
PCI Compliance

Understand and Implement Effective PCI Data Security Standard Compliance


Description

PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance, Second Edition, discusses not only how to apply PCI in a practical and cost-effective way but, more importantly, why. The book explains what the Payment Card Industry Data Security Standard (PCI DSS) is and why it is here to stay; how it applies to information technology (IT) and information security professionals and their organizations; how to deal with PCI assessors; and how to plan and manage a PCI DSS project. It also describes the technologies referenced by PCI DSS and how PCI DSS relates to laws, frameworks, and regulations.

This book is for IT managers and company managers who need to understand how PCI DSS applies to their organizations. It is for the small- and medium-size businesses that do not have an IT department to delegate to. It is for large organizations whose PCI DSS project scope is immense. It is also for all organizations that need to grasp the concepts of PCI DSS and how to implement an effective security framework that is also compliant.

Key features

  • Completely updated to follow the PCI DSS standard 1.2.1
  • Packed with help to develop and implement an effective security strategy to keep infrastructure compliant and secure
  • Both authors have broad information security backgrounds, including extensive PCI DSS experience

Readership

IT professionals responsible for implementing cardholder environments: network, server, and application developers, database managers, and security personnel.

Table of contents


Foreword

Acknowledgments

About the Authors

Chapter 1 About PCI and This Book

    Who Should Read This Book?

    How to Use the Book in Your Daily Job

    What this Book is NOT

    Organization of the Book

    Summary

Chapter 2 Introduction to Fraud, ID Theft, and Regulatory Mandates

    Summary

Chapter 3 Why Is PCI Here?

    What Is PCI and Who Must Comply?

         Electronic Card Payment Ecosystem

         Goal of PCI DSS

         Applicability of PCI DSS

    PCI DSS in Depth

         Compliance Deadlines

         Compliance and Validation

         History of PCI DSS

         PCI Council

         QSAs

         ASVs

    Quick Overview of PCI Requirements

         Changes to PCI DSS

    PCI DSS and Risk

    Benefits of Compliance

    Case Study

         The Case of the Developing Security Program

         The Case of the Confusing Validation Requirements

    Summary

    References

Chapter 4 Building and Maintaining a Secure Network

    Which PCI DSS Requirements Are in This Domain?

         Establish Firewall Configuration Standards

         Denying Traffic from Untrusted Networks and Hosts

         Restricting Connections

         Personal Firewalls

         Other Considerations for Requirement 1

         The Oddball Requirement 11.4

         Requirement 2: Defaults and Other Security Parameters

         Develop Configuration Standards

         Implement Single Purpose Servers

         Configure System Security Parameters

         Encrypt Nonconsole Administrative Access

         Hosting Providers Must Protect Shared Hosted Environment

    What Else Can You Do to Be Secure?

    Tools and Best Practices

    Common Mistakes and Pitfalls

         Egress Filtering

         Documentation

         System Defaults

    Case Study

         The Case of the Small, Flat Store Network

         The Case of the Large, Flat Corporate Network

    Summary

Chapter 5 Strong Access Controls

    Which PCI DSS Requirements Are in This Domain?

         Principles of Access Control

         Requirement 7: How Much Access Should a User Have?

         Requirement 8: Authentication Basics

         Windows and PCI Compliance

         POSIX (UNIX/Linux-like Systems) Access Control

         Cisco and PCI Requirements

         Requirement 9: Physical Security

    What Else Can You Do To Be Secure?

    Tools and Best Practices

         Random Password for Users

    Common Mistakes and Pitfalls

    Case Study

         The Case of the Stolen Database

         The Case of the Loose Permissions

    Summary

Chapter 6 Protecting Cardholder Data

    What Is Data Protection and Why Is It Needed?

         The Confidentiality, Integrity, Availability Triad

    Requirements Addressed in This Chapter

    PCI Requirement 3: Protect Stored Cardholder Data

         Requirement 3 Walk-through

         Encryption Methods for Data at Rest

         PCI and Key Management

    What Else Can You Do to Be Secure?

