PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance



NOOK Book (eBook)
$59.95
BN.com price

Overview

Identity theft and other confidential information theft have now topped the charts as the leading cybercrime. In particular, credit card data is preferred by cybercriminals. Is your payment processing secure and compliant? The new Fourth Edition of PCI Compliance has been revised to follow the new PCI DSS standard version 3.0, which is the official version beginning in January 2014. Also new to the Fourth Edition: additional case studies and clear guidelines and instructions for maintaining PCI compliance globally, including coverage of technologies such as NFC, P2PE, CNP/Mobile, and EMV. This is the first book to address the recent updates to PCI DSS. The real-world scenarios and hands-on guidance are also new approaches to this topic. All-new case studies and fraud studies have been added to the Fourth Edition.

Each chapter has how-to guidance to walk you through implementing concepts, and real-world scenarios to help you relate to the information and better grasp how it impacts your data. This book provides the information that you need in order to understand the current PCI Data Security standards and how to effectively implement security on network infrastructure in order to be compliant with the credit card industry guidelines, and help you protect sensitive and personally-identifiable information.

  • Completely updated to follow the most current PCI DSS standard, version 3.0
  • Packed with help to develop and implement an effective strategy to keep infrastructure compliant and secure
  • Includes coverage of new and emerging technologies such as NFC, P2PE, CNP/Mobile, and EMV
  • Both authors have broad information security backgrounds, including extensive PCI DSS experience

Editorial Reviews

From the Publisher

"Williams and Chuvakin provide background on Version 2.0 of the Payment Card Industry Data Security Standard (PCI DSS), the minimum standard with which vendors must comply to ensure data security. They also provide instruction on how to implement security that is in compliance with industry guidelines and successfully ensures the safety of sensitive and personally identifiable information."--Reference and Research Book News, August 2013


Product Details

  • ISBN-13: 9780128015797
  • Publisher: Elsevier Science
  • Publication date: 10/24/2014
  • Edition number: 4
  • Pages: 400
  • Sales rank: 1,141,874

Meet the Author

Branden R. Williams (CISSP, CISM, CPISA, CPISM) leads an information security practice in a Global Security Consulting group at a major security firm in Flower Mound, TX and teaches in the NSA Certified Information Assurance program at the University of Dallas's Graduate School of Management. Branden has been involved in information technology since 1994, and focused on information security since 1996. He started consulting on payment security in 2004, assessing companies against the Visa CISP and Mastercard SDP programs. He has a Bachelor's of Business Administration in Marketing from the University of Texas, Arlington, and a Master's of Business Administration in Supply Chain Management and Market Logistics from the University of Dallas. Branden publishes a monthly column in the ISSA Journal entitled "Herding Cats," and authors a blog at http://www.brandenwilliams.com/.

Dr. Anton Chuvakin is a recognized security expert in the field of log management and PCI DSS compliance. He is an author of the books "Security Warrior" and "PCI Compliance" and has contributed to many others, while also publishing dozens of papers on log management, correlation, data analysis, PCI DSS, and security management. His blog (http://www.securitywarrior.org) is one of the most popular in the industry. Additionally, Anton teaches classes and presents at many security conferences across the world, works on emerging security standards, and serves on the advisory boards of several security start-ups. Currently, Anton is developing his security consulting practice, focusing on logging and PCI DSS compliance for security vendors and Fortune 500 organizations. Anton earned his Ph.D. from Stony Brook University.


Read an Excerpt

PCI Compliance

Implementing Effective PCI Data Security Standards

Syngress

Copyright © 2007 Elsevier, Inc.
All rights reserved.

ISBN: 978-0-08-055638-3


Chapter One

About PCI and This Book

Introduction

There are plenty of standards and regulations out there. If you are a publicly traded company in the United States, you must adhere to the Sarbanes-Oxley (SOX) mandates. If you are in the health care industry, your network must comply with the Health Insurance Portability and Accountability Act (HIPAA) standards. The list goes on.

The bottom line is that organizations need to secure and protect their networks. In some cases, weak network security may only affect the company. However, when the data on the corporate network contains personal information about patients, customers, or employees, a breach of security can have implications far beyond the company.

The credit card industry banded together to develop the Payment Card Industry (PCI) Data Security Standards (DSS) to ensure that credit card customer information is adequately protected and to protect the industry. Breaches of customer information lead to lost money and damaged reputations, and the credit card industry wants to protect itself from financial loss or eroded consumer confidence in credit cards as a means of transacting money.

This book will explain the PCI DSS guidelines to you. However, it will do so in a broader, more holistic approach. The goal of this book is to not only teach you the PCI DSS requirements, but to help you understand how the PCI DSS requirements fit into an organization's network security framework, and how to effectively implement network security controls so that you can be both compliant and secure.

