PCI Compliance
eBook - ePub

PCI Compliance

Understand and Implement Effective PCI Data Security Standard Compliance

  1. 386 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android

About this book

Identity theft and other confidential information theft have now topped the charts as the leading cybercrime. In particular, credit card data is preferred by cybercriminals. Is your payment processing secure and compliant? The new Fourth Edition of PCI Compliance has been revised to follow the new PCI DSS standard version 3.0, which is the official version beginning in January 2014. Also new to the Fourth Edition: additional case studies and clear guidelines and instructions for maintaining PCI compliance globally, including coverage of technologies such as NFC, P2PE, CNP/Mobile, and EMV. This is the first book to address the recent updates to PCI DSS. The real-world scenarios and hands-on guidance are also new approaches to this topic. All-new case studies and fraud studies have been added to the Fourth Edition.

Each chapter has how-to guidance to walk you through implementing concepts, and real-world scenarios to help you relate to the information and better grasp how it impacts your data. This book provides the information that you need in order to understand the current PCI Data Security standards and how to effectively implement security on network infrastructure in order to be compliant with the credit card industry guidelines, and help you protect sensitive and personally-identifiable information.

• Completely updated to follow the most current PCI DSS standard, version 3.0
• Packed with help to develop and implement an effective strategy to keep infrastructure compliant and secure
• Includes coverage of new and emerging technologies such as NFC, P2PE, CNP/Mobile, and EMV
• Both authors have broad information security backgrounds, including extensive PCI DSS experience

PCI Compliance by Branden R. Williams and Anton Chuvakin is available in PDF and/or ePUB format, alongside other popular books in Computer Science & Business Intelligence.

Chapter 1

About PCI DSS and this book

Abstract

“About PCI DSS and this book” explains why PCI DSS is special and what the book is about.

Keyword

PCI DSS

Information in this chapter

• Who should read this book?
• How to use the book in your daily job
• What this book is not
• Organization of the book
• Summary

