PCI Compliance
Understand and Implement Effective PCI Data Security Standard Compliance
- 2nd Edition - November 13, 2009
- Authors: Anton Chuvakin, Branden R. Williams
- Language: English
- eBook ISBN: 978-1-59749-539-4
PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance, Second Edition, discusses not only how to apply PCI in a practical and cost-e…
This book is for IT managers and company managers who need to understand how PCI DSS applies to their organizations. It is for the small- and medium-size businesses that do not have an IT department to delegate to. It is for large organizations whose PCI DSS project scope is immense. It is also for all organizations that need to grasp the concepts of PCI DSS and how to implement an effective security framework that is also compliant.
- Completely updated to follow the PCI DSS standard 1.2.1
- Packed with help to develop and implement an effective security strategy to keep infrastructure compliant and secure
- Both authors have broad information security backgrounds, including extensive PCI DSS experience
Foreword
Acknowledgments
About the Authors
Chapter 1 About PCI and This Book
Who Should Read This Book?
How to Use the Book in Your Daily Job
What this Book is NOT
Organization of the Book
Summary
Chapter 2 Introduction to Fraud, ID Theft, and Regulatory Mandates
Summary
Chapter 3 Why Is PCI Here?
What Is PCI and Who Must Comply?
Electronic Card Payment Ecosystem
Goal of PCI DSS
Applicability of PCI DSS
PCI DSS in Depth
Compliance Deadlines
Compliance and Validation
History of PCI DSS
PCI Council
QSAs
ASVs
Quick Overview of PCI Requirements
Changes to PCI DSS
PCI DSS and Risk
Benefits of Compliance
Case Study
The Case of the Developing Security Program
The Case of the Confusing Validation Requirements
Summary
References
Chapter 4 Building and Maintaining a Secure Network
Which PCI DSS Requirements Are in This Domain?
Establish Firewall Configuration Standards
Denying Traffic from Untrusted Networks and Hosts
Restricting Connections
Personal Firewalls
Other Considerations for Requirement 1
The Oddball Requirement 11.4
Requirement 2: Defaults and Other Security Parameters
Develop Configuration Standards
Implement Single Purpose Servers
Configure System Security Parameters
Encrypt Nonconsole Administrative Access
Hosting Providers Must Protect Shared Hosted Environment
What Else Can You Do to Be Secure?
Tools and Best Practices
Common Mistakes and Pitfalls
Egress Filtering
Documentation
System Defaults
Case Study
The Case of the Small, Flat Store Network
The Case of the Large, Flat Corporate Network
Summary
Chapter 5 Strong Access Controls
Which PCI DSS Requirements Are in This Domain?
Principles of Access Control
Requirement 7: How Much Access Should a User Have?
Requirement 8: Authentication Basics
Windows and PCI Compliance
POSIX (UNIX/Linux-like Systems) Access Control
Cisco and PCI Requirements
Requirement 9: Physical Security
What Else Can You Do To Be Secure?
Tools and Best Practices
Random Password for Users
Common Mistakes and Pitfalls
Case Study
The Case of the Stolen Database
The Case of the Loose Permissions
Summary
Chapter 6 Protecting Cardholder Data
What Is Data Protection and Why Is It Needed?
The Confidentiality, Integrity, Availability Triad
Requirements Addressed in This Chapter
PCI Requirement 3: Protect Stored Cardholder Data
Requirement 3 Walk-through
Encryption Methods for Data at Rest
PCI and Key Management
What Else Can You Do to Be Secure?
PCI Requirement 4 Walk-through
Transport Layer Security and Secure Sockets Layer
IPsec Virtual Private Networks
Wireless Transmission
Misc Card Transmission Rules
Requirement 12 Walk-through
Appendix A of PCI DSS
How to Become Compliant and Secure
Step 1: Identify Business Processes with Card Data
Step 2: Focus on Shrinking the Scope
Step 3: Identify Where the Data Is Stored
Step 4: Determine What to Do About Data
Step 5: Determine Who Needs Access
Step 6: Develop and Document Policies
Common Mistakes and Pitfalls
Case Study
The Case of the Data Killers
Summary
References
Chapter 7 Using Wireless Networking
What Is Wireless Network Security?
Where Is Wireless Network Security in PCI DSS?
Requirements 1 and 12: Documentation
Actual Security of Wireless Devices: Requirements 2, 4, and 9
Logging and Wireless Networks: Requirement 10.5.4
Testing for Unauthorized Wireless: Requirement 11.1
Why Do We Need Wireless Network Security?
Tools and Best Practices
Common Mistakes and Pitfalls
Why Is WEP So Bad?
Case Study
The Case of the Untethered Laptop
The Case of the Expansion Plan
The Case of the Double Secret Wireless Network
Summary
Chapter 8 Vulnerability Management
PCI DSS Requirements Covered
Vulnerability Management in PCI
Stages of Vulnerability Management Process
Requirement 5 Walk-through
What to Do to Be Secure and Compliant?