Who Should Read This Book?

Every company that accepts credit card payments, processes credit card transactions, stores credit card data, or in any other way touches personal or sensitive data associated with credit card payment processing, is affected by the PCI DSS. Virtually all businesses, no matter how big or how small, need to understand the scope of the PCI DSS and how to implement network security that is compliant with the PCI guidelines, or face penalties or the possibility of having their merchant status revoked and potentially being banned from accepting or processing credit cards.

Even with such a broad audience compelled to comply with the PCI DSS, this book had to be written for a specific technical level. The book could have been written in very simple terms in order to educate the general population about PCI DSS. We could have written an in-depth technical tome providing every bit of detail a network engineer or security administrator might need to configure and implement compliance. Instead, this book is more of a strategic business guide to help executive management understand the implications of PCI DSS and what it takes to be compliant.

This book is for the Information Technology (IT) managers and company executives who need to understand how the PCI DSS apply to them. This book is for the small- and medium-size business that doesn't have an IT department to delegate to, and for organizations that need to grasp the concepts of PCI DSS and how to implement an effective security framework that is compliant. This book is intended as an introduction to PCI, but with a deeper and more technical understanding of how to put it into action.

Organization of the Book

Each chapter of the book is designed to provide you the information you need to know in a way that you can easily understand and apply. To aid in that goal, the chapters have a consistent look and feel and are each made up of the same basic sections, listed here.

Solutions In This Chapter

At the beginning of each chapter is a bulleted list called Solutions In This Chapter. This list shows you a high-level overview of the concepts that are covered in this chapter and what you can expect to learn.

Summary

Every chapter has a summary. As the name implies, the summary summarizes the information covered in the chapter and provides a brief recap of the concepts discussed to reinforce what you read, or to help you identify areas that you may need to re-read if you don't feel you understand them yet.

Solutions Fast Track

The Solutions Fast Track provides a bulleted outline of the pertinent points and key information covered in the chapter. This section can be used as a sort of study guide or reminder system to help trigger your brain to recall the information, or to review in one short list the key points from the chapter.

Frequently Asked Questions

Frequently asked questions contain questions designed to clarify areas of potential confusion from the chapter or reinforce the information that was covered. This section can also serve as a sort of mini-quiz to demonstrate that you grasp the concepts and information discussed in the chapter.

Chapter Descriptions

This section provides a brief description of the information covered in each chapter:

* Chapter 1: Foreword A discussion of the state of credit card data security and how this book came about

* Chapter 2: Introduction A brief look at the target audience of the book, as well as an overview of the chapter formats and content.

* Chapter 3: Why PCI Is Important An overview of PCI DSS and why the credit card industry was compelled to create it. This chapter also includes some discussion about the benefits of PCI DSS compliance and the risks and consequences of non-compliance.

* Chapter 4: Building and Maintaining a Secure Network The first step in protecting any kind of data, and for PCI DSS compliance, is to have a secure network in the first place. This chapter discusses the basic components of a secure network and lays the foundation for building the rest of your PCI DSS compliance.

* Chapter 5: Protect Cardholder Data This chapter explains how to protect data that is stored on your network, as well as how to protect data while it is in transit. It also covers access controls and logging so that you can determine who accessed a given file and whether or not they were authorized to do so.

* Chapter 6: Logging Access and Events A discussion about how to configure logging and event auditing to capture the information you need to be able to demonstrate and maintain PCI compliance.

* Chapter 7: Strong Access Control This chapter covers one of the most important aspects of PCI DSS compliance: access controls. The information in this chapter includes the need to restrict access to only those individuals that need it, as well as restricting physical access to computer systems.

* Chapter 8: Vulnerability Management Performing vulnerability assessments to identify weaknesses in systems and applications, and how to mitigate or remediate the vulnerabilities to protect and secure your data.

* Chapter 9: Monitoring and Testing How to monitor your network and test your security controls to ensure your network is protected and compliant.

* Chapter 10: How To Plan a Project To Meet Compliance An overview of the steps involved and tasks necessary to implement a successful PCI compliance project. This chapter includes a discussion of the basic elements that should be included in any future projects as well, to proactively ensure they are PCI compliant.

* Chapter 11: Responsibilities An effective incident response process requires that the groups and individuals responsible for responding understand their roles. This chapter discusses the different components of incident response and how to respond effectively to breaches of PCI DSS.

* Chapter 12: Planning to Fail Your First Audit Understand that an auditor is there to work with you to achieve compliance. They are not the enemy. This chapter explains how to use the findings from a failed audit to ensure compliance.

* Chapter 13: You're Compliant! Now What? This chapter covers the details you need to keep in mind once you have achieved compliance. Security is not as simple as just getting it implemented. You have to monitor and maintain it. This chapter contains information about ongoing training and periodic reviews, as well as how to conduct a self-audit to ensure continued compliance.

