Understand and Implement Effective PCI Data Security Standard Compliance
By Anton A. Chuvakin Branden R. Williams
SYNGRESS Copyright © 2010 Elsevier Inc.
All right reserved. ISBN: 978-1-59749-539-4
Chapter One About PCI and This Book
Information in this chapter
Who Should Read This Book? 3 How to Use the Book in Your Daily Job 4 What This Book Is NOT 4 Organization of the Book 4
If you are like most information technology (IT) and information security professionals, the idea of becoming compliant with Payment Card Industry Data Security Standard (PCI DSS) or countless other regulations does not sound like much fun. It is much more common to associate compliance efforts with the other extreme, and that is PAIN. Whether it is the pain of not knowing what to do, pain of failing the assessment, or pain of "doing compliance" on a $0 budget, there are plenty of challenges that earned compliance – PCI DSS compliance in particular – have in common with pain.
Thus, we face the seemingly impossible challenge to write a fun and insightful book about PCI DSS. We realize all the difficulties of achieving this, and we are committed to the challenge. We'd like to invite you, our reader, to travel with us in the hopes that when you turn the last page, you would come to realize that PCI DSS compliance can indeed be (YES) fun!
There are many standards and regulations out there. If your company's stock is publicly traded in the United States, you must adhere to the Sarbanes–Oxley (SOX) mandates. Financial companies fall under the Gramm–Leach–Bliley Act (GLBA). Those in the energy sector work toward North American Electric Reliability Corporation (NERC), Federal Energy Regulatory Commission (FERC), or Critical Infrastructure Protection (CIP) standards. If you are in the health care industry, your network must comply with the Health Insurance Portability and Accountability Act (HIPAA) standards. Other countries have their own "alphabet soup" of standards such as British BSI, Russian GOST (Russian for "gosudarstvennyy standart" or "state standard"), worldwide International Organization for Standardization (ISO)/ International Electrotechnical Commission (IEC), and so on. However, the PCI DSS occupies a special place among the standards due to two reasons: broad, worldwide applicability and the presence of enforcement mechanism that is seen as imminent and unavoidable, unlike for some other mentioned regulations.
The overarching theme of all these standards, laws, and regulations is that organizations need to secure their data and protect their networks to keep citizens' data safe. In some cases, weak information security may only affect the company. However, when the data on the corporate network contains personal information about patients, customers, or employees, a breach of security can have implications far beyond the company. A breach of a company dealing with hundreds of millions of customers, such as a card payment processor, will have implications touching nearly the entire society and, thus, decreasing such occurrences is in the public interest.
Visa, MasterCard, American Express, Discover, and JCB banded together to develop PCI DSS to ensure that credit-card customer information is adequately protected and to protect the card industry. Breaches of customer information lead to money loss and damaged reputations, and the credit-card industry wants to protect itself from financial loss or eroded consumer confidence in credit cards as a means of transacting money.
We will use its experience with PCI DSS, both from the PCI Qualified Security Assessor (QSA) side and from information security side, to explain the most up-to-date PCI DSS guidelines to you. However, we will do so in a broader, more holistic approach. The objective of this book is not only to teach you about the PCI DSS requirements but to help you understand how the PCI DSS requirements fit into an organization's information security framework, and how to effectively implement information security controls so that you can be both compliant and secure. In addition, we will focus on how to do this in the easiest and most painless way, but without compromising security in the process.
This book will make constant reference to the PCI DSS. PCI DSS, and its related standards, is owned by the PCI Security Standards Council (PCI SSC), sometimes known in the industry as PCI Co. Before you start reading this book, you should go to the Council's Web site at www.pcisecuritystandards.org and download PCI DSS version 1.2.1 under the Security Standards/PCI DSS heading.
As of this publication, PCI DSS is at version 1.2.1. The changes between versions 1.2 and 1.2.1 are not enough to differentiate in this book, so when we refer to PCI DSS version 1.2, assume that includes version 1.2.1.
WHO SHOULD READ THIS BOOK?
Every company that accepts card payments, processes credit- or debit-card transactions, stores payment card data, or in any other way touches personal or sensitive data associated with payment card processing is affected by the PCI DSS. Nowadays, it means that virtually all businesses, no matter how big or small, need to understand their scope of PCI DSS and how to implement PCI controls to work toward reducing their risk, or face penalties or even the possibility of having their merchant status revoked.
Even with such a broad audience compelled to comply with the PCI DSS, this book had to be written for a specific technical level. This book could have been written in very simple terms to educate the general population about PCI DSS. We could have written an in-depth technical tome providing every bit of detail a network engineer or security administrator might need to configure and implement all controls mandated by PCI DSS. This book aims in the middle and is more of a strategic guide to help executive management understand the implications of PCI DSS and what it takes to be compliant. Overall, the book would be useful for everybody in IT and in management of the organization that deal with credit cards. This would include executive management, IT and IT security management, network, server, application developers, database managers, as well as everyone interested in payment security.
