PCI Compliance: Understand and Implement Effective PCI Data Security Standard Complianceby Branden R. Williams, Anton Chuvakin, Tony Bradley (Editor)
The credit card industry established the PCI Data Security Standards to provide a minimum standard for how vendors should protect data to ensure it is not stolen by fraudsters. PCI Compliance, 3e, provides the information readers need to understand the current PCI Data Security standards, which have recently been updated to version 2.0, and how to/i>
The credit card industry established the PCI Data Security Standards to provide a minimum standard for how vendors should protect data to ensure it is not stolen by fraudsters. PCI Compliance, 3e, provides the information readers need to understand the current PCI Data Security standards, which have recently been updated to version 2.0, and how to effectively implement security within your company to be compliant with the credit card industry guidelines and protect sensitive and personally identifiable information. Security breaches continue to occur on a regular basis, affecting millions of customers and costing companies millions of dollars in fines and reparations. That doesn’t include the effects such security breaches have on the reputation of the companies that suffer attacks. PCI Compliance, 3e, helps readers avoid costly breaches and inefficient compliance initiatives to keep their infrastructure secure.
- Provides a clear explanation of PCI
- Provides practical case studies, fraud studies, and analysis of PCI
- The first book to address version 2.0 updates to the PCI DSS, security strategy to keep your infrastructure PCI compliant
- Elsevier Science
- Publication date:
- Product dimensions:
- 7.46(w) x 9.18(h) x 0.92(d)
Read an Excerpt
PCI ComplianceImplementing Effective PCI Data Security Standards
SyngressCopyright © 2007 Elsevier, Inc.
All right reserved.
Chapter OneAbout PCI and This Book
There are plenty of standards and regulations out there. If you are a publicly traded company in the United States, you must adhere to the (SOX) mandates. If you are in the health care industry your network must comply with the Health Insurance Portability and Accountability Act (HIPAA) standards. The list goes on.
The bottom line is that organizations need to secure and protect their networks. In some cases, weak network security may only affect the company. However, when the data on the corporate network contains personal information about patients, customers, or employees, a breach of security can have implications far beyond the company.
The credit card industry banded together to develop the Payment Card Industry (PCI) Data Security Standards (DSS) to ensure that credit card customer information is adequately protected and to protect the industry. Breaches of customer information lead to lost money and damaged reputations, and the credit card industry wants to protect itself from financial loss or eroded consumer confidence in credit cards as a means of transacting money.
This book will explain the PCI DSS guidelines to you. However, it will do so in a broader, more holistic approach. The goal of this book is to not only teach you the PCI DSS requirements, but to help you understand how the PCI DSS requirements fit into an organization's network security framework, and how to effectively implement network security controls so that you can be both compliant and secure.
Who Should Read This Book?
Every company that accepts credit card payments, processes credit card transactions, stores credit card data, or in any other way touches personal or sensitive data associated with credit card payment processing, is affected by the PCI DSS. Virtually all businesses, no matter how big or how small, need to understand the scope of the PCI DSS and how to implement network security that is compliant with the PCI guidelines, or face penalties or the possibility of having their merchant status revoked and potentially being banned from accepting or processing credit cards.
Even with such a broad audience compelled to comply with the PCI DSS, this book had to be written for a Specific technical level. The book could have been written in very simple terms in order to educate the general population about PCI DSS. We could have written an in-depth technical tome providing every bit of detail a network engineer or security administrator might need to configure and implement compliance. This book is more of a strategic business guide to help executive management understand the implications of PCI DSS and what it takes to be compliant
This book is for the Information Technology (IT) managers and company executives who need to understand how the PCI DSS apply to them. This book is for the small- and medium-size business that doesn't have an IT department to delegate to. For organizations that need to grasp the concepts of PCI DSS and how to implement an effective security framework that is compliant. This book is intended as an introduction to PCI, but with a deeper and more technical understanding of how to put it into action.
Organization of the Book
Each chapter of the book is designed to provide you the information you need to know in a way that you can easily understand and apply. To aid in that goal, the chapters have a consistent look and feel and are each made up of the same basic sections, listed here.
Solutions In This Chapter
At the beginning of each chapter is a bulleted list called Solutions In This Chapter. This list shows you a high-level overview of the concepts that are covered in this chapter and what you can expect to learn.