Chapter Two

Introduction to Fraud, ID Theft, and Regulatory Mandates

By Tony Bradley, CISSP-ISSAP, Microsoft MVP-Windows Security, BT INS Security Consultant

Credit card fraud and identity theft are both epic problems that continue to grow each year. Certainly, credit card fraud and identity theft pre-date the age of the Internet. It is an ironic fact that the things that make your life easier, improve efficiency, and make things more convenient, also make crime easier, efficient, and more convenient.

Criminals have gone high-tech and they have discovered that there is a significant amount of money to be acquired with very little risk. Hacking a company database or orchestrating a phishing attack while sitting in your pajamas eating chocolate ice cream in the living room of your house has much more appeal than robbing banks or convenience stores, and the risk of getting shot or killed is much lower. Depending on the company being targeted, the sophistication of the attack, and sometimes sheer luck, the high-tech crime may also be significantly more lucrative than traditional armed robbery.

Malicious software (malware) and cyber-criminals are not the only threat. Sadly, the very companies and organizations that are entrusted with sensitive information are often to blame. Consumers and businesses are faced with a wide variety of threats to their data and personal information on any given day. Spyware, phishing attacks, and robot networks (botnets) are all computer attacks that are on the rise and pose a significant threat to users as they connect to the Web and use their computers. However, those threats pale in comparison with the amount of personally identifiable information and sensitive data that has been compromised through carelessness or negligence by corporations.

According to some sources, more than 50 million individual records were exposed in 2005, through the loss of mobile devices or portable storage media, or by attackers gaining access to the corporate network and extracting the data themselves. A security breach at CardSystems in June 2005 was responsible for 40 million of the 50 million total. Early in 2007, a security breach at TJX Companies, the parent of retail establishments such as T.J. Maxx, Bob's, Marshall's, HomeGoods, and A.J. Wright, may potentially have exposed more credit information and individual account data than even the 40 million records compromised in the CardSystems breach. Some estimates place the TJX breach at over 50 million compromised accounts by itself.

In an era when more consumers are using computers and the Internet to conduct business and make purchases, and more companies are storing more data, it is more important than ever that the proper steps are taken to secure and protect personally identifiable information and other sensitive data. It is bad for companies, individuals, and the economy at large if consumer confidence is eroded by having their personal information exposed or compromised.

The information security field has a number of laws and regulations to adhere to. Depending on what industry a company does business in, they may fall under Sarbanes-Oxley (SOX), the Gramm-Leach Bliley Act of 1999 (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and other regulatory mandates, or some combination thereof. However, as evidenced by the volume and continuing occurrence of data compromise and exposure, many organizations still fail to enforce adequate security measures.

These breaches are often targeted at consumer credit card information and threaten to tarnish the reputation of the credit card industry, so the major credit card vendors banded together to develop the Payment Card Industry (PCI) Data Security Standards (DSS). In essence, the credit card industry has taken proactive steps to assure the integrity and security of credit card data and transactions and maintain the public trust in credit cards as a primary means of transacting money. If you want to accept credit cards as payment or take part in any step of the processing of the credit card transaction, you must comply with the PCI DSS or face stiff consequences.

Unlike SOX or HIPAA, the PCI DSS are not a law; however, in many ways, they are more effective. Non-compliance won't land you in jail, but it can mean having your merchant status revoked. For some organizations, losing the ability to process credit card payments would drastically affect their ability to do business and possibly even bring about the death of the company.

There is nothing extraordinary or magical about the PCI DSS requirements, though. The guidelines spelled out are all essentially common sense that any organization should follow without being told. Even so, some of the requirements leave room for interpretation and complying with PCI DSS can be tricky.

(Continues...)



Excerpted from PCI Compliance Copyright © 2007 by Elsevier, Inc. Excerpted by permission of Syngress. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.


Table of Contents

  1. About PCI and This Book
  2. Introduction to Fraud, ID Theft, and Regulatory Mandates
  3. Why PCI is Here
  4. Determining and Reducing the PCI Scope
  5. Building and Maintaining a Secure Network
  6. Strong Access Controls
  7. Protect Cardholder Data
  8. Using Wireless Networking
  9. Vulnerability Management and Testing
  10. Logging Events and Monitoring the Cardholder Data Environment
  11. Cloud and Virtualization
  12. Mobile
  13. PCI DSS for the Small Business
  14. Managing PCI DSS Projects to Achieve Compliance
  15. Don't Fear the Assessor
  16. The Art of Compensating Control
  17. So You're Compliant, Now What?
  18. Emerging Technology and Alternative Payment Schemes
  19. PCI DSS Myths and Misconceptions