connected equipment (cameras, IP phones, general-use computers, and a router/firewall), and payments are sent via the Internet. Card data can be entered on the electronic cash register or the payment terminal. The merchant might also use Wi-Fi capability in addition to wired networking, and/or may offer Wi-Fi for customer use. There are many risk points here due to numerous systems connected to the Internet and to payment terminals. Each system has to be configured and managed properly to minimize risk.

Complex e-commerce payment system for online shop purchases, with the merchant managing their own website and payment page (CHECKOUT and PAY NOW pages).


PROTECT YOUR BUSINESS WITH THESE SECURITY BASICS

How do you protect your business?

These security basics are organized from easiest and least costly to implement to those that are more complex and costly to implement. The amount of risk reduction that each provides to small merchants is also indicated in the “Risk Mitigation” column.

The good news is, you can start protecting your business today with these security basics (the guide rates each one with Cost, Ease, and Risk Mitigation icons):

1. Use strong passwords and change default ones
2. Don’t give hackers easy access to your systems
3. Use anti-virus software
4. Scan for vulnerabilities and fix issues
5. Use secure payment terminals and solutions
6. Protect your business from the Internet
7. For the best protection, make your data useless to criminals
8. Protect your card data and only store what you need
9. Inspect payment terminals for tampering
10. Install patches from your vendors
11. Use trusted business partners and know how to contact them
12. Protect in-house access to your card data


Use strong passwords and change default ones

CHANGE YOUR PASSWORDS REGULARLY. Treat your passwords like a toothbrush. Don’t let anyone else use them and get new ones every three months.

TALK TO YOUR SERVICE PROVIDERS. Ask your vendors or service providers about default passwords and how to change them. Then do it! Also, if your service provider manages passwords for your systems, ask them if they’ve changed those vendor default passwords.

MAKE THEM HARD TO GUESS. The most common passwords are "password" and "123456." Hackers try easily-guessed passwords first because they're used by half of all people. A strong password has at least seven characters (treat that as the floor; longer is stronger) and a combination of upper and lower case letters, numbers, and symbols (like !@#$&*). A phrase can also be a strong password (and may be easier to remember), like "B1gMac&frieS."

DON’T SHARE. Insist on each employee having their own login IDs and passwords – never share!

65% of SMBs that have a password policy do not strictly enforce it (Ponemon Institute).


TYPICAL DEFAULT PASSWORDS THAT MUST BE CHANGED: [none] (a blank password), [name of product/vendor], 1234 or 4321, access, admin, anonymous, company name, database, guest, manager, pass, password, root, sa, secret, sysadmin, user.

Your passwords are vital for computer and card data security. Just like a lock on your door protects physical property, a password helps protect your business data. Also be aware that computer equipment and software out of the box (including your payment terminal) often come with default (preset) passwords such as “password” or “admin,” which are commonly known by hackers and are a frequent source of small merchant breaches.

For more about password security, see these resources on the PCI Council website: the infographic "It's Time to Change Your Password" and the video "Learn Password Security in 2 Minutes" (links in Resources).
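A small policy check that applies the rules above to a device inventory, so the shop's router, cameras, IP phones and terminals can be audited in one pass. This is an added example, not code from the PCI guide or from any vendor: the default-password list and the seven-character/mixed-class rule are the guide's, while the function names, the sample inventory and the company and vendor names in it are constructed for the example.

```python
"""Password policy check for merchant systems and payment devices.

Added example; encodes the guide's rules: reject vendor/default passwords,
require at least seven characters with upper, lower, digit and symbol, and
reject passwords built from the product, vendor or company name.
"""
import re

# Default passwords the guide lists as "must be changed" ("[none]" is the
# empty string). Compared case-insensitively after stripping whitespace.
DEFAULT_PASSWORDS = {
    "", "1234", "4321", "123456", "access", "admin", "anonymous",
    "database", "guest", "manager", "pass", "password", "root", "sa",
    "secret", "sysadmin", "user",
}


def check_password(password, context_words=()):
    """Return a list of policy failures; an empty list means it passes.

    context_words: names the guide says must not be used, e.g. the product,
    vendor or company name. Matching ignores case but does not undo
    substitutions like "p@ss" for "pass": this is a policy check, not a
    cracking-resistance estimate.
    """
    failures = []
    pw = password.strip()
    lowered = pw.lower()

    if lowered in DEFAULT_PASSWORDS:
        failures.append("matches a known default password")
    for word in context_words:
        w = word.strip().lower()
        if w and w in lowered:
            failures.append(f"contains product/vendor/company name '{word}'")
    if len(pw) < 7:
        failures.append("shorter than 7 characters")
    if not re.search(r"[A-Z]", pw):
        failures.append("no upper-case letter")
    if not re.search(r"[a-z]", pw):
        failures.append("no lower-case letter")
    if not re.search(r"[0-9]", pw):
        failures.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        failures.append("no symbol")
    return failures


def audit_inventory(inventory, company):
    """inventory: list of (device_name, vendor, current_password).
    Returns {device_name: [failures]} for every device that fails."""
    report = {}
    for device, vendor, pw in inventory:
        failures = check_password(pw, context_words=(vendor, company))
        if failures:
            report[device] = failures
    return report


# Constructed sample inventory for the Type 9 shop; vendor names are made up.
SAMPLE_INVENTORY = [
    ("pos-terminal-1", "ExampleTerm", "B1gMac&frieS"),   # passes
    ("store-router", "RouterCo", "admin"),               # vendor default
    ("lobby-camera", "CamCo", "CamCo1234"),              # vendor name, no symbol
    ("ip-phone-3", "PhoneCo", "Acme Bakery 2018!"),      # company name
]

if __name__ == "__main__":
    for device, failures in audit_inventory(SAMPLE_INVENTORY, "Acme Bakery").items():
        print(device, "->", "; ".join(failures))
```

Run it against the real inventory (the list the guide tells you to keep) after every new device is installed; a device that fails the default-password check is exactly the "frequent source of small merchant breaches" described above.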


Protect card data and only store what you need

ASK AN EXPERT. Ask your payment terminal vendor, service provider, or merchant bank where (or if) your systems store data and if you can simplify how you process payments. Also ask how to conduct specific transactions (for example, for recurring payments) without storing the card’s security code.

OUTSOURCE. The best way to protect against data breaches is not to store card data at all. Consider outsourcing your card processing to a PCI DSS compliant service provider. See Resources on page 25 for lists of compliant service providers.

IF YOU DON'T NEED CARD DATA, DON'T STORE IT. Securely destroy/shred card data you don't need. If you must keep paper that carries sensitive card data, black out the data with a thick marker until it is unreadable (shredding is the more reliable option, since marker over printed digits can often still be read or scanned) and keep the paper in a locked drawer or safe that only a few people can open.

LIMIT RISK. Rather than accepting payment details via email, ask customers to provide it via phone, fax, or regular mail.

TOKENIZE OR ENCRYPT. Ask your merchant bank if you REALLY need to store that card data. If you do, ask your merchant bank or service provider about encryption or tokenization technologies that make card data useless even if stolen.

See "For the best protection, make your data useless to criminals" for more on encryption and tokenization.


ENCRYPTION PRIMER

Cryptography uses a mathematical formula to render plaintext unreadable to anyone without a secret piece of knowledge (called a key). Cryptography is applied to stored data as well as data transmitted over a network.

ENCRYPTION changes plaintext into ciphertext.

DECRYPTION changes ciphertext back into plaintext.

It's impossible to protect card data if you don't know where it is.

What can you do?

Another place to check for stored payment data is email. If you receive card details by email, you can still process the transaction, but delete the email immediately and tell the sender how you prefer to receive cardholder data (and that email is not a safe way to send it). Do not simply reply to the customer's original message: a reply quotes the card details, so you would then be storing them twice, in the original and in your sent mail. Delete the card details from the reply before sending.

Tokenization has a similar goal to encryption but works differently. It substitutes card data with meaningless data (a “token”) that has no value to a hacker. Merchants can use tokens to submit subsequent transactions, process a refund, etc. without needing to store the actual payment card details. The token is used by your payment processor to look up the card details, which they store instead of you.
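To make the difference concrete, here is a worked tokenization example in Python. It is an added example, not code from the PCI guide or from any payment processor: the TokenVault class stands in for the processor's vault, the test card number 4111 1111 1111 1111 is a constructed input, and the first-six/last-four truncation follows the guide's advice to keep only what you need. Encryption of the vault's own table is out of scope here; a real vault encrypts it and sits inside the processor's PCI DSS environment.

```python
"""Tokenization vault and PAN truncation (added example, not the guide's code).

Two properties are shown: a token carries no information about the card
(it is random, and only the vault can map it back), and a truncated PAN
(first six / last four) is enough for receipts and lookups without
storing the full number. The in-memory dict stands in for the processor's
vault, which in reality is encrypted and access-controlled.
"""
import secrets


def luhn_valid(pan):
    """Luhn check-digit test on an all-digit string of 12..19 characters.
    Rejects malformed card numbers before they are tokenized."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan):
    """First six and last four digits, the most a merchant should keep in
    clear text for display or matching, e.g. '411111******1111'."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Maps random tokens to PANs. The merchant stores only the token."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan):
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        # 128 bits of randomness: unguessable and mathematically unrelated
        # to the PAN. A fresh token per call means two stored tokens for the
        # same card cannot be linked by looking at them.
        token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token):
        """Only the vault (processor side) ever resolves a token."""
        return self._pan_by_token.get(token)


def merchant_record(vault, pan, amount_cents):
    """What the merchant's own database should hold for a sale: no PAN."""
    return {
        "token": vault.tokenize(pan),
        "masked_pan": truncate_pan(pan),
        "amount_cents": amount_cents,
    }


if __name__ == "__main__":
    vault = TokenVault()
    rec = merchant_record(vault, "4111111111111111", 1999)  # constructed test PAN
    print("merchant stores:", rec)
    # A later refund is submitted with the token; the processor resolves it.
    print("processor resolves:", truncate_pan(vault.detokenize(rec["token"])))
```

Nothing in the merchant record reveals the PAN: the token has no relation to the card, so a stolen merchant database gives an attacker nothing to charge, and a refund or repeat charge is submitted with the token alone.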

[Figure: plaintext is turned into ciphertext with an ENCRYPTION KEY, and ciphertext back into plaintext with a DECRYPTION KEY.]


Inspect payment terminals for tampering

Be vigilant and follow these steps:

KEEP A LIST of all payment terminals and take pictures (front, back, cords, and connections) so you know what they are supposed to look like.

LOOK FOR OBVIOUS SIGNS of tampering, such as broken seals over access cover plates or screws, odd/different cabling, or new devices or features you don’t recognize. The Council’s guide (referenced below) can help.

PROTECT TERMINALS. Keep them out of customers’ reach when not in use and restrict public viewing of the screens. Make sure your payment terminals are secure before you close your shop for the day, including any devices that read your customers’ payment cards or accept their personal identification numbers (PINs).

CONTROL REPAIRS. Only allow payment terminal repairs from authorized repair personnel, and only if you are expecting them. Tell your staff too. Monitor any third-parties with physical access to your payment terminals, even if they are there for another reason, to make sure they don’t modify your payment terminals.

CALL your payment terminal vendor or merchant bank immediately if you suspect anything!


“Skimming devices” sweep up your customers’ card data as it enters a payment terminal. It’s vital that you and your staff know how to spot a skimming device, what your payment terminals should look like, and how many you have. You need to regularly check your payment terminals to make sure they have not been tampered with. If there is any suspicion that a terminal has been tampered with, DO NOT USE it, and report this immediately to your merchant bank and/or terminal vendor.

See the PCI Council’s guide: Skimming Prevention – Overview of Best Practices for Merchants


Use trusted business partners and know how to contact them

COMMON VENDORS

Refer to the table in the Questions to ask your Vendors for more details about these common vendors:

• Payment terminal vendors

• Payment application vendors

• Payment system installers (called Integrators/ Resellers)

• Service providers that perform payment processing, or e-commerce hosting or processing

• Service providers that help you meet PCI DSS requirement(s) (for example, providing firewall or antivirus services)

• Providers of Software as a Service

KNOW WHO TO CALL. Who is your merchant bank? Who else helps you process payments? Who did you buy your payment device/software from and who installed it for you? Who are your service providers?

KEEP A LIST. Now that you know who to call, keep company and contact names, phone numbers, website addresses, and other contact details where you can easily find them in an emergency.

CONFIRM THE SECURITY OF YOUR SERVICE PROVIDERS. Is your service provider adhering to PCI DSS requirements? For e-commerce merchants, it is important that your payment service provider is PCI DSS compliant too! See Resources on page 25 for lists of compliant service providers.

ASK QUESTIONS. Once you know who your outside providers are and what they do for you, talk to them to understand how they protect card data. Use Questions to ask your Vendors to help you know what to ask.

UNDERSTAND COMMON VENDORS. Review the COMMON VENDORS list above to understand the common types of vendors or service providers you may work with.


You use outside providers for payment-related services, devices and applications. You may also have service providers that you share card data with, that support or manage your payment systems, or that you give access to card data. You may call them processors, vendors, third parties, or service providers. All of these impact your ability to protect your card data, so it’s critical you know who they are and what security questions to ask them.


Install patches from your vendors

ASK your vendor or service provider how it notifies you of new security patches, and make sure you receive and read these notices.

WHICH VENDORS SEND YOU PATCHES? You may get patches from vendors of your payment terminal, payment applications, other payment systems (tills, cash registers, PCs, etc.), operating systems (Android, Windows, iOS, etc.), application software (including your web browser), and business software.

MAKE SURE your vendors update your payment terminals, operating systems, etc. so they can support the latest security patches. Ask them.

E-COMMERCE MERCHANTS. Installing patches as soon as possible is very important for you too. Also look out for patches from your payment service provider. Ask your e-commerce hosting provider whether they patch your system (and how often). Make sure they update the operating system, e-commerce platform and/ or web application so it can support the latest patches.

FOLLOW your vendor’s/service provider’s instructions and install those patches as soon as possible.

Software can have flaws that are discovered after release, caused by mistakes made by programmers when they wrote the code. These flaws are also called security holes, bugs or vulnerabilities. Hackers exploit these mistakes to break into your computer and steal account data. Protect your systems by applying vendor-supplied “patches” to fix coding errors. Timely installation of security patches is crucial!

It is important that you know how your software is being regularly updated with patches and who is responsible (it could be you!). Also, some patches install automatically when they become available. If you’re not sure how patches get added or who is responsible, make it a point to ask your vendor/ supplier.


Protect in-house access to your data

ACCESS CONTROL IS ALL IMPORTANT. Set up your system to grant access only based on a “business need-to-know.” As the owner, you have access to everything. But most employees can do their job with access only to a subset of data, applications, and functions.

LIMIT ACCESS to payment systems and unencrypted card data to only those employees that need access, and only to the data, applications and functions they need to do their jobs.

KEEP A LOG. Track all “behind the counter” visitors in your establishment. Include name, reason for visit, and name of employee that authorized visitor’s access. Keep the log for at least a year.

SECURELY DISPOSE OF DEVICES. Ask your payment system vendor or service provider how to securely remove card data before selling or disposing of payment devices (so data cannot be recovered).

SHARE THIS INFORMATION. Give this guide to your employees, business partners, and third-party service providers (such as e-commerce hosting providers) so they know what is expected.

MAKE USER IDS UNIQUE for each person with access to your payment system whenever possible. This will help you keep track of who logs in and when, and any changes they make.


Consider giving employees access to take payments but not to process refunds, or to take new bookings/ orders but not to access payment card data related to existing booking/orders. Some employees should have no access at all.

25% OF BREACHES INVOLVE INTERNAL ACTORS (Verizon 2017 Data Breach Investigations Report).

Privilege abuse means a person using someone else's information and details to gain access to systems or data that person is not authorized to have access to.


Don’t give hackers easy access to your systems

If your vendor supports or troubleshoots your payment system from their office (and not from your location) they are using the Internet and remote access software to do this.

Examples of products your vendor may install on your terminal and use to support you remotely include VNC & LogMeIn.


FIND OUT. Ask your payment system vendor or service provider if they use remote access to support or access your business systems.

ASK HOW TO LIMIT USE OF REMOTE ACCESS. Many remote access programs are always on, or always available by default, meaning the vendor can access your systems remotely all the time (this also means that hackers can access your systems too since many vendors use commonly-known passwords for remote access). Reduce your risk – ask your vendor how to disable remote access when not needed, and how to enable it when your vendor or service provider specifically requests it.

DISABLE IT WHEN DONE. To protect your business, it’s important that you take a part in managing how and when your vendors can access your systems.

USE STRONG AUTHENTICATION. If you must allow remote access, require multi-factor authentication and strong cryptography.

ENSURE SERVICE PROVIDERS USE UNIQUE CREDENTIALS. Each one must use remote access credentials that are unique to your business and that are not the same ones used for other customers.

ASK FOR HELP. Ask your vendor or service provider for help disabling remote access, or (if your vendor or service provider needs remote access) for help setting up multi-factor authentication. See Questions to ask your Vendors to help you know exactly what to ask them.

HACKERS = THREATS

One of the easiest ways for hackers to get into your system is through people you trust. You need to know how your vendors are accessing your system to make sure it’s not opening up any holes for hackers.

Multi-factor authentication uses a username and password plus at least one other factor, such as a smart card, a dongle (a small device that plugs into a computer to unlock access to wireless, software features, etc.), or a one-time passcode.
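The one-time passcode factor is usually a time-based code (TOTP, RFC 6238). The following is an added Python example, not code from the PCI guide or from any remote-access product: it shows code generation, a verification step that tolerates one 30-second step of clock drift, and a replay check so a code captured from a vendor's support session cannot be reused. The seed is the RFC 6238 reference test secret, used only so the output is checkable; the RemoteAccessGate class and its names are this example's own.

```python
"""TOTP second factor for vendor remote access (added example).

Implements HOTP (RFC 4226) and TOTP (RFC 6238) with HMAC-SHA1, the variant
most authenticator apps use, plus a gate that refuses replayed codes.
"""
import hashlib
import hmac
import struct
import time

SEED = b"12345678901234567890"   # RFC 6238 reference test secret, not a real one
STEP = 30                        # seconds per code
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then RFC 4226
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=STEP, digits=DIGITS):
    """TOTP is HOTP with the counter derived from the clock."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, submitted, unix_time, window=1):
    """Accept the code for the current step or `window` steps either side
    (clock drift). Compares in constant time. Returns the matched counter
    so the caller can refuse a second use of the same counter, or None."""
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return None
    current = int(unix_time) // STEP
    for counter in range(max(0, current - window), current + window + 1):
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


class RemoteAccessGate:
    """Second-factor check for a vendor support login, with replay refusal.
    The password check (first factor) is assumed to happen before this."""

    def __init__(self, secret):
        self._secret = secret
        self._last_counter = -1

    def allow(self, submitted_code, now=None):
        now = time.time() if now is None else now
        counter = verify_totp(self._secret, submitted_code, now)
        if counter is None or counter <= self._last_counter:
            return False          # wrong code, or a code already used
        self._last_counter = counter
        return True


if __name__ == "__main__":
    gate = RemoteAccessGate(SEED)
    code = totp(SEED, time.time())
    print("vendor enters", code, "->", gate.allow(code))
    print("same code again ->", gate.allow(code))   # replay refused
```

In practice the secret is generated per vendor account at enrolment (never shared across customers, as the guide requires for credentials) and stored only on the merchant's authentication server and the vendor's authenticator; the gate is what the remote-access software should consult before a session is opened.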


Use anti-virus software

INSTALL ANTI-VIRUS SOFTWARE TO PROTECT YOUR PAYMENT SYSTEM. It is easy to install and can be obtained from your local office supply shop or IT retailer.

SET THE SOFTWARE TO “AUTOMATIC UPDATE” so you always get the most recent protection available.

GET ADVICE. Ask your IT retailer about products they recommend for anti-virus/anti-malware protection.

RUN AUTOMATIC SCANS. Schedule regular full system scans, since your systems may have been infected by new malware that was released before your anti-virus software was able to detect it.

E-COMMERCE MERCHANTS. Installing anti-virus software is very important for you too. Ask your service provider(s) whether they have installed anti-virus software on your system (and how often it is updated). Make sure they keep the anti-virus software up-to-date and regularly scan your system for malware.


Hackers write viruses and other malicious code to exploit software features and coding mistakes, so they can break into your systems and steal card data. Using up-to-date anti-virus (also called anti- malware) software helps to protect your systems.


Scan for vulnerabilities and fix issues

GET ADVICE. Ask your merchant bank if they have partnerships with any PCI Approved Scanning Vendors (ASVs). Ask your vendors and service providers too.

TALK TO A PCI ASV. These vendors can help you with tools that automatically identify vulnerabilities and misconfigurations in your Internet-facing payment systems, e-commerce website, and/or networks and provide you with a report if, for example, you need to apply a patch. The PCI Council's list of ASVs (see Resources) can help you find a scanning vendor.

SELECT A SCANNER. Contact several PCI ASVs to find one with a program suitable for your small business.

ADDRESS VULNERABILITIES. Ask your ASV, payment system vendor or service provider, or merchant bank for help correcting issues found by scanning.


The PCI Council’s Approved Scanning Vendors (ASVs) perform external vulnerability scanning and reporting. See PCI’s List of PCI-Approved Scanning Vendors

New vulnerabilities, security holes, and bugs are being discovered daily. It’s vital to have your Internet-facing systems tested regularly to identify these new risks and address them as soon as possible. Your Internet-facing systems (like many payment systems) are the most vulnerable because they can be easily exploited by criminals, allowing them to sneak into your systems.


Use secure payment terminals and solutions

USE SECURE PAYMENT TERMINALS AND PIN ENTRY DEVICES. The PCI Council approves payment terminals that protect PIN data. Make sure your payment terminal or device is on the List of PCI Approved PTS Devices for equipment that provides the best security, and supports "EMV chip."

USE SECURE SOFTWARE. Make sure your payment software is on the List of PCI Validated Payment Applications.

USE QUALIFIED PROFESSIONALS. Make sure the person installing your payment system does it correctly and securely. Choose from the List of PCI QIRs to help you. Ask your merchant bank to help you make the selection.

USE SECURE E-COMMERCE PAYMENT SERVICE PROVIDERS. If you don't already, consider using a PCI DSS compliant service provider to help you securely process your e-commerce payment transactions, and/or to manage your e-commerce website.

LOOK FOR PCI DSS COMPLIANT SERVICE PROVIDERS. Make sure your payment service provider is compliant with PCI DSS. Check Mastercard's and Visa's lists to confirm that they are listed: MasterCard's List of Compliant Service Providers, Visa's Global Registry of Service Providers, and Visa Europe's Registered Agents (links in Resources).

REFER TO THIS LIST OF VENDOR QUESTIONS. Use Questions to ask your Vendors to help you know what to ask your vendors and service providers.


Your customers enter their personal identification numbers (PINs) for their payment cards into your payment terminal or PIN entry device. It is important to use secure devices to protect your customers’ PIN data.

A sure way to better protect your business is to use secure payment solutions and trained professionals to help you. Here’s how to choose safe products and make sure they are set up securely.

For PCI payment terminals and secure card readers that encrypt card data, see page 23.


Protect your business from the Internet

ISOLATE USAGE. Don’t use the device or system you take payments with for anything else. For example, don’t surf the web or check emails or social media from the same device or computer that you use for payment transactions. When necessary for business (for example, updating your business’s social media page), use another computer and not your payment device for these updates.

PROTECT YOUR “VIRTUAL TERMINAL.” If you enter customer payments via a virtual terminal (a web page you access with a computer or a tablet), minimize your risk – don’t attach an external card reader to it.

PROTECT WI-FI. If your shop offers free Wi-Fi for your customers, make sure you use another network for your payment system (this is called “network segmentation”). Ask your network installer for help with safely configuring Wi-Fi.

USE A FIREWALL. A properly configured firewall acts as a buffer to keep hackers and malicious software from getting access to your payment systems, your e-commerce website, and/or your card data. Check with your payment terminal vendor or service provider to make sure you have one and ask them for help configuring it correctly.

USE PERSONAL FIREWALL SOFTWARE OR EQUIVALENT when payment systems are not protected by your business firewall (for example, when connected to public Wi-Fi).


The Internet is the main highway used by data thieves to attack and steal your customers’ card data. For this reason, if your business is on the Internet, anything you use for card payments needs extra protection.

A firewall is equipment or software that sits between your payment system and the Internet. It acts as a barrier to keep traffic out of your network and systems that you don’t want and didn’t authorize. Firewalls are configured (in hardware, software, or both) with specific criteria to block or prevent unauthorized access to a network. Firewalls are often included in the router “box” provided by your Internet provider.

For simple tips on configuring your firewall, see PCI Firewall Basics
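The segmentation and firewall advice above comes down to a default-deny rule set between zones. The following added Python example (not the PCI guide's code, and not any firewall's configuration syntax) models the Type 9 shop: a POS zone for the terminal and cash register, an office zone for general-use computers, a zone for cameras and IP phones, and a guest Wi-Fi zone. The subnets, the processor's address 203.0.113.10 and the port numbers are assumptions; the point of the exercise is to check sample flows against the intended policy before equivalent rules are typed into the router/firewall.

```python
"""Zone firewall policy evaluator for the Type 9 shop (added example).

First matching rule allows; anything unmatched is dropped (default deny).
Addresses, zones and the processor endpoint are assumptions for the example.
"""
import ipaddress

# Assumed addressing: one subnet per zone; guest Wi-Fi on its own range.
ZONES = {
    "POS":     ipaddress.ip_network("10.10.1.0/24"),      # terminals, cash register
    "OFFICE":  ipaddress.ip_network("10.10.2.0/24"),      # general-use computers
    "DEVICES": ipaddress.ip_network("10.10.3.0/24"),      # cameras, IP phones
    "GUEST":   ipaddress.ip_network("192.168.50.0/24"),   # customer Wi-Fi
}
# Assumed payment processor endpoint (TEST-NET address, not a real one).
PROCESSOR_HOSTS = {ipaddress.ip_address("203.0.113.10")}

# (source zone, destination zone, allowed destination ports, allowed hosts or None)
RULES = [
    ("POS",     "INTERNET", {443},     PROCESSOR_HOSTS),  # processor over TLS only
    ("OFFICE",  "INTERNET", {80, 443}, None),             # web browsing, email
    ("DEVICES", "INTERNET", {443},     None),             # vendor cloud, if needed
    ("GUEST",   "INTERNET", {80, 443}, None),             # customers' browsing
    # Nothing lets GUEST, DEVICES, OFFICE or the Internet reach POS:
    # the default deny at the end of decide() covers all of those.
]


def zone_of(addr):
    """Zone name for an address, or 'INTERNET' for anything outside the shop."""
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "INTERNET"


def decide(src_ip, dst_ip, dst_port):
    """Return 'allow' or 'deny' for one flow. Traffic that stays inside a
    single zone never crosses the firewall and is reported as 'allow'."""
    src_addr, dst_addr = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    src, dst = zone_of(src_addr), zone_of(dst_addr)
    if src == dst and src != "INTERNET":
        return "allow"
    for rule_src, rule_dst, ports, hosts in RULES:
        if (src == rule_src and dst == rule_dst and dst_port in ports
                and (hosts is None or dst_addr in hosts)):
            return "allow"
    return "deny"


def audit(flows):
    """flows: iterable of (label, src_ip, dst_ip, dst_port). Returns {label: decision}."""
    return {label: decide(s, d, p) for label, s, d, p in flows}


# Constructed sample flows, including the ones the guide warns about.
SAMPLE_FLOWS = [
    ("terminal to processor",          "10.10.1.20",   "203.0.113.10", 443),
    ("terminal browsing the web",      "10.10.1.20",   "198.51.100.3", 443),
    ("guest wifi to payment terminal", "192.168.50.7", "10.10.1.20",   443),
    ("camera to payment terminal",     "10.10.3.5",    "10.10.1.20",   22),
    ("inbound VNC from Internet",      "203.0.113.99", "10.10.1.20",   5900),
    ("terminal to cash register",      "10.10.1.20",   "10.10.1.2",    9100),
    ("guest wifi to the Internet",     "192.168.50.7", "198.51.100.3", 443),
]

if __name__ == "__main__":
    for label, decision in audit(SAMPLE_FLOWS).items():
        print(f"{decision:5}  {label}")
```

The two rules that matter most are the ones that are absent: no rule admits traffic into the POS zone from anywhere, and the POS zone can only talk to the processor. That is what the guide means by "network segmentation" for the customer Wi-Fi, and it is why the terminal must not double as a web-browsing machine.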


For the best protection, make your data useless to criminals

WORK WITH YOUR PAYMENT SYSTEMS VENDOR OR SERVICE PROVIDER. You should encrypt all card data you store or send. Make sure your payment system is using encryption and/or tokenization technology. If you are not sure, ask them.

USE PCI DEVICES THAT ENCRYPT CARD DATA. The PCI Council approves payment terminals that protect PIN data and payment terminals and “secure card readers” that additionally encrypt card data. See the List of PCI Approved PTS Devices.

USE SECURE PCI ENCRYPTION SOLUTIONS. Ask whether your payment terminal encryption is done via a Point-to-Point Encryption solution and is on the PCI Council’s List of PCI P2PE Validated Solutions.

ARE YOU A MERCHANT NOW MOVING TO EMV CHIP TERMINALS? This is a great opportunity to make an investment in a terminal that supports EMV and also provides the added security of encryption and tokenization.

UPGRADE YOUR SOLUTION. Reduce your risk – consider getting a new payment terminal that uses both encryption and tokenization technology to remove the value of card data for hackers.

ASK. See Questions to ask your Vendors for help with questions to ask your vendor or service provider.

See "Use secure payment terminals and solutions" for the PCI device, application and service-provider lists.

PCI-approved secure card readers and payment terminals that encrypt card data do it using technology called “Secure Reading and Exchange of Data (SRED)” – ask your vendor if your payment terminal encrypts card data with SRED.

E-commerce websites must encrypt card data that is sent over the Internet, for example, using something called transport-layer security (TLS). Ask your service provider how they encrypt your card data.

Your data is vulnerable when it travels to your merchant bank, and when it’s kept or stored on your computers and devices. The best way to keep it safe is to make it useless even if it’s stolen by encrypting it whenever you store it or send it, and removing it altogether when it’s not needed. While this can be more complex to put in place, in the long run, it can make security much easier to manage.

What is tokenization? See page 13 for an explanation.


WHERE TO GET HELP

Resources

PCI Council Listings:

• List of Validated Payment Applications: https://www.pcisecuritystandards.org/assessors_and_solutions/vpa_agreement

• List of Approved PTS Devices: https://www.pcisecuritystandards.org/assessors_and_solutions/pin_transaction_devices

• List of Approved Scanning Vendors: https://www.pcisecuritystandards.org/assessors_and_solutions/approved_scanning_vendors

• List of Qualified Integrators / Resellers: https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_integrators_and_resellers

• List of P2PE Validated Solutions: https://www.pcisecuritystandards.org/assessors_and_solutions/point_to_point_encryption_solutions

Payment Brand Lists (lists of compliant service providers):

• MasterCard's List of Compliant Service Providers: https://www.mastercard.us/en-us/merchants/safety-security/security-recommendations/merchants-need-to-know.html

• Visa's Global Registry of Service Providers: http://www.visa.com/splisting/

• Visa Europe's Registered Merchant Agents: https://www.visaeurope.com/receiving-payments/security/downloads-and-resources

PCI DSS and Related Guidance:

• More about PCI DSS: https://www.pcisecuritystandards.org/pci_security/how

• PCI DSS Self-Assessment Questionnaires: https://www.pcisecuritystandards.org/pci_security/completing_self_assessment

• Guide: Skimming Prevention: Overview of Best Practices for Merchants: https://www.pcisecuritystandards.org/documents/Skimming_Prevention_At-a-Glance_Sept2014.pdf


Infographics and Videos:

• Infographic: It's Time to Change Your Password: https://www.pcisecuritystandards.org/pdfs/its_time_to_change_your_password_infographic.pdf

• Infographic: Fight Cybercrime by Making Stolen Data Worthless to Thieves: https://www.pcisecuritystandards.org/documents/PCI-CyberCrime-FinalR.pdf

• Video: Learn Password Security in 2 Minutes: https://www.youtube.com/watch?v=FsrOXgZKa7U

• Video: Passwords: https://www.youtube.com/watch?v=dNVQk65KL8g

• Infographic: Passwords: https://www.pcisecuritystandards.org/documents/Payment-Data-Security-Essential-Strong-Passwords.pdf

• Video: Patching: https://www.youtube.com/watch?v=0NGz1mGO3Jg

• Infographic: Patching: https://www.pcisecuritystandards.org/documents/Payment-Data-Security-Essential-Patching.pdf

• Video: Remote Access: https://www.youtube.com/watch?v=MxgSNFgvAVc

• Infographic: Remote Access: https://www.pcisecuritystandards.org/documents/Payment-Data-Security-Essential-Secure-Remote-Access.pdf

PCI Data Security Essentials for Small Merchants and Related Guidance:

• Common Payment Systems: https://www.pcisecuritystandards.org/pdfs/Small_Merchant_Common_Payment_Systems.pdf

• Small Merchant Questions for Vendors: https://www.pcisecuritystandards.org/pdfs/Small_Merchant_Questions_To_Ask_Your_Vendors.pdf

• Small Merchant Glossary: https://www.pcisecuritystandards.org/pdfs/Small_Merchant_Glossary_of_Payment_and_Information_Security_Terms.pdf

• Infographic: PCI Firewall Basics: https://www.pcisecuritystandards.org/pdfs/Small-Merchant-Firewall-Basics.pdf

• Evaluation Tool: Acquirer Overview: https://www.pcisecuritystandards.org/pdfs/PCI-DSE-Overview-for-Acquirers.pdf

• Evaluation Tool: Small Merchant Overview: https://www.pcisecuritystandards.org/pdfs/PCI-DSE-Overview-for-Small-Merchants.pdf


Sources and Helpful References

Dept for Culture Media and Sport – Cyber security breaches survey 2017

Ponemon Institute – 2016 State of Cybersecurity in Small & Medium-Sized Businesses (SMB) (Sponsored by Keeper Security), June 2016

National Cyber Security Centre – Cyber Security Small Business Guide, 2017

Beaming UK – Cyber security breaches cost British Businesses almost £30 billion in 2016, March 2017

Verizon 2017 – Verizon Data Breach Investigations Report


This Guide provides supplemental information that does not replace or supersede PCI SSC Security Standards or their supporting documents.

About the PCI Security Standards Council

The PCI Security Standards Council is a global forum for the industry to come together to develop, enhance, disseminate and assist with the understanding of security standards for payment account security. Read more about PCI SSC's Global Payment Security Engagement Initiative at www.pcisecuritystandards.org/pdfs/PCI_SSC_Partnering_for_Global_Payment_Security.pdf

The Council maintains, evolves, and promotes the Payment Card Industry Security Standards. It also provides critical tools needed for implementation of the standards such as assessment and scanning qualifications, self-assessment questionnaires, training and education, and product certification programs.

The Council's founding members, American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc., have agreed to incorporate the PCI Data Security Standard (PCI DSS) as part of the technical requirements for each of their data security compliance programs. Each founding member also recognizes the Qualified Security Assessors and Approved Scanning Vendors qualified by the PCI Security Standards Council. All five payment brands, along with Strategic Members, share equally in the Council's governance, have equal input into the PCI Security Standards Council and share responsibility for carrying out the work of the organization.

Other industry stakeholders are encouraged to join the Council as Strategic or Affiliate members and Participating Organizations to review proposed additions or modifications to the standards. Participating Organizations may include merchants, banks, processors, hardware and software developers, and point-of-sale vendors.

PCI SSC FOUNDERS: American Express, Discover Financial Services, JCB International, MasterCard, Visa Inc.

PARTICIPATING ORGANIZATIONS: Merchants, Banks, Processors, Hardware and Software Developers and Point-of-Sale Vendors
