PCI Compliance

Understand and Implement Effective PCI Data Security Standard Compliance

2nd Edition - November 13, 2009

  • Authors: Anton Chuvakin, Branden Williams
  • eBook ISBN: 9781597495394

Format: DRM-free eBook (EPub, PDF, Mobi)


PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance, Second Edition, discusses not only how to apply PCI DSS in a practical and cost-effective way but, more importantly, why. The book explains what the Payment Card Industry Data Security Standard (PCI DSS) is and why it is here to stay; how it applies to information technology (IT) and information security professionals and their organizations; how to deal with PCI assessors; and how to plan and manage a PCI DSS project. It also describes the technologies referenced by PCI DSS and how PCI DSS relates to laws, frameworks, and regulations.

This book is for IT managers and company managers who need to understand how PCI DSS applies to their organizations. It is for the small- and medium-size businesses that do not have an IT department to delegate to. It is for large organizations whose PCI DSS project scope is immense. It is also for all organizations that need to grasp the concepts of PCI DSS and how to implement an effective security framework that is also compliant.

Key Features

  • Completely updated to follow PCI DSS version 1.2.1
  • Packed with help to develop and implement an effective security strategy to keep infrastructure compliant and secure
  • Both authors have broad information security backgrounds, including extensive PCI DSS experience


Readership: IT professionals responsible for implementing cardholder data environments, including network, server, and application developers, database managers, and security personnel.

Table of Contents

  • Foreword


    About the Authors

    Chapter 1 About PCI and This Book

        Who Should Read This Book?

        How to Use the Book in Your Daily Job

        What This Book Is NOT

        Organization of the Book


    Chapter 2 Introduction to Fraud, ID Theft, and Regulatory Mandates


    Chapter 3 Why Is PCI Here?

        What Is PCI and Who Must Comply?

             Electronic Card Payment Ecosystem

             Goal of PCI DSS

             Applicability of PCI DSS

        PCI DSS in Depth

             Compliance Deadlines

             Compliance and Validation

             History of PCI DSS

             PCI Council



        Quick Overview of PCI Requirements

             Changes to PCI DSS

        PCI DSS and Risk

        Benefits of Compliance

        Case Study

             The Case of the Developing Security Program

             The Case of the Confusing Validation Requirements



    Chapter 4 Building and Maintaining a Secure Network

        Which PCI DSS Requirements Are in This Domain?

             Establish Firewall Configuration Standards

             Denying Traffic from Untrusted Networks and Hosts

             Restricting Connections

             Personal Firewalls

             Other Considerations for Requirement 1

             The Oddball Requirement 11.4

             Requirement 2: Defaults and Other Security Parameters

             Develop Configuration Standards

             Implement Single Purpose Servers

             Configure System Security Parameters

             Encrypt Nonconsole Administrative Access

             Hosting Providers Must Protect Shared Hosted Environment

        What Else Can You Do to Be Secure?

        Tools and Best Practices

        Common Mistakes and Pitfalls

             Egress Filtering


             System Defaults

        Case Study

             The Case of the Small, Flat Store Network

             The Case of the Large, Flat Corporate Network


    Chapter 5 Strong Access Controls

        Which PCI DSS Requirements Are in This Domain?

             Principles of Access Control

             Requirement 7: How Much Access Should a User Have?

             Requirement 8: Authentication Basics

             Windows and PCI Compliance

             POSIX (UNIX/Linux-like Systems) Access Control

             Cisco and PCI Requirements

             Requirement 9: Physical Security

        What Else Can You Do To Be Secure?

        Tools and Best Practices

             Random Password for Users

        Common Mistakes and Pitfalls

        Case Study

             The Case of the Stolen Database

             The Case of the Loose Permissions


    Chapter 6 Protecting Cardholder Data

        What Is Data Protection and Why Is It Needed?

             The Confidentiality, Integrity, Availability Triad

        Requirements Addressed in This Chapter

        PCI Requirement 3: Protect Stored Cardholder Data

             Requirement 3 Walk-through

             Encryption Methods for Data at Rest

             PCI and Key Management

        What Else Can You Do to Be Secure?

        PCI Requirement 4 Walk-through

             Transport Layer Security and Secure Sockets Layer

             IPsec Virtual Private Networks

             Wireless Transmission

             Misc Card Transmission Rules

        Requirement 12 Walk-through

        Appendix A of PCI DSS

        How to Become Compliant and Secure

             Step 1: Identify Business Processes with Card Data

             Step 2: Focus on Shrinking the Scope

             Step 3: Identify Where the Data Is Stored

             Step 4: Determine What to Do About Data

             Step 5: Determine Who Needs Access

             Step 6: Develop and Document Policies

        Common Mistakes and Pitfalls

        Case Study

             The Case of the Data Killers



    Chapter 7 Using Wireless Networking

        What Is Wireless Network Security?

        Where Is Wireless Network Security in PCI DSS?

             Requirements 1 and 12: Documentation

             Actual Security of Wireless Devices: Requirements 2, 4, and 9

             Logging and Wireless Networks: Requirement 10.5.4

             Testing for Unauthorized Wireless: Requirement 11.1

        Why Do We Need Wireless Network Security?

        Tools and Best Practices

        Common Mistakes and Pitfalls

             Why Is WEP So Bad?

        Case Study

             The Case of the Untethered Laptop

             The Case of the Expansion Plan

             The Case of the Double Secret Wireless Network


    Chapter 8 Vulnerability Management

        PCI DSS Requirements Covered

        Vulnerability Management in PCI

             Stages of Vulnerability Management Process

        Requirement 5 Walk-through

             What to Do to Be Secure and Compliant?

        Requirement 6 Walk-through

             Web-Application Security and Web Vulnerabilities

             What to Do to Be Secure and Compliant?

