PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance

Overview

The credit card industry established the PCI Data Security Standards to provide a minimum standard for how vendors should protect data to ensure it is not stolen by fraudsters. PCI Compliance, 3e, provides the information readers need to understand the current PCI Data Security standards, which have recently been updated to version 2.0, and how to effectively implement security within your company to be compliant with the credit card industry guidelines and protect sensitive and personally identifiable information. Security breaches continue to occur on a regular basis, affecting millions of customers and costing companies millions of dollars in fines and reparations. That doesn’t include the effects such security breaches have on the reputation of the companies that suffer attacks. PCI Compliance, 3e, helps readers avoid costly breaches and inefficient compliance initiatives to keep their infrastructure secure.

• Provides a clear explanation of PCI.

• Provides practical case studies, fraud studies, and analysis of PCI.

• The first book to address version 2.0 updates to the PCI DSS, security strategy to keep your infrastructure PCI compliant.


Editorial Reviews

From the Publisher

"Williams and Chuvakin provide background on Version 2.0 of the Payment Card Industry Data Security Standard (PCI DSS), the minimum standard with which vendors must comply to ensure data security. They also provide instruction on how to implement security that is in compliance with industry guidelines and successfully ensures the safety of sensitive and personally identifiable information."--Reference and Research Book News, August 2013


Product Details

  • ISBN-13: 9781597499484
  • Publisher: Elsevier Science
  • Publication date: 8/27/2012
  • Edition number: 3
  • Pages: 360
  • Sales rank: 940,685
  • Product dimensions: 7.30 (w) x 9.00 (h) x 1.00 (d)

Meet the Author

Branden R. Williams (CISSP, CISM, CPISA, CPISM) leads an information security practice in a Global Security Consulting group at a major security firm in Flower Mound, TX, and teaches in the NSA Certified Information Assurance program at the University of Dallas's Graduate School of Management. Branden has been involved in information technology since 1994 and has focused on information security since 1996. He started consulting on payment security in 2004, assessing companies against the Visa CISP and Mastercard SDP programs. He holds a Bachelor of Business Administration in Marketing from the University of Texas, Arlington, and a Master of Business Administration in Supply Chain Management and Market Logistics from the University of Dallas.
Branden publishes a monthly column in the ISSA Journal entitled "Herding Cats" and authors a blog at http://www.brandenwilliams.com/.

Dr. Anton Chuvakin (http://www.chuvakin.org) is a recognized security expert in the field of log management and PCI DSS compliance. He is the author of the books "Security Warrior" and "PCI Compliance" and a contributor to "Know Your Enemy II", "Information Security Management Handbook" and others.
Anton has published dozens of papers on log management, correlation, data analysis, PCI DSS, and security management (see the list at www.info-secure.org). His blog, http://www.securitywarrior.org, is one of the most popular in the industry.
In addition, Anton teaches classes and presents at many security conferences across the world; he recently addressed audiences in the United States, UK, Singapore, Spain, Russia and other countries. He works on emerging security standards and serves on the advisory boards of several security start-ups.
Currently, Anton is developing his security consulting practice, focusing on logging and PCI DSS compliance for security vendors and Fortune 500 organizations. Dr. Anton Chuvakin was formerly a Director of PCI Compliance Solutions at Qualys. Previously, Anton worked at LogLogic as Chief Logging Evangelist, tasked with educating the world about the importance of logging for security, compliance and operations. Before LogLogic, Anton was employed by a security vendor in a strategic product management role. Anton earned his Ph.D. from Stony Brook University.


Read an Excerpt

PCI Compliance

Implementing Effective PCI Data Security Standards

Syngress

Copyright © 2007 Elsevier, Inc.
All rights reserved.

ISBN: 978-0-08-055638-3


Chapter One

About PCI and This Book

Introduction

There are plenty of standards and regulations out there. If you are a publicly traded company in the United States, you must adhere to the Sarbanes-Oxley (SOX) mandates. If you are in the health care industry, your network must comply with the Health Insurance Portability and Accountability Act (HIPAA) standards. The list goes on.

The bottom line is that organizations need to secure and protect their networks. In some cases, weak network security may only affect the company. However, when the data on the corporate network contains personal information about patients, customers, or employees, a breach of security can have implications far beyond the company.

The credit card industry banded together to develop the Payment Card Industry (PCI) Data Security Standards (DSS) to ensure that credit card customer information is adequately protected and to protect the industry. Breaches of customer information lead to lost money and damaged reputations, and the credit card industry wants to protect itself from financial loss or eroded consumer confidence in credit cards as a means of transacting money.

This book will explain the PCI DSS guidelines to you. However, it will do so in a broader, more holistic approach. The goal of this book is to not only teach you the PCI DSS requirements, but to help you understand how the PCI DSS requirements fit into an organization's network security framework, and how to effectively implement network security controls so that you can be both compliant and secure.

