PCI Compliance - 2nd Edition - ISBN: 9781597494991, 9781597495394

PCI Compliance

2nd Edition

Understand and Implement Effective PCI Data Security Standard Compliance

Authors: Anton Chuvakin, Branden Williams
eBook ISBN: 9781597495394
Paperback ISBN: 9781597494991
Imprint: Syngress
Published Date: 1st December 2009
Page Count: 368


PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance, Second Edition, discusses not only how to apply PCI in a practical and cost-effective way but, more importantly, why. The book explains what the Payment Card Industry Data Security Standard (PCI DSS) is and why it is here to stay; how it applies to information technology (IT) and information security professionals and their organizations; how to deal with PCI assessors; and how to plan and manage a PCI DSS project. It also describes the technologies referenced by PCI DSS and how PCI DSS relates to laws, frameworks, and regulations.
This book is for IT managers and company managers who need to understand how PCI DSS applies to their organizations. It is for the small- and medium-size businesses that do not have an IT department to delegate to. It is for large organizations whose PCI DSS project scope is immense. It is also for all organizations that need to grasp the concepts of PCI DSS and how to implement an effective security framework that is also compliant.

Key Features

  • Completely updated to follow the PCI DSS standard 1.2.1
  • Packed with help to develop and implement an effective security strategy to keep infrastructure compliant and secure
  • Both authors have broad information security backgrounds, including extensive PCI DSS experience


IT professionals responsible for implementing cardholder environments. This includes network, server, and application developers, database managers, and numerous security personnel.

Table of Contents



About the Authors

Chapter 1 About PCI and This Book

Who Should Read This Book?

How to Use the Book in Your Daily Job

What this Book is NOT

Organization of the Book


Chapter 2 Introduction to Fraud, ID Theft, and Regulatory Mandates


Chapter 3 Why Is PCI Here?

What Is PCI and Who Must Comply?

Electronic Card Payment Ecosystem

Goal of PCI DSS

Applicability of PCI DSS

PCI DSS in Depth

Compliance Deadlines

Compliance and Validation

History of PCI DSS

PCI Council



Quick Overview of PCI Requirements

Changes to PCI DSS

PCI DSS and Risk

Benefits of Compliance

Case Study

The Case of the Developing Security Program

The Case of the Confusing Validation Requirements



Chapter 4 Building and Maintaining a Secure Network

Which PCI DSS Requirements Are in This Domain?

Establish Firewall Configuration Standards

Denying Traffic from Untrusted Networks and Hosts

Restricting Connections

Personal Firewalls

Other Considerations for Requirement 1

The Oddball Requirement 11.4

Requirement 2: Defaults and Other Security Parameters

Develop Configuration Standards

Implement Single Purpose Servers

Configure System Security Parameters

Encrypt Nonconsole Administrative Access

Hosting Providers Must Protect Shared Hosted Environment

What Else Can You Do to Be Secure?

Tools and Best Practices

Common Mistakes and Pitfalls

Egress Filtering


System Defaults

Case Study

The Case of the Small, Flat Store Network

The Case of the Large, Flat Corporate Network


Chapter 5 Strong Access Controls

Which PCI DSS Requirements Are in This Domain?

Principles of Access Control

Requirement 7: How Much Access Should a User Have?

Requirement 8: Authentication Basics

Windows and PCI Compliance

POSIX (UNIX/Linux-like Systems) Access Control

Cisco and PCI Requirements

Requirement 9: Physical Security

What Else Can You Do To Be Secure?

Tools and Best Practices

Random Password for Users

Common Mistakes and Pitfalls

Case Study

The Case of the Stolen Database

The Case of the Loose Permissions


Chapter 6 Protecting Cardholder Data

What Is Data Protection and Why Is It Needed?

The Confidentiality, Integrity, Availability Triad

Requirements Addressed in This Chapter

PCI Requirement 3: Protect Stored Cardholder Data

Requirement 3 Walk-through

Encryption Methods for Data at Rest

PCI and Key Management

What Else Can You Do to Be Secure?