    PCI Requirement 4 Walk-through

         Transport Layer Security and Secure Sockets Layer

         IPsec Virtual Private Networks

         Wireless Transmission

         Misc Card Transmission Rules

    Requirement 12 Walk-through

    Appendix A of PCI DSS

    How to Become Compliant and Secure

         Step 1: Identify Business Processes with Card Data

         Step 2: Focus on Shrinking the Scope

         Step 3: Identify Where the Data Is Stored

         Step 4: Determine What to Do About Data

         Step 5: Determine Who Needs Access

         Step 6: Develop and Document Policies

    Common Mistakes and Pitfalls

    Case Study

         The Case of the Data Killers

    Summary

    References

Chapter 7 Using Wireless Networking

    What Is Wireless Network Security?

    Where Is Wireless Network Security in PCI DSS?

         Requirements 1 and 12: Documentation

         Actual Security of Wireless Devices: Requirements 2, 4, and 9

         Logging and Wireless Networks: Requirement 10.5.4

         Testing for Unauthorized Wireless: Requirement 11.1

    Why Do We Need Wireless Network Security?

    Tools and Best Practices

    Common Mistakes and Pitfalls

         Why Is WEP So Bad?

    Case Study

         The Case of the Untethered Laptop

         The Case of the Expansion Plan

         The Case of the Double Secret Wireless Network

    Summary

Chapter 8 Vulnerability Management

    PCI DSS Requirements Covered

    Vulnerability Management in PCI

         Stages of Vulnerability Management Process

    Requirement 5 Walk-through

         What to Do to Be Secure and Compliant?

    Requirement 6 Walk-through

         Web-Application Security and Web Vulnerabilities

         What to Do to Be Secure and Compliant?

    Requirement 11 Walk-through

         External Vulnerability Scanning with ASV

         Considerations when Picking an ASV

         How ASV Scanning Works

         PCI DSS Scan Validation Walk-through

         Operationalizing ASV Scanning

         What Do You Expect from an ASV?

    Internal Vulnerability Scanning

         Penetration Testing

    Common PCI Vulnerability Management Mistakes

    Case Study

         PCI at a Retail Chain

         PCI at an E-Commerce Site

    Summary

    References

Chapter 9 Logging Events and Monitoring the Cardholder Data Environment

    PCI Requirements Covered

    Why Logging and Monitoring in PCI DSS?

    Logging and Monitoring in Depth

    PCI Relevance of Logs

    Logging in PCI Requirement 10

    Monitoring Data and Log Security Issues

    Logging and Monitoring in PCI – All Other Requirements

    Tools for Logging in PCI

    Log Management Tools

    Other Monitoring Tools

    Intrusion Detection and Prevention

    Integrity Monitoring

    Common Mistakes and Pitfalls

    Case Study

         The Case of the Risky Risk-Based Approach

         The Case of Tweaking to Comply

    Summary

    References

Chapter 10 Managing a PCI DSS Project to Achieve Compliance

    Justifying a Business Case for Compliance

         Figuring Out If You Need to Comply

         Compliance Overlap

         The Level of Validation

         What Is the Cost for Noncompliance?

    Bringing the Key Players to the Table

         Obtaining Corporate Sponsorship

         Forming Your Compliance Team

         Getting Results Fast

         Notes from the Front Line

    Budgeting Time and Resources

         Setting Expectations

         Establishing Goals and Milestones

         Having Status Meetings

    Educating Staff

         Training Your Compliance Team

         Training the Company on Compliance

         Setting Up the Corporate Compliance Training Program

    Project Quickstart Guide

         The Steps

    PCI SSC New Prioritized Approach

    Summary

    Reference

Chapter 11 Don’t Fear the Assessor

    Remember, Assessors Are There to Help

         Balancing Remediation Needs

         How FAIL == WIN

    Dealing With Assessors’ Mistakes

    Planning for Remediation

         Fun Ways to Use Common Vulnerability Scoring System

    Planning for Reassessing

    Summary

Chapter 12 The Art of Compensating Control

    What Is a Compensating Control?

    Where Are Compensating Controls in PCI DSS?

    What a Compensating Control Is Not

    Funny Controls You Didn’t Design

    How to Create a Good Compensating Control

    Summary

Chapter 13 You’re Compliant, Now What?

