CS 4401 (A10): Software Security Engineering
BS/MS Assignment: Evaluating PCI

DUE by the start of B-term, by email to Professor Fisler

PCI is a standard for secure handling of payment account data (such as credit-card accounts). The website for the standard both defines requirements and provides some self-assessment tools for organizations to validate their data security.

For this assignment, assume you work for a university's fundraising division. The university wants to create a website through which alumni, parents, faculty, students, and others can donate money to the university. The university wants to support recurring donations (e.g., quarterly, yearly, etc.); the site would store donors' credit-card or bank account numbers as part of this feature. It also wants to allow donors to view their donation history, and to compare their giving to that of other donors.

Your task is simply to assess PCI relative to this software development task. Do this from two perspectives:

  1. As a developer for the university website who has to explain to the rest of the team what using PCI would require, and
  2. as someone trained in security who has been asked to evaluate PCI as a security technique.

How you organize these assessments and what you focus on is up to you. This course has explored a number of issues in secure-system design (e.g., session management, authorization, crypto). I'm interested in seeing how you explore a security product in light of what we've covered this term. You are welcome to search for evaluations and discussions of PCI, but all wording and organization in your final writeup needs to be your own.

Turn in a single document (Word, PDF, etc). There's no firm length requirement for this (say what you think you should say), but I'd expect this will take a few pages in the general case. Include a list of sources you used in compiling your thoughts.


I'm going to be looking for evidence that you understand security issues at the level of someone who has taken a course on the subject. I'll be looking at how you organize your materials (as an indication of how you think about security in the big picture), whether you include sufficient technical depth to show that you understand what you're talking about, and whether you can explain security issues to other technical readers (some of whom may not be trained in security, but have good CS backgrounds).