The Payment Card Industry Data Security Standard (PCI DSS) celebrated its ninth year (December 15, 2004) and the PCI Security Standards Council its eighth birthday (September 7, 2006) as of this writing. Most of you reading these words have probably heard about PCI DSS, worked on a project tied to PCI DSS compliance, or said a few words out loud about PCI DSS that would have earned at least one of the authors a big smack across the face from his mother. For those of you just starting with PCI DSS, we authors hope this book can be your guide to a successful end result—a sustainable compliance program that exceeds the baseline security standards set forth in PCI DSS 3.0.
If you are like most professionals, the idea of becoming compliant with PCI DSS, or countless other regulations, does not sound fun. Information technologists and information security professionals aren’t the only ones who share this feeling. Not only have C-Level individuals and other non-information technology (IT) (business) personnel had to deal with compliance and regulation around payments at some point in the last 8 years of their career, but we have even given rise to a new C-Suite position—the Chief Compliance Officer (CCO). While the CCO is not a new position, with articles dating back to the mid-1970s referencing the moniker, the challenging landscape that companies must navigate has necessitated more focus on this function in the wake of Sarbanes–Oxley (SOX), PCI DSS, the Health Insurance Portability and Accountability Act (HIPAA), and others.
Compliance efforts are rarely described as fun by those working on them. Painful is probably a better description. Whether it is the pain of not knowing what to do, the pain of failing the assessment, or the pain of “doing compliance” without an adequate budget, there are plenty of challenges that compliance—PCI DSS compliance in particular—has in common with pain.
Thus, we face the seemingly impossible challenge to write a fun and insightful book about PCI DSS. We realize the near impossible task ahead, and we are committed to the challenge. We’d like to invite you, our reader, to travel with us in the hopes that when you turn the last page, you would come to realize that PCI DSS compliance can indeed be (YES) fun!
There are many standards and regulations out there. If your company’s stock is publicly traded in the United States, you must adhere to the SOX mandates. Financial companies fall under the Gramm–Leach–Bliley Act. Those in the energy sector work toward North American Electric Reliability Corporation, Federal Energy Regulatory Commission, or Critical Infrastructure Protection standards. If you are in the health care industry, your network must comply with the HIPAA standards as updated recently in legislation focused on electronic health records. Other countries have their own “alphabet soup” of standards such as British Science Institute (BSI), Russian GOST (Russian for “gosudarstvennyy standart” or “state standard”), the worldwide International Organization for Standardization/International Electrotechnical Commission, and so on. PCI DSS occupies a special place among the standards for two reasons: broad, worldwide applicability, and the presence of an enforcement mechanism that is seen as imminent and unavoidable, unlike some of the other regulations mentioned.
The overarching theme of all these standards, laws, and regulations is that organizations need to secure data and protect their networks to keep citizens’ data safe. In some cases, weak information security may only affect one company. However, when the data on the corporate network contains personal information about patients, customers, or employees, a breach of security can have implications far beyond the victimized company. A breach dealing with hundreds of millions of customers, such as at a payment card processor, will have implications touching nearly every family; thus, decreasing such occurrences is in the public interest. Recent breaches have brought this concept back to the forefront as malware authors have advanced their capabilities and tenacity, even subverting some of the very basic controls designed into many of these compliance initiatives.
Visa, MasterCard, American Express, Discover, and JCB developed PCI DSS together to ensure that credit card customer information and the associated payment systems are adequately protected from fraud. Breaches of customer information lead to financial loss and damaged reputations. The credit card industry wants to protect itself from financial loss or eroded consumer confidence in credit cards, which could lead to expensive and invasive governmental regulation.
We will use our experience with PCI DSS, both from the PCI Qualified Security Assessor (QSA) side and the information security side, to explain the most up-to-date PCI DSS guidelines to you (version 3.0 as of this writing). The objective of this book is not only to teach you about the PCI DSS requirements but to help you understand how the PCI DSS requirements fit into an organization’s information security framework and how to effectively implement information security controls so that you can be both compliant and secure. In addition, we will cover ways to do this in the easiest and most pain-free way without compromising security in the process.
This book will make constant reference to the PCI DSS. PCI DSS, and its related standards, is owned by the PCI Security Standards Council, sometimes known in the industry as PCI Co. Before you start reading this book, you should go to the Council’s Web site at www.pcisecuritystandards.org and download PCI DSS version 3.0 and the Report on Compliance Reporting Instructions. You can find the relevant documents by clicking on “PCI Standards & Documents,” then “Documents Library.”
As of this publication, PCI DSS is at version 3.0. This book will highlight any significant changes between the previous version 2.0 and this version, and give you compliance tips from the perspective of someone complying with the standard.

Who should read this book?

Every company that accepts card payments, processes credit or debit card transactions, stores payment card data, or in any other way touches personal or sensitive data associated with payment card processing is affected by the PCI DSS. Nowadays, this means that virtually all businesses, no matter how big or small, need to understand their PCI DSS scope and how to implement PCI controls to reduce their compliance risk, or face penalties potentially to the point of losing their ability to cost-effectively and legally process payments.
Even with such a broad audience compelled to comply with PCI DSS, this book had to be written for a specific technical level. This book could have been written in very simple terms to educate the general population about PCI DSS. We could have written an in-depth technical tome providing every bit of detail a network engineer or security administrator might need to configure and implement all controls mandated by PCI DSS. This book aims in the middle and is more of a strategic guide to help management and practitioners understand the implications of PCI DSS and what it takes to be compliant. Ultimately, our goal in writing this book was to demystify some of the challenges with PCI DSS and allow readers to understand the right questions to ask of their peers to work toward compliance.
Overall, the book is useful for every stakeholder in an organization dealing with credit cards. This would include executive management, IT and IT security management, network, server, application developers, database managers, legal, marketing, sales, HR, front-line managers, and anyone interested in payment security.
Because of the wide impact that PCI DSS has on any organization, this book is like the small business with five employees—it can wear multiple hats and will appeal to multiple audiences. This book is for the IT managers and company managers who need to understand how PCI DSS applies to their organizations. This book is for the small- and medium-size businesses that don’t have an IT department to delegate to. This book is also for large organizations whose PCI DSS project scope is immense. It is for all organizations that need to grasp the concepts of PCI DSS and how to implement an effective security framework that is also compliant. This book is intended as an introduction to PCI DSS, but with a deeper and more technical understanding of how to put it into action. Finally, even PCI (and anti-PCI) “literati” will benefit from the stories and case studies presented by us!