Who Should Read This Book?

Every company that accepts credit card payments, processes credit card transactions, stores credit card data, or in any other way touches personal or sensitive data associated with credit card payment processing, is affected by the PCI DSS. Virtually all businesses, no matter how big or how small, need to understand the scope of the PCI DSS and how to implement network security that is compliant with the PCI guidelines, or face penalties or the possibility of having their merchant status revoked and potentially being banned from accepting or processing credit cards.

Even with such a broad audience compelled to comply with the PCI DSS, this book had to be written for a specific technical level. The book could have been written in very simple terms in order to educate the general population about PCI DSS. We could have written an in-depth technical tome providing every bit of detail a network engineer or security administrator might need to configure and implement compliance. Instead, this book is more of a strategic business guide to help executive management understand the implications of PCI DSS and what it takes to be compliant.

This book is for the Information Technology (IT) managers and company executives who need to understand how the PCI DSS apply to them. It is for the small- and medium-size business that doesn't have an IT department to delegate to, and for organizations that need to grasp the concepts of PCI DSS and how to implement an effective security framework that is compliant. This book is intended as an introduction to PCI, but with a deeper and more technical understanding of how to put it into action.

Organization of the Book

Each chapter of the book is designed to provide you the information you need to know in a way that you can easily understand and apply. To aid in that goal, the chapters have a consistent look and feel and are each made up of the same basic sections, listed here.

Solutions In This Chapter

At the beginning of each chapter is a bulleted list called Solutions In This Chapter. This list shows you a high-level overview of the concepts that are covered in this chapter and what you can expect to learn.

Summary

Every chapter has a summary. As the name implies, the summary summarizes the information covered in the chapter and provides a brief recap of the concepts discussed to reinforce what you read, or to help you identify areas that you may need to re-read if you don't feel you understand them yet.

Solutions Fast Track

The Solutions Fast Track provides a bulleted outline of the pertinent points and key information covered in the chapter. This section can be used as a sort of study guide or reminder system to help trigger your brain to recall the information, or to review in one short list the key points from the chapter.

Frequently Asked Questions

Frequently asked questions contain questions designed to clarify areas of potential confusion from the chapter or reinforce the information that was covered. This section can also serve as a sort of mini-quiz to demonstrate that you grasp the concepts and information discussed in the chapter.

Chapter Descriptions

This section provides a brief description of the information covered in each chapter:

* Chapter 1: Foreword. A discussion of the state of credit card data security and how this book came about.

* Chapter 2: Introduction. A brief look at the target audience of the book, as well as an overview of the chapter formats and content.

* Chapter 3: Why PCI Is Important. An overview of PCI DSS and why the credit card industry was compelled to create it. This chapter also includes some discussion about the benefits of PCI DSS compliance and the risks and consequences of non-compliance.

* Chapter 4: Building and Maintaining a Secure Network. The first step in protecting any kind of data, and for PCI DSS compliance, is to have a secure network in the first place. This chapter discusses the basic components of a secure network and lays the foundation for building the rest of your PCI DSS compliance.

* Chapter 5: Protect Cardholder Data. This chapter explains how to protect data that is stored on your network, as well as how to protect data while it is in transit. It also covers access controls and logging so that you can determine who accessed a given file and whether or not they were authorized to do so.

* Chapter 6: Logging Access and Events. A discussion about how to configure logging and event auditing to capture the information you need to be able to demonstrate and maintain PCI compliance.

* Chapter 7: Strong Access Control. This chapter covers one of the most important aspects of PCI DSS compliance: access controls. The information in this chapter includes the need to restrict access to only those individuals that need it, as well as restricting physical access to computer systems.

* Chapter 8: Vulnerability Management. Performing vulnerability assessments to identify weaknesses in systems and applications, and how to mitigate or remediate the vulnerabilities to protect and secure your data.

* Chapter 9: Monitoring and Testing. How to monitor your network and test your security controls to ensure your network is protected and compliant.

* Chapter 10: How To Plan a Project To Meet Compliance. An overview of the steps involved and tasks necessary to implement a successful PCI compliance project. This chapter includes a discussion of the basic elements that should be included in any future projects as well, to proactively ensure they are PCI compliant.

* Chapter 11: Responsibilities. An effective incident response process requires that the groups and individuals responsible for responding understand their roles. This chapter discusses the different components of incident response and how to respond effectively to breaches of PCI DSS.

* Chapter 12: Planning to Fail Your First Audit. Understand that an auditor is there to work with you to achieve compliance. They are not the enemy. This chapter explains how to use the findings from a failed audit to ensure compliance.

* Chapter 13: You're Compliant! Now What? This chapter covers the details you need to keep in mind once you have achieved compliance. Security is not as simple as just getting it implemented. You have to monitor and maintain it. This chapter contains information about ongoing training and periodic reviews, as well as how to conduct a self-audit to ensure continued compliance.