PCI Requirement 4 Walk-through

Transport Layer Security and Secure Sockets Layer

IPsec Virtual Private Networks

Wireless Transmission

Misc Card Transmission Rules

Requirement 12 Walk-through

Appendix A of PCI DSS

How to Become Compliant and Secure

Step 1: Identify Business Processes with Card Data

Step 2: Focus on Shrinking the Scope

Step 3: Identify Where the Data Is Stored

Step 4: Determine What to Do About Data

Step 5: Determine Who Needs Access

Step 6: Develop and Document Policies

Common Mistakes and Pitfalls

Case Study

The Case of the Data Killers



Chapter 7 Using Wireless Networking

What Is Wireless Network Security?

Where Is Wireless Network Security in PCI DSS?

Requirements 1 and 12: Documentation

Actual Security of Wireless Devices: Requirements 2, 4, and 9

Logging and Wireless Networks: Requirement 10.5.4

Testing for Unauthorized Wireless: Requirement 11.1

Why Do We Need Wireless Network Security?

Tools and Best Practices

Common Mistakes and Pitfalls

Why Is WEP So Bad?

Case Study

The Case of the Untethered Laptop

The Case of the Expansion Plan

The Case of the Double Secret Wireless Network


Chapter 8 Vulnerability Management

PCI DSS Requirements Covered

Vulnerability Management in PCI

Stages of Vulnerability Management Process

Requirement 5 Walk-through

What to Do to Be Secure and Compliant?

Requirement 6 Walk-through

Web-Application Security and Web Vulnerabilities

What to Do to Be Secure and Compliant?

Requirement 11 Walk-through

External Vulnerability Scanning with ASV

Considerations when Picking an ASV

How ASV Scanning Works

PCI DSS Scan Validation Walk-through

Operationalizing ASV Scanning

What Do You Expect from an ASV?

Internal Vulnerability Scanning

Penetration Testing

Common PCI Vulnerability Management Mistakes

Case Study

PCI at a Retail Chain

PCI at an E-Commerce Site



Chapter 9 Logging Events and Monitoring the Cardholder Data Environment

PCI Requirements Covered

Why Logging and Monitoring in PCI DSS?

Logging and Monitoring in Depth

PCI Relevance of Logs

Logging in PCI Requirement 10

Monitoring Data and Log Security Issues

Logging and Monitoring in PCI – All Other Requirements

Tools for Logging in PCI

Log Management Tools

Other Monitoring Tools

Intrusion Detection and Prevention

Integrity Monitoring

Common Mistakes and Pitfalls

Case Study

The Case of the Risky Risk-Based Approach

The Case of Tweaking to Comply



Chapter 10 Managing a PCI DSS Project to Achieve Compliance

Justifying a Business Case for Compliance

Figuring Out If You Need to Comply

Compliance Overlap

The Level of Validation

What Is the Cost for Noncompliance?

Bringing the Key Players to the Table

Obtaining Corporate Sponsorship

Forming Your Compliance Team

Getting Results Fast

Notes from the Front Line

Budgeting Time and Resources

Setting Expectations

Establishing Goals and Milestones

Having Status Meetings

Educating Staff

Training Your Compliance Team

Training the Company on Compliance

Setting Up the Corporate Compliance Training Program

Project Quickstart Guide

The Steps

PCI SSC New Prioritized Approach



Chapter 11 Don’t Fear the Assessor

Remember, Assessors Are There to Help

Balancing Remediation Needs


Dealing With Assessors’ Mistakes

Planning for Remediation

Fun Ways to Use Common Vulnerability Scoring System

Planning for Reassessing


Chapter 12 The Art of Compensating Control

What Is a Compensating Control?

Where Are Compensating Controls in PCI DSS?

What a Compensating Control Is Not

Funny Controls You Didn’t Design

How to Create a Good Compensating Control


Chapter 13 You’re Compliant, Now What?