        Requirement 11 Walk-through

             External Vulnerability Scanning with ASV

             Considerations when Picking an ASV

             How ASV Scanning Works

             PCI DSS Scan Validation Walk-through

             Operationalizing ASV Scanning

             What Do You Expect from an ASV?

        Internal Vulnerability Scanning

             Penetration Testing

        Common PCI Vulnerability Management Mistakes

        Case Study

             PCI at a Retail Chain

             PCI at an E-Commerce Site



    Chapter 9 Logging Events and Monitoring the Cardholder Data Environment

        PCI Requirements Covered

        Why Logging and Monitoring in PCI DSS?

        Logging and Monitoring in Depth

        PCI Relevance of Logs

        Logging in PCI Requirement 10

        Monitoring Data and Log Security Issues

        Logging and Monitoring in PCI – All Other Requirements

        Tools for Logging in PCI

        Log Management Tools

        Other Monitoring Tools

        Intrusion Detection and Prevention

        Integrity Monitoring

        Common Mistakes and Pitfalls

        Case Study

             The Case of the Risky Risk-Based Approach

             The Case of Tweaking to Comply



    Chapter 10 Managing a PCI DSS Project to Achieve Compliance

        Justifying a Business Case for Compliance

             Figuring Out If You Need to Comply

             Compliance Overlap

             The Level of Validation

             What Is the Cost for Noncompliance?

        Bringing the Key Players to the Table

             Obtaining Corporate Sponsorship

             Forming Your Compliance Team

             Getting Results Fast

             Notes from the Front Line

        Budgeting Time and Resources

             Setting Expectations

             Establishing Goals and Milestones

             Having Status Meetings

        Educating Staff

             Training Your Compliance Team

             Training the Company on Compliance

             Setting Up the Corporate Compliance Training Program

        Project Quickstart Guide

             The Steps

        PCI SSC New Prioritized Approach



    Chapter 11 Don’t Fear the Assessor

        Remember, Assessors Are There to Help

             Balancing Remediation Needs

             How FAIL == WIN

        Dealing With Assessors’ Mistakes

        Planning for Remediation

             Fun Ways to Use Common Vulnerability Scoring System

        Planning for Reassessing


    Chapter 12 The Art of Compensating Control

        What Is a Compensating Control?

        Where Are Compensating Controls in PCI DSS?

        What a Compensating Control Is Not

        Funny Controls You Didn’t Design

        How to Create a Good Compensating Control


    Chapter 13 You’re Compliant, Now What?

        Security Is a Process, Not an Event

        Plan for Periodic Review and Training

        PCI Requirements with Periodic Maintenance

             Build and Maintain a Secure Network

             Protect Cardholder Data

             Maintain a Vulnerability Management Program

             Implement Strong Access Control Measures

             Regularly Monitor and Test Networks

             Maintain an Information Security Policy

        PCI Self-Assessment

        Case Study

             The Case of the Compliant Company


    Chapter 14 PCI and Other Laws, Mandates, and Frameworks

        PCI and State Data Breach Notification Laws

             Origins of State Data Breach Notification Laws

             Commonalities Among State Data Breach Laws

             How Does It Compare to PCI?

             Final Thoughts on State Laws

        PCI and the ISO27000 Series

        PCI and Sarbanes–Oxley (SOX)

        Regulation Matrix

             How Do You Leverage Your Efforts for PCI DSS?



    Chapter 15 Myths and Misconceptions of PCI DSS

        Myth #1 PCI Doesn’t Apply

        Myth #2 PCI Is Confusing

        Myth #3 PCI DSS Is Too Onerous

        Myth #4 Breaches Prove PCI DSS Irrelevant

        Myth #5 PCI Is All We Need for Security

        Myth #6 PCI DSS Is Really Easy

        Myth #7 My Tool Is PCI Compliant

        Myth #8 PCI Is Toothless

        Case Study

             The Case of the Cardless Merchant




Product details

  • No. of pages: 368
  • Language: English
  • Copyright: © Syngress 2009
  • Published: November 13, 2009
  • Imprint: Syngress
  • eBook ISBN: 9781597495394

About the Authors

Anton Chuvakin

Dr. Anton Chuvakin is a recognized security expert in the field of log management and PCI DSS compliance. He is an author of the books "Security Warrior" and "PCI Compliance" and has contributed to many others, while also publishing dozens of papers on log management, correlation, data analysis, PCI DSS, and security management. His blog (http://www.securitywarrior.org) is one of the most popular in the industry.

Additionally, Anton teaches classes and presents at many security conferences across the world, works on emerging security standards, and serves on the advisory boards of several security start-ups. Currently, Anton is developing his security consulting practice, focusing on logging and PCI DSS compliance for security vendors and Fortune 500 organizations. Anton earned his Ph.D. from Stony Brook University.

Affiliations and Expertise

Recognized security expert in the field of log management and PCI DSS compliance.

Branden Williams

Branden R. Williams (CISSP, CISM, CPISA, CPISM) leads an information security practice in a Global Security Consulting group at a major security firm in Flower Mound, TX, and teaches in the NSA Certified Information Assurance program at the University of Dallas's Graduate School of Management. Branden has been involved in information technology since 1994 and focused on information security since 1996. He started consulting on payment security in 2004, assessing companies against the Visa CISP and MasterCard SDP programs. He holds a Bachelor of Business Administration in Marketing from the University of Texas at Arlington and a Master of Business Administration in Supply Chain Management and Market Logistics from the University of Dallas.

Branden publishes a monthly column in the ISSA Journal entitled "Herding Cats," and authors a blog at http://www.brandenwilliams.com/.

Affiliations and Expertise

CISSP, CISM, CPISA, CPISM, and CTO of a Global Security Consulting group at a major security firm in Flower Mound, TX