    Security Is a Process, Not an Event

    Plan for Periodic Review and Training

    PCI Requirements with Periodic Maintenance

         Build and Maintain a Secure Network

         Protect Cardholder Data

         Maintain a Vulnerability Management Program

         Implement Strong Access Control Measures

         Regularly Monitor and Test Networks

         Maintain an Information Security Policy

    PCI Self-Assessment

    Case Study

         The Case of the Compliant Company

    Summary

Chapter 14 PCI and Other Laws, Mandates, and Frameworks

    PCI and State Data Breach Notification Laws

         Origins of State Data Breach Notification Laws

         Commonalities Among State Data Breach Laws

         How Does It Compare to PCI?

         Final Thoughts on State Laws

    PCI and the ISO27000 Series

    PCI and Sarbanes–Oxley (SOX)

    Regulation Matrix

         How Do You Leverage Your Efforts for PCI DSS?

    Summary

    References

Chapter 15 Myths and Misconceptions of PCI DSS

    Myth #1 PCI Doesn’t Apply

    Myth #2 PCI Is Confusing

    Myth #3 PCI DSS Is Too Onerous

    Myth #4 Breaches Prove PCI DSS Irrelevant

    Myth #5 PCI Is All We Need for Security

    Myth #6 PCI DSS Is Really Easy

    Myth #7 My Tool Is PCI Compliant

    Myth #8 PCI Is Toothless

    Case Study

         The Case of the Cardless Merchant

    Summary

    References

Index
Review quotes

"Finally we have a solid and comprehensive reference for PCI. This book explains in great detail not only how to apply PCI in a practical and cost-effective way, but more importantly why."—Joel Weise, Information Systems Security Association (ISSA) founder and chairman of the ISSA Journal Editorial Advisory Board

"Overall, PCI Compliance is a valuable book for one of the most sensible security standards ever put forth. Anyone who has PCI responsibilities or wants to gain a quick understanding of the PCI DSS requirements will find it quite valuable."—Security Management

"Intended for IT managers, this guide introduces the payment card industry data security standard (PCI DSS), describes the components of a secure network, and suggests steps for planning a project to meet compliance. The 12 PCI DSS requirements are addressed individually with action items for access control, cardholder data protection, wireless network security, vulnerability management, and event logging. The second edition covers PCI DSS version 1.2.1."—SciTech Book News


About the authors


Anton Chuvakin

Dr. Anton Chuvakin is a recognized security expert in the field of log management and PCI DSS compliance. He is an author of the books "Security Warrior" and "PCI Compliance" and has contributed to many others, while also publishing dozens of papers on log management, correlation, data analysis, PCI DSS, and security management. His blog (http://www.securitywarrior.org) is one of the most popular in the industry.

Additionally, Anton teaches classes and presents at many security conferences across the world, works on emerging security standards, and serves on the advisory boards of several security start-ups. Currently, Anton is developing his security consulting practice, focusing on logging and PCI DSS compliance for security vendors and Fortune 500 organizations.

Anton earned his Ph.D. from Stony Brook University.

Affiliations and expertise
Recognized security expert in the field of log management and PCI DSS compliance.


Branden R. Williams

Branden R. Williams (CISSP, CISM, CPISA, CPISM) leads an information security practice in a Global Security Consulting group at a major security firm in Flower Mound, TX, and teaches in the NSA Certified Information Assurance program at the University of Dallas's Graduate School of Management. Branden has been involved in information technology since 1994 and has focused on information security since 1996. He started consulting on payment security in 2004, assessing companies against the Visa CISP and Mastercard SDP programs. He holds a Bachelor of Business Administration in Marketing from the University of Texas, Arlington, and a Master of Business Administration in Supply Chain Management and Market Logistics from the University of Dallas.

Branden publishes a monthly column in the ISSA Journal entitled "Herding Cats," and authors a blog at http://www.brandenwilliams.com/.

Affiliations and expertise
CISSP, CISM, CPISA, CPISM, and CTO of a Global Security Consulting group at a major security firm in Flower Mound, TX