Security Is a Process, Not an Event

Plan for Periodic Review and Training

PCI Requirements with Periodic Maintenance

Build and Maintain a Secure Network

Protect Cardholder Data

Maintain a Vulnerability Management Program

Implement Strong Access Control Measures

Regularly Monitor and Test Networks

Maintain an Information Security Policy

PCI Self-Assessment

Case Study

The Case of the Compliant Company


Chapter 14 PCI and Other Laws, Mandates, and Frameworks

PCI and State Data Breach Notification Laws

Origins of State Data Breach Notification Laws

Commonalities Among State Data Breach Laws

How Does It Compare to PCI?

Final Thoughts on State Laws

PCI and the ISO27000 Series

PCI and Sarbanes–Oxley (SOX)

Regulation Matrix

How Do You Leverage Your Efforts for PCI DSS?



Chapter 15 Myths and Misconceptions of PCI DSS

Myth #1 PCI Doesn’t Apply

Myth #2 PCI Is Confusing

Myth #3 PCI DSS Is Too Onerous

Myth #4 Breaches Prove PCI DSS Irrelevant

Myth #5 PCI Is All We Need for Security

Myth #6 PCI DSS Is Really Easy

Myth #7 My Tool Is PCI Compliant

Myth #8 PCI Is Toothless

Case Study

The Case of the Cardless Merchant





© Syngress 2010

About the Author

Anton Chuvakin

Dr. Anton Chuvakin is a recognized security expert in the field of log management and PCI DSS compliance. He is an author of the books "Security Warrior" and "PCI Compliance" and has contributed to many others, while also publishing dozens of papers on log management, correlation, data analysis, PCI DSS, and security management. His blog (http://www.securitywarrior.org) is one of the most popular in the industry.

Additionally, Anton teaches classes and presents at many security conferences across the world, works on emerging security standards, and serves on the advisory boards of several security start-ups. Currently, Anton is developing his security consulting practice, focusing on logging and PCI DSS compliance for security vendors and Fortune 500 organizations.

Anton earned his Ph.D. from Stony Brook University.

Affiliations and Expertise

Anton Chuvakin is a recognized security expert in the field of log management and PCI DSS compliance.

Branden Williams

Branden R. Williams (CISSP, CISM, CPISA, CPISM) leads an information security practice in a Global Security Consulting group at a major security firm in Flower Mound, TX and teaches in the NSA Certified Information Assurance program at the University of Dallas's Graduate School of Management. Branden has been involved in information technology since 1994, and focused on information security since 1996. He started consulting on payment security in 2004, assessing companies against the Visa CISP and Mastercard SDP programs. He has a Bachelors of Business Administration in Marketing from the University of Texas, Arlington, and a Masters of Business Administration in Supply Chain Management and Market Logistics from the University of Dallas.

Branden publishes a monthly column in the ISSA Journal entitled "Herding Cats," and authors a blog at http://www.brandenwilliams.com/.

Affiliations and Expertise

CISSP, CISM, CPISA, CPISM, and CTO of a Global Security Consulting group at a major security firm in Flower Mound, TX


"Finally we have a solid and comprehensive reference for PCI. This book explains in great detail not only how to apply PCI in a practical and cost-effective way, but more importantly why."--Joel Weise, Information Systems Security Association (ISSA) founder and chairman of the ISSA Journal Editorial Advisory Board

"Overall, PCI Compliance is a valuable book for one of the most sensible security standards ever put forth. Anyone who has PCI responsibilities or wants to gain a quick understanding of the PCI DSS requirements will find it quite valuable."--Security Management

"Intended for IT managers, this guide introduces the payment card industry data security standard (PCI DSS), describes the components of a secure network, and suggests steps for planning a project to meet compliance. The 12 PCI DSS requirements are addressed individually with action items for access control, cardholder data protection, wireless network security, vulnerability management, and event logging. The second edition covers PCI DSS version 1.2.1."--SciTech Book News