Every chapter has a summary. As the name implies, the summary summarizes the information covered in the chapter and provides a brief recap of the concepts discussed to reinforce what you read, or to help you identify areas that you may need to re-read if you don't feel you understand them yet.
Solutions Fast Track
The Solutions Fast Track provides a bulleted outline of the pertinent points and key information covered in the chapter. This section can be used as a sort of study guide or reminder system to help trigger your brain to recall the information or to review in one short list the key points from the chapter
Frequently Asked Questions
Frequently asked questions contain questions designed to clarify areas of potential confusion from the chapter or reinforce the information that was covered. This section can also serve as a sort of mini-quiz to demonstrate that you grasp the concepts and information discussed in the chapter.
This section provides a brief description of the information covered in each chapter:
* Chapter 1: Foreword A discussion of the state of credit card data security and how this book came about
* Chapter 2: Introduction A brief look at the target audience of the book, as well as an overview of the chapter formats and content.
* Chapter 3: Why PCI Is Important An overview of PCI DSS and why the credit card industry was compelled to create it. This chapter also includes some discussion about the benefits of PCI DSS compliance and the risks and consequences of non-compliance.
* Chapter 4: Building and Maintaining a Secure Network The first step in protecting any kind of data, and for PCI DSS compliance, is to have a secure network in the first place. This chapter discusses the basic components of a secure network and lays the foundation for building the rest of your PCI DSS compliance.
* Chapter 5: Protect Cardholder Data This chapter explains how to protect data that is stored on your network, as well as how to protect data while it is in transit. It also covers access controls and logging so that you can determine who accessed a given file and whether or not they were authorized to do so.
* Chapter 6: Logging Access and Events A discussion about how to configure logging and event auditing to capture the information you need to be able to demonstrate and maintain PCI compliance.
* Chapter 7: Strong Access Control This chapter covers one of the most important aspects of PCI DSS compliance- access controls. The information in this chapter includes the need to restrict access to only those individuals that need it, as well as restricting physical access to computer systems.
* Chapter 8: Vulnerability Management Performing vulnerability assessments to identify weaknesses in systems and applications, and how to mitigate or remediate the vulnerabilities to protect and secure your data.
* Chapter 9: Monitoring and Testing How to monitor your network and test your security controls to ensure your network is protected and compliant.
* Chapter 10: How To Plan a Project To Meet Compliance An overview of the steps involved and tasks necessary to implement a successful PCI compliance project. This chapter includes a discussion of the basic elements that should be included in any future projects as well to proactively ensure they are PC I compliant.
* Chapter 11: Responsibilities An effective incident response process requires that the groups and individuals responsible for responding understand their roles. This chapter discusses the different components of incident response and how to respond effectively to breaches of PCI DSS.
* Chapter 12: Planning to Fail Your First Audit Understand that an auditor is there to work with you to achieve compliance. They are not the enemy. This chapter explains how to use the findings from a failed audit to ensure compliance.
* Chapter 13: You're Compliant! Now What? This chapter covers the details you need to keep in mind once you have achieved compliance. Security is not as simple as just getting it implemented. You have to monitor and maintain it. This chapter contains information about ongoing training and periodic reviews, as well as how to conduct a self-audit to ensure continued compliance.
Chapter TwoIntroduction to Fraud, ID Theft, and Regulatory Mandates
By Tony Bradley, CISSP-ISSAP, Microsoft MVP-Windows Security BT INS Security Consultant
Credit card fraud and identity theft are both epic problems that continue to grow each year. Certainly, credit card fraud and identity theft pre-date the age of the Internet. It is an ironic fact that the things that make your life easier, improve efficiency, and make things more convenient, also make crime easier, efficient, and more convenient.
Criminals have gone high-tech and they have discovered that there is a significant amount of money to be acquired with very little risk. Hacking a company database or orchestrating a phishing attack while sitting in your pajamas eating chocolate ice cream in the living room of your house has much more appeal than robbing banks or convenience stores, and the risk of getting shot or killed is much lower. Depending on the company being targeted, the sophistication of the attack, and sometimes sheer luck, the high-tech crime may also be significantly more lucrative than traditional armed robbery.