Chapter Two

Introduction to Fraud, ID Theft, and Regulatory Mandates

By Tony Bradley, CISSP-ISSAP, Microsoft MVP-Windows Security, BT INS Security Consultant

Credit card fraud and identity theft are both epic problems that continue to grow each year. Certainly, credit card fraud and identity theft pre-date the age of the Internet. It is an ironic fact that the things that make your life easier, improve efficiency, and make things more convenient, also make crime easier, efficient, and more convenient.

Criminals have gone high-tech and they have discovered that there is a significant amount of money to be acquired with very little risk. Hacking a company database or orchestrating a phishing attack while sitting in your pajamas eating chocolate ice cream in the living room of your house has much more appeal than robbing banks or convenience stores, and the risk of getting shot or killed is much lower. Depending on the company being targeted, the sophistication of the attack, and sometimes sheer luck, the high-tech crime may also be significantly more lucrative than traditional armed robbery.

Malicious software (malware) and cyber-criminals are not the only threat. Sadly, the very companies and organizations that are entrusted with sensitive information are often to blame. Consumers and businesses are faced with a wide variety of threats to their data and personal information on any given day. Spyware, phishing attacks, and robot networks (botnets) are all computer attacks that are on the rise and pose a significant threat to users as they connect to the Web and use their computers. However, those threats pale in comparison with the amount of personally identifiable information and sensitive data that has been compromised through carelessness or negligence by corporations.

According to some sources, more than 50 million individual records were exposed in 2005, through the loss of mobile devices or portable storage media, or by attackers gaining access to the corporate network and extracting the data themselves. A security breach at CardSystems in June 2005 was responsible for 40 million of the 50 million total. Early in 2007, a security breach at TJX Companies, the parent of retail establishments such as T.J. Maxx, Bob's, Marshall's, HomeGoods, and A.J. Wright, may potentially have exposed more credit information and individual account data than even the 40 million records compromised at CardSystems. Some estimates place the TJX breach at over 50 million compromised accounts by itself.

In an era when more consumers are using computers and the Internet to conduct business and make purchases, and more companies are storing more data, it is more important than ever that the proper steps are taken to secure and protect personally identifiable information and other sensitive data. It is bad for companies, individuals, and the economy at large if consumer confidence is eroded by having their personal information exposed or compromised.

The information security field has a number of laws and regulations to adhere to. Depending on what industry a company does business in, they may fall under Sarbanes-Oxley (SOX), the Gramm-Leach Bliley Act of 1999 (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and other regulatory mandates, or some combination thereof. However, as evidenced by the volume and continuing occurrence of data compromise and exposure, many organizations still fail to enforce adequate security measures.

These breaches are often targeted at consumer credit card information and threaten to tarnish the reputation of the credit card industry, so the major credit card vendors banded together to develop the Payment Card Industry (PCI) Data Security Standards (DSS). In essence, the credit card industry has taken proactive steps to assure the integrity and security of credit card data and transactions and maintain the public trust in credit cards as a primary means of transacting money. If you want to accept credit cards as payment or take part in any step of the processing of the credit card transaction, you must comply with the PCI DSS or face stiff consequences.

Unlike SOX or HIPAA, the PCI DSS are not a law; however, in many ways, they are more effective. Non-compliance won't land you in jail, but it can mean having your merchant status revoked. For some organizations, losing the ability to process credit card payments would drastically affect their ability to do business and possibly even bring about the death of the company.

There is nothing extraordinary or magical about the PCI DSS requirements, though. The guidelines spelled out are all essentially common sense that any organization should follow without being told. Even so, some of the requirements leave room for interpretation and complying with PCI DSS can be tricky.

(Continues...)



Excerpted from PCI Compliance, Copyright © 2007 by Elsevier, Inc. Excerpted by permission of Syngress. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.


Table of Contents

CHAPTER 1. About PCI and This Book

CHAPTER 2. Introduction to Fraud, Data Theft, and Related Regulatory Mandates

CHAPTER 3. Why Is PCI Here?

CHAPTER 4. Determining and Reducing the PCI Scope

CHAPTER 5. Building and Maintaining a Secure Network

CHAPTER 6. Strong Access Controls

CHAPTER 7. Protecting Cardholder Data

CHAPTER 8. Using Wireless Networking

CHAPTER 9. Vulnerability Management

CHAPTER 10. Logging Events and Monitoring the Cardholder Data Environment

CHAPTER 11. PCI for the Small Business

CHAPTER 12. Managing a PCI DSS Project to Achieve Compliance

CHAPTER 13. Don’t Fear the Assessor

CHAPTER 14. The Art of Compensating Control

CHAPTER 15. You’re Compliant, Now What?

CHAPTER 16. Emerging Technology and Alternative Payment Schemes

CHAPTER 17. Myths and Misconceptions of PCI DSS