Requirement 6 Walk-through
Web-Application Security and Web Vulnerabilities
What to Do to Be Secure and Compliant?
Requirement 11 Walk-through
External Vulnerability Scanning with ASV
Considerations when Picking an ASV
How ASV Scanning Works
PCI DSS Scan Validation Walk-through
Operationalizing ASV Scanning
What Do You Expect from an ASV?
Internal Vulnerability Scanning
Penetration Testing
Common PCI Vulnerability Management Mistakes
Case Study
PCI at a Retail Chain
PCI at an E-Commerce Site
Summary
References
Chapter 9 Logging Events and Monitoring the Cardholder Data Environment
PCI Requirements Covered
Why Logging and Monitoring in PCI DSS?
Logging and Monitoring in Depth
PCI Relevance of Logs
Logging in PCI Requirement 10
Monitoring Data and Log Security Issues
Logging and Monitoring in PCI – All Other Requirements
Tools for Logging in PCI
Log Management Tools
Other Monitoring Tools
Intrusion Detection and Prevention
Integrity Monitoring
Common Mistakes and Pitfalls
Case Study
The Case of the Risky Risk-Based Approach
The Case of Tweaking to Comply
Summary
References
Chapter 10 Managing a PCI DSS Project to Achieve Compliance
Justifying a Business Case for Compliance
Figuring Out If You Need to Comply
Compliance Overlap
The Level of Validation
What Is the Cost for Noncompliance?
Bringing the Key Players to the Table
Obtaining Corporate Sponsorship
Forming Your Compliance Team
Getting Results Fast
Notes from the Front Line
Budgeting Time and Resources
Setting Expectations
Establishing Goals and Milestones
Having Status Meetings
Educating Staff
Training Your Compliance Team
Training the Company on Compliance
Setting Up the Corporate Compliance Training Program
Project Quickstart Guide
The Steps
PCI SSC New Prioritized Approach
Summary
Reference
Chapter 11 Don’t Fear the Assessor
Remember, Assessors Are There to Help
Balancing Remediation Needs
How FAIL == WIN
Dealing With Assessors’ Mistakes
Planning for Remediation
Fun Ways to Use Common Vulnerability Scoring System
Planning for Reassessing
Summary
Chapter 12 The Art of Compensating Control
What Is a Compensating Control?
Where Are Compensating Controls in PCI DSS?
What a Compensating Control Is Not
Funny Controls You Didn’t Design
How to Create a Good Compensating Control
Summary
Chapter 13 You’re Compliant, Now What?
Security Is a Process, Not an Event
Plan for Periodic Review and Training
PCI Requirements with Periodic Maintenance
Build and Maintain a Secure Network
Protect Cardholder Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy
PCI Self-Assessment
Case Study
The Case of the Compliant Company
Summary
Chapter 14 PCI and Other Laws, Mandates, and Frameworks
PCI and State Data Breach Notification Laws
Origins of State Data Breach Notification Laws
Commonalities Among State Data Breach Laws
How Does It Compare to PCI?
Final Thoughts on State Laws
PCI and the ISO27000 Series
PCI and Sarbanes–Oxley (SOX)
Regulation Matrix
How Do You Leverage Your Efforts for PCI DSS?
Summary
References
Chapter 15 Myths and Misconceptions of PCI DSS
Myth #1 PCI Doesn’t Apply
Myth #2 PCI Is Confusing
Myth #3 PCI DSS Is Too Onerous
Myth #4 Breaches Prove PCI DSS Irrelevant
Myth #5 PCI Is All We Need for Security
Myth #6 PCI DSS Is Really Easy
Myth #7 My Tool Is PCI Compliant
Myth #8 PCI Is Toothless
Case Study
The Case of the Cardless Merchant
Summary
References
Index
- No. of pages: 368
- Language: English
- Edition: 2
- Published: November 13, 2009
- Imprint: Syngress
- eBook ISBN: 9781597495394
Anton Chuvakin
management and PCI DSS compliance. He is an author of the books "Security Warrior" and "PCI Compliance" and has contributed to many others, while also publishing dozens of papers on log management, correlation, data analysis, PCI DSS, and security management. His blog (http://www.securitywarrior.org) is one of the most popular in the industry. Additionally, Anton teaches classes and presents at many security conferences across the world, works on emerging security standards, and serves on the advisory boards of several security start-ups. Currently, Anton is developing his security consulting practice, focusing on logging and PCI DSS compliance for security vendors and Fortune 500 organizations. Anton earned his Ph.D. from Stony Brook University.
Branden R. Williams
Branden publishes a monthly column in the ISSA Journal entitled "Herding Cats," and authors a blog at http://www.brandenwilliams.com/.