
PCI Compliance

Understand and Implement Effective PCI Data Security Standard Compliance

PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance, Second Edition, discusses not only how to apply PCI in a practical and cost-effective way but, more importantly, why. The book explains what the Payment Card Industry Data Security Standard (PCI DSS) is and why it is here to stay; how it applies to information technology (IT) and information security professionals and their organizations; how to deal with PCI assessors; and how to plan and manage a PCI DSS project. It also describes the technologies referenced by PCI DSS and how PCI DSS relates to laws, frameworks, and regulations. This book is for IT managers and company managers who need to understand how PCI DSS applies to their organizations; for small- and medium-sized businesses that do not have an IT department to delegate to; for large organizations whose PCI DSS project scope is immense; and for all organizations that need to grasp the concepts of PCI DSS and how to implement an effective security framework that is also compliant.

Audience

IT professionals responsible for implementing cardholder environments, including network and server staff, application developers, database managers, and security personnel.


Published: December 2009

Imprint: Syngress

ISBN: 978-1-59749-499-1

Reviews

  • "Finally we have a solid and comprehensive reference for PCI. This book explains in great detail not only how to apply PCI in a practical and cost-effective way, but more importantly why."--Joel Weise, Information Systems Security Association (ISSA) founder and chairman of the ISSA Journal Editorial Advisory Board

  • "Overall, PCI Compliance is a valuable book for one of the most sensible security standards ever put forth. Anyone who has PCI responsibilities or wants to gain a quick understanding of the PCI DSS requirements will find it quite valuable."--Security Management

  • "Intended for IT managers, this guide introduces the payment card industry data security standard (PCI DSS), describes the components of a secure network, and suggests steps for planning a project to meet compliance. The 12 PCI DSS requirements are addressed individually with action items for access control, cardholder data protection, wireless network security, vulnerability management, and event logging. The second edition covers PCI DSS version 1.2.1."--SciTech Book News