How to use the book in your daily job

You can use the book during the entire lifecycle from complete PCI unawareness to ultimate security and compliance enlightenment. Specifically, you can use it to:
• Learn what PCI DSS is and why it is here to stay
• Understand how it applies to you and your organization
• Learn what to do about each of the 12 main requirements
• Learn how to deal with PCI assessors and internal auditors
• Learn how to plan and manage your PCI DSS project
• Understand all the technologies referenced by PCI DSS
• Learn how to form strategies for removing portions (or indeed all) of your company from scope
• Get the best experience out of what can be seen as a painful assessment and remediation process.

What this book is not

While reading the book, remember that this is not the book that will unambiguously answer every esoteric PCI DSS question. There is simply no way to create a book with every use case in it with the goal of answering PCI DSS questions as the regulation applies to your own environment. Indeed, there is similarity in how networks and systems are deployed, but given the broad applicability of PCI DSS—from small e-commerce sites to huge worldwide retailers—there is no way to have a book “customized” for your networks, systems, and applications. It is not meant to be the final authority for all issues related to PCI DSS, and it is not the unabridged guide to all things PCI DSS. Finally, even though the book is written using one of the authors’ QSA and consulting experiences, your Acquiring Bank is the ultimate judge of most PCI “puzzles” you will face on your journey to compliance, and your QSA (or other similarly credentialed and experienced individual) should be your guide to lead you to the top of PCI Compliance Mountain.

Organization of the book

Each chapter of the book is designed to provide you the information you need to know in a way that you can easily understand and apply. The chapters in this book follow a common structure which, wherever possible, includes the description of the PCI DSS requirement, the value of the requirement for PCI DSS and security, common tips and select tools useful for satisfying the requirement, as well as common mistakes and pitfalls.
In simple and direct terms, we will first explain the control or concept we are talking about in a way that illustrates its intent. Then, we explain where this concept sits in PCI DSS and why it is needed for information security, that is, how it reduces...

Table of contents

  1. Cover
  2. Title page
  3. Table of Contents
  4. Copyright
  5. Foreword
  6. Acknowledgments
  7. Chapter 1: About PCI DSS and this book
  8. Chapter 2: Introduction to fraud, data theft, and related regulatory mandates
  9. Chapter 3: Why is PCI here?
  10. Chapter 4: Determining and reducing the PCI scope
  11. Chapter 5: Building and maintaining a secure network
  12. Chapter 6: Strong access controls
  13. Chapter 7: Protecting cardholder data
  14. Chapter 8: Using wireless networking
  15. Chapter 9: Vulnerability management
  16. Chapter 10: Logging events and monitoring the cardholder data environment
  17. Chapter 11: PCI DSS and cloud computing
  18. Chapter 12: Mobile
  19. Chapter 13: PCI for the small business
  20. Chapter 14: Managing a PCI DSS project to achieve compliance
  21. Chapter 15: Don’t fear the assessor
  22. Chapter 16: The art of compensating control
  23. Chapter 17: You’re compliant, now what?
  24. Chapter 18: Emerging technology and alternative payment schemes
  25. Chapter 19: Myths and misconceptions of PCI DSS
  26. Index