Malicious software (malware) and cyber-criminals are not the only threat. Sadly, the very companies and organizations that are entrusted with sensitive information are often to blame. Consumers and businesses are faced with a wide variety of threats to their data and personal information on any given day. Spyware, phishing attacks, and robot networks (botnets) are all computer attacks that are on the rise and pose a significant threat to users as they connect to the Web and use their computers. However, those threats pale in comparison with the amount of personally identifiable information and sensitive data that has been compromised through carelessness or negligence by corporations.
According to some sources, more than 50 million individual records were exposed in 2005, through the loss of mobile devices or portable storage media, or by attackers gaining access to the corporate network and extracting the data themselves. A security breach at CardSystems in June 2005, was responsible for 40 million of the 50 million total. Early in 2007, a security breach at TJX Companies, the parent of retail establishments such as T.J. Maxx, Bob's, Marshall's, HomeGoods, and AJ. Wright, may potentially have exposed more credit information and individual account data than even the 40 million records compromised by CardSystems data. Some estimates place the TJX breach at over 50 million compromised accounts by itself.
In an era when more consumers are using computers and the Internet to conduct business and make purchases, and more companies are storing more data, it is more important than ever that the proper steps are taken to secure and protect personally identifiable information and other sensitive data. It is bad for companies, individuals, and the economy at large if consumer confidence is eroded by having their personal information exposed or compromised.
The information security field has a number of laws and regulations to adhere to. Depending on what industry a company does business in, they may fall under Sarbanes-Oxley (SOX), the Gramm-Leach Bliley Act of 1999 (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and other regulatory mandates, or some combination thereof. However, as evidenced by the volume and continuing occurrence of data compromise and exposure, many organizations still fail to enforce adequate security measures.
These breaches are often targeted at consumer credit card information, and threatened to tarnish the reputation of the credit card industry, so the major credit card vendors banded together to develop the Payment Card Industry (PCI) Data Security Standards (DSS). In essence, the credit card industry has taken proactive steps "co assure the integrity and security of credit card data and transactions and maintain the public trust in credit cards as a primary means of transacting money. If you want to accept credit cards as payment or take part in any step of the processing of the credit card transaction, you must comply with the PCI DSS or face stiff consequences.
Unlike SOX or HIPAA, the PCI DSS are not a law; however, in many ways, they are more effective. Non-compliance won't land you in jail, but it can mean having your merchant status revoked. For some organizations, losing the ability to process credit card payments would drastically affect their ability to do business and possibly even bring about the death of the company.
There is nothing extraordinary or magical about the PCI DSS requirements, though. The guidelines spelled out are all essentially common sense that any organization should follow without being told. Even so, some of the requirements leave room for interpretation and complying with PCI DSS can be tricky.
Excerpted from PCI Compliance Copyright © 2007 by Elsevier, Inc. . Excerpted by permission of Syngress. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.
Meet the Author
Branden R. Williams (CISSP, CISM, CPISA, CPISM) leads an information security practice in a Global Security Consulting group at a major security firm in Flower Mound, TX and teaches in the NSA Certified Information Assurance program at the University of Dallas's Graduate School of Management. Branden has been involved in information technology since 1994, and focused on information security since 1996. He started consulting on payment security in 2004, assessing companies against the Visa CISP and Mastercard SDP programs. He has a Bachelors of Business Administration in Marketing from the University of Texas, Arlington, and a Masters of Business Administration in Supply Chain Management and Market Logistics from the University of Dallas.
Branden publishes a monthly column in the ISSA Journal entitled "Herding Cats," and authors a blog at http://www.brandenwilliams.com/.
Dr. Anton Chuvakin is a recognized security expert in the field of log management and PCI DSS compliance. He is an author of the books "Security Warrior" and "PCI
Compliance" and has contributed to many others, while also publishing dozens of papers on log management, correlation, data analysis, PCI DSS, and security management. His blog
(http://www.securitywarrior.org) is one of the most popular in the industry.
Additionaly, Anton teaches classes and presents at many security conferences across the world and he works on emerging security standards and serves on the advisory boards of several security start-ups. Currently, Anton is developing his security consulting practice,
focusing on logging and PCI DSS compliance for security vendors and Fortune 500 organizations.
Anton earned his Ph.D. from Stony Brook University.
Most Helpful Customer Reviews
See all customer reviews
"No. Stop this right now."
Walks in and says brb later in 20 minutes as he lays on the bed naked