As a result, this book is for the IT managers and company managers who need to understand how PCI DSS applies to their organizations. This book is for the small- and medium-size businesses that don't have an IT department to delegate to. The book is also for large organizations whose PCI DSS project scope is immense. It is for all organizations that need to grasp the concepts of PCI DSS and how to implement an effective security framework that is also compliant. This book is intended as an introduction to PCI DSS, but with a deeper and more technical understanding of how to put it into action. Finally, even PCI "literati" will benefit from the stories and case studies presented by us!
HOW TO USE THE BOOK IN YOUR DAILY JOB
You can use the book during the entire lifecycle from complete PCI unawareness to ultimate security and compliance enlightenment. Specifically, you can use it as provided in the following:
* Learn what PCI DSS is and why it is here to stay
* Figure out how it applies to you and your organization
* Learn what to do about each of the 12 main requirements
* Gain knowledge about dealing with PCI assessors
* Learn how to plan and manage PCI DSS project
* Understand all the technologies referenced by PCI DSS
* Get the best experience out of what can be seen as a painful assessment process
WHAT THIS BOOK IS NOT
While reading the book, it is useful to remember that this is not the book that will unambiguously answer every PCI DSS esoteric question. Also, there is simply no way to create a book that will answer PCI DSS questions as the regulation applies to your own environment. Indeed, there are a lot of similarity in how networks and systems are deployed, but given broad applicability of PCI DSS – from small e-commerce sites to huge worldwide retailers – there is no way to have a book "customized" for your networks, systems, and applications. It is not meant to be the final authority for all issues related to PCI DSS, and it is not the unabridged guide to all things of PCI DSS. Finally, even though the book is written using one of the authors' QSA1 experience, your QSA is the ultimate judge of most PCI "puzzles" you will face on your journey to compliance.
ORGANIZATION OF THE BOOK
Each chapter of the book is designed to provide you the information you need to know in a way that you can easily understand and apply. To aid in that goal, the chapters follow a common structure which, wherever possible, includes the description of the PCI DSS requirement, the value of the requirement for PCI DSS and security, common tips and select tools useful for satisfying the requirement, as well as common mistakes and pitfalls.
Specifically, we are trying to first explain what is the control or a concept we are talking about, whether it is log management or compensating controls. Then, we explain where in PCI DSS this concept sits and why it is needed for information security – how it reduces risk. Next, we explain what you should do with this concept to be secure and compliant using examples, common practices, etc. Most chapters have a detailed and entertaining case study. When we said that we will make PCI fun, we really mean it! Most chapters have a summary that provides a brief recap of the concepts discussed to reinforce what you read or to help you identify areas that you may need to re-read if you feel you don't understand them yet. Where possible, we also try to highlight common mistakes and pitfalls with these requirements or PCI concepts.
This section provides a brief description of the information covered in each chapter:
* Chapter 1: About PCI and This Book – This chapter explains why PCI DSS is special and what this book is about.
* Chapter 2: Introduction to Fraud, ID Theft, and Regulatory Mandates – This chapter explains cybercrime and regulations and is a brief look at payment card fraud, cybercrime, ID theft, and other things around PCI DSS.
* Chapter 3: Why Is PCI Here? – This chapter gives an overview of PCI DSS and why the card industry was compelled to create it. This chapter also includes some discussion about the benefits of PCI DSS compliance and the risks of noncompliance.
* Chapter 4: Building and Maintaining a Secure Network – This chapter explains the necessary steps in protecting data for PCI DSS compliance and other reasons: to have a secure network in the first place. This chapter discusses the basic components of a secure network and lays the foundation for building the rest of your PCI DSS compliance.
* Chapter 5: Strong Access Controls – This chapter covers one of the most important aspects of PCI DSS compliance access control. The information in this chapter includes the need to restrict access to only those individuals that need it, as well as restricting physical access to computer systems.
* Chapter 6: Protecting Cardholder Data – This chapter explains how to protect card data that is stored on your systems, as well as how to protect data while it is in transit on your network.
* Chapter 7: Using Wireless Networking – This chapter covers wireless security issues and wireless security controls and safeguards managed by PCI DSS.
* Chapter 8: Vulnerability Management – This chapter explains performing vulnerability assessments to identify weaknesses in systems and applications, and how to mitigate or remediate the vulnerabilities to protect and secure your data.
* Chapter 9: Logging Events and Monitoring the Cardholder Data Environment – This chapter discusses how to configure logging and event assessment to capture the information you need to be able to show and maintain PCI compliance, as well as how to perform other security monitoring tasks.
Excerpted from PCI Compliance by Anton A. Chuvakin Branden R. Williams Copyright © 2010 by Elsevier Inc. . Excerpted by permission of SYNGRESS. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.