Contents

  • Foreword
  • Acknowledgments
  • About the Authors
  • Chapter 1 About PCI and This Book
      Who Should Read This Book?
      How to Use the Book in Your Daily Job
      What this Book is NOT
      Organization of the Book
      Summary
  • Chapter 2 Introduction to Fraud, ID Theft, and Regulatory Mandates
      Summary
  • Chapter 3 Why Is PCI Here?
      What Is PCI and Who Must Comply?
          Electronic Card Payment Ecosystem
          Goal of PCI DSS
          Applicability of PCI DSS
      PCI DSS in Depth
          Compliance Deadlines
          Compliance and Validation
          History of PCI DSS
          PCI Council
          QSAs
          ASVs
      Quick Overview of PCI Requirements
          Changes to PCI DSS
      PCI DSS and Risk
      Benefits of Compliance
      Case Study
          The Case of the Developing Security Program
          The Case of the Confusing Validation Requirements
      Summary
      References
  • Chapter 4 Building and Maintaining a Secure Network
      Which PCI DSS Requirements Are in This Domain?
          Establish Firewall Configuration Standards
          Denying Traffic from Untrusted Networks and Hosts
          Restricting Connections
          Personal Firewalls
          Other Considerations for Requirement 1
          The Oddball Requirement 11.4
          Requirement 2: Defaults and Other Security Parameters
          Develop Configuration Standards
          Implement Single Purpose Servers
          Configure System Security Parameters
          Encrypt Nonconsole Administrative Access
          Hosting Providers Must Protect Shared Hosted Environment
      What Else Can You Do to Be Secure?
      Tools and Best Practices
      Common Mistakes and Pitfalls
          Egress Filtering
          Documentation
          System Defaults
      Case Study
          The Case of the Small, Flat Store Network
          The Case of the Large, Flat Corporate Network
      Summary
  • Chapter 5 Strong Access Controls
      Which PCI DSS Requirements Are in This Domain?
          Principles of Access Control
          Requirement 7: How Much Access Should a User Have?
          Requirement 8: Authentication Basics
          Windows and PCI Compliance
          POSIX (UNIX/Linux-like Systems) Access Control
          Cisco and PCI Requirements
          Requirement 9: Physical Security
      What Else Can You Do To Be Secure?
      Tools and Best Practices
          Random Password for Users
      Common Mistakes and Pitfalls
      Case Study
          The Case of the Stolen Database
          The Case of the Loose Permissions
      Summary
  • Chapter 6 Protecting Cardholder Data
      What Is Data Protection and Why Is It Needed?
          The Confidentiality, Integrity, Availability Triad
      Requirements Addressed in This Chapter
      PCI Requirement 3: Protect Stored Cardholder Data
          Requirement 3 Walk-through
          Encryption Methods for Data at Rest
          PCI and Key Management
      What Else Can You Do to Be Secure?
      PCI Requirement 4 Walk-through
          Transport Layer Security and Secure Sockets Layer
          IPsec Virtual Private Networks
          Wireless Transmission
          Misc Card Transmission Rules
      Requirement 12 Walk-through
      Appendix A of PCI DSS
      How to Become Compliant and Secure
          Step 1: Identify Business Processes with Card Data
          Step 2: Focus on Shrinking the Scope
          Step 3: Identify Where the Data Is Stored
          Step 4: Determine What to Do About Data
          Step 5: Determine Who Needs Access
          Step 6: Develop and Document Policies
      Common Mistakes and Pitfalls
      Case Study
          The Case of the Data Killers
      Summary
      References
  • Chapter 7 Using Wireless Networking
      What Is Wireless Network Security?
      Where Is Wireless Network Security in PCI DSS?
          Requirements 1 and 12: Documentation
          Actual Security of Wireless Devices: Requirements 2, 4, and 9
          Logging and Wireless Networks: Requirement 10.5.4
          Testing for Unauthorized Wireless: Requirement 11.1
      Why Do We Need Wireless Network Security?
      Tools and Best Practices
      Common Mistakes and Pitfalls
          Why Is WEP So Bad?
      Case Study
          The Case of the Untethered Laptop
          The Case of the Expansion Plan
          The Case of the Double Secret Wireless Network
      Summary
  • Chapter 8 Vulnerability Management
      PCI DSS Requirements Covered
      Vulnerability Management in PCI
          Stages of Vulnerability Management Process
      Requirement 5 Walk-through
          What to Do to Be Secure and Compliant?
      Requirement 6 Walk-through
          Web-Application Security and Web Vulnerabilities
          What to Do to Be Secure and Compliant?
      Requirement 11 Walk-through
          External Vulnerability Scanning with ASV
          Considerations when Picking an ASV
          How ASV Scanning Works
          PCI DSS Scan Validation Walk-through
          Operationalizing ASV Scanning
          What Do You Expect from an ASV?
      Internal Vulnerability Scanning
          Penetration Testing
      Common PCI Vulnerability Management Mistakes
      Case Study
          PCI at a Retail Chain
          PCI at an E-Commerce Site
      Summary
      References
  • Chapter 9 Logging Events and Monitoring the Cardholder Data Environment
      PCI Requirements Covered
      Why Logging and Monitoring in PCI DSS?
      Logging and Monitoring in Depth
      PCI Relevance of Logs
      Logging in PCI Requirement 10
      Monitoring Data and Log Security Issues
      Logging and Monitoring in PCI - All Other Requirements
      Tools for Logging in PCI
      Log Management Tools
      Other Monitoring Tools
      Intrusion Detection and Prevention
      Integrity Monitoring
      Common Mistakes and Pitfalls
      Case Study
          The Case of the Risky Risk-Based Approach
          The Case of Tweaking to Comply
      Summary
      References
  • Chapter 10 Managing a PCI DSS Project to Achieve Compliance
      Justifying a Business Case for Compliance
          Figuring Out If You Need to Comply
          Compliance Overlap
          The Level of Validation
          What Is the Cost for Noncompliance?
      Bringing the Key Players to the Table
          Obtaining Corporate Sponsorship
          Forming Your Compliance Team
          Getting Results Fast
          Notes from the Front Line
      Budgeting Time and Resources
          Setting Expectations
          Establishing Goals and Milestones
          Having Status Meetings
      Educating Staff
          Training Your Compliance Team
          Training the Company on Compliance
          Setting Up the Corporate Compliance Training Program
      Project Quickstart Guide
          The Steps
      PCI SSC New Prioritized Approach
      Summary
      Reference
  • Chapter 11 Don’t Fear the Assessor
      Remember, Assessors Are There to Help
          Balancing Remediation Needs
          How FAIL == WIN
      Dealing With Assessors’ Mistakes
      Planning for Remediation
          Fun Ways to Use Common Vulnerability Scoring System
      Planning for Reassessing
      Summary
  • Chapter 12 The Art of Compensating Control
      What Is a Compensating Control?
      Where Are Compensating Controls in PCI DSS?
      What a Compensating Control Is Not
      Funny Controls You Didn’t Design
      How to Create a Good Compensating Control
      Summary
  • Chapter 13 You’re Compliant, Now What?
      Security Is a Process, Not an Event
      Plan for Periodic Review and Training
      PCI Requirements with Periodic Maintenance
          Build and Maintain a Secure Network
          Protect Cardholder Data
          Maintain a Vulnerability Management Program
          Implement Strong Access Control Measures
          Regularly Monitor and Test Networks
          Maintain an Information Security Policy
      PCI Self-Assessment
      Case Study
          The Case of the Compliant Company
      Summary
  • Chapter 14 PCI and Other Laws, Mandates, and Frameworks
      PCI and State Data Breach Notification Laws
          Origins of State Data Breach Notification Laws
          Commonalities Among State Data Breach Laws
          How Does It Compare to PCI?
          Final Thoughts on State Laws
      PCI and the ISO27000 Series
      PCI and Sarbanes-Oxley (SOX)
      Regulation Matrix
          How Do You Leverage Your Efforts for PCI DSS?
      Summary
      References
  • Chapter 15 Myths and Misconceptions of PCI DSS
      Myth #1 PCI Doesn’t Apply
      Myth #2 PCI Is Confusing
      Myth #3 PCI DSS Is Too Onerous
      Myth #4 Breaches Prove PCI DSS Irrelevant
      Myth #5 PCI Is All We Need for Security
      Myth #6 PCI DSS Is Really Easy
      Myth #7 My Tool Is PCI Compliant
      Myth #8 PCI Is Toothless
      Case Study
          The Case of the Cardless Merchant
      Summary
      References
  • Index