PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance
Identity theft has been steadily rising in recent years, and credit card data is one of the top targets for identity thieves. With a few pieces of key information. Organized crime has made malware development and computer network attacks more professional, and better defenses are necessary to protect against attack. The credit card industry established the PCI Data Security Standard to provide a baseline expectation for how vendors, or any entity that handles credit card transactions or data, should protect that data to ensure it is not stolen or compromised. This book provides the information you need to understand the PCI Data Security Standard and how to effectively implement security on the network infrastructure in order to be compliant with the credit card industry guidelines and protect sensitive and personally identifiable information.

- PCI Data Security Standards apply to every company globally that processes or transmits credit card transaction data
- Information to develop and implement an effective security strategy to keep infrastructures compliant
- Well-known authors with extensive information security backgrounds

Product Details

ISBN-13: 9780080556383
Publisher: Syngress Publishing
Publication date: 04/18/2011
Sold by: Barnes & Noble
Format: eBook
Pages: 352
File size: 4 MB

About the Author

Dr. Anton Chuvakin is a recognized security expert in the field of log management and PCI DSS compliance. He is an author of the books "Security Warrior" and "PCI Compliance" and has contributed to many others, while also publishing dozens of papers on log management, correlation, data analysis, PCI DSS, and security management. His blog (http://www.securitywarrior.org) is one of the most popular in the industry. Additionally, Anton teaches classes and presents at many security conferences across the world, and he works on emerging security standards and serves on the advisory boards of several security start-ups. Currently, Anton is developing his security consulting practice, focusing on logging and PCI DSS compliance for security vendors and Fortune 500 organizations. Anton earned his Ph.D. from Stony Brook University.

Branden R. Williams (CISSP, CISM, CPISA, CPISM) leads an information security practice in a Global Security Consulting group at a major security firm in Flower Mound, TX and teaches in the NSA Certified Information Assurance program at the University of Dallas's Graduate School of Management. Branden has been involved in information technology since 1994, and focused on information security since 1996. He started consulting on payment security in 2004, assessing companies against the Visa CISP and Mastercard SDP programs. He has a Bachelor of Business Administration in Marketing from the University of Texas, Arlington, and a Master of Business Administration in Supply Chain Management and Market Logistics from the University of Dallas. Branden publishes a monthly column in the ISSA Journal entitled "Herding Cats," and authors a blog at http://www.brandenwilliams.com/.
Tony Bradley (CISSP-ISSAP) is the Guide for the Internet/Network Security site on About.com, a part of The New York Times Company. He has written for a variety of other Web sites and publications, including BizTech Magazine, PC World, SearchSecurity.com, WindowsNetworking.com, Smart Computing magazine, and Information Security magazine. Tony is a CISSP (Certified Information Systems Security Professional) and ISSAP (Information Systems Security Architecture Professional). He is Microsoft Certified as an MCSE (Microsoft Certified Systems Engineer) and MCSA (Microsoft Certified Systems Administrator) in Windows 2000 and an MCP (Microsoft Certified Professional) in Windows NT. Tony is recognized by Microsoft as an MVP (Most Valuable Professional) in Windows security. On his About.com site, Tony has on average over 600,000 page views per month and over 30,000 subscribers to his weekly newsletter. Tony was also author of Essential Computer Security: Everyone's Guide to E-mail, Internet, and Wireless Security (ISBN: 1597491144).
Anatoly Elberg, QSA, CISSP, has over 10 years of experience and is an accomplished security professional. His focus includes IT governance, regulatory compliance, and risk management. Anatoly has implemented strategic information security management programs for large technology, financial, retail, and telecommunications companies. Currently he is a Principal Consultant and a regional security practice lead at BT INS. Anatoly has been working with Visa's Cardholder Information Security Program (CISP) requirements since 2004, and is certified by the PCI Security Standards Council as a Qualified Security Assessor (QSA). In addition, Anatoly holds the CISSP, MCSE, CHSP, NSA IAM, and NSA IEM certifications. He has a bachelor's degree from the University of Texas at Austin, and is a member of the Information Systems Audit and Control Association (ISACA).
James D. Burton Jr., CISSP, CISA, CISM, GSNA, is a Sr. I.T. Security Professional with over 12 years in the field. He is a well-known subject matter expert in the areas of IT security, information assurance and IT audit, and has worked as a consultant, trainer, and an adjunct professor. He has worked on projects or trained for major companies and organizations including Citibank, Global Healthcare Exchange, Idea Integration, Agilent Technologies, Northrop Grumman, SRS Technologies, Secure Banking Services, IP3, Inc. and the U.S. Marine Corps. He was an adjunct professor for Colorado Technical University, where he taught courses on foundations of security and security management at the bachelor and master level. James has an M.S. in Computer Science from Colorado Technical University (2002). He was also a contributing author to Cisco Security Professional's Guide to Secure Intrusion Detection Systems (Syngress, 2003). James is currently working with Secure Banking Services performing IT audit services to the financial industry and is a trainer for IP3, Inc.
Brian Freedman (CISSP, MCSE, CCNA) is a Sr. Systems Engineer for WareOnEarth Communications, Inc. WareOnEarth is a leading information technology company providing expertise in Information Assurance, System Integration, Network Engineering, and Enterprise Architecture & Infrastructure. Brian currently serves as the Technical Services Team Lead for the United States Navy Medicine Enterprise Services Operation Center. With over 15 years of experience, his specialties include Active Directory, Microsoft Exchange, Microsoft Windows Servers, Microsoft Office SharePoint Server, Virtualization, Cisco networking, voice over IP, Data Center Design and Maintenance, and HIPAA and PCI DSS compliance efforts. Brian holds a bachelor's degree from the University of Miami, is pursuing his Master of Science in Information Systems degree from Strayer University, and currently resides in Charleston, South Carolina.
David King (CISSP) is the CEO of Remote Checkup, Inc. He has worked with credit card industry security standards since 2004. As the IT director of an e-commerce company, he helped it comply with these standards. Since then he has built a company from the ground up that has become a PCI Approved Scanning Vendor. He currently consults with companies to help them meet PCI requirements using open source solutions whenever possible. Leveraging his background in system administration and coding, he also helps companies develop custom solutions that bridge gaps in compliance. David has taught courses in system administration, networking, and security at a local college. He holds a bachelor's degree in computer science from Brigham Young University.
Scott Paladino (CISSP) is a security architect with EDS (www.eds.com), a leading global technology services company. He is the Engineering Organization Leader at EDS supporting identity, access, and other security solutions across a variety of industries.
Paul Schooping (CISSP) is a Security Engineer for a leading global technology services company. He currently participates in the design, implementation, and support of global security and privacy solutions. Paul's background includes experience as the Global Antivirus and Vulnerability Manager for a Fortune 500 company and the development of an enterprise Emergency Security Response Team. His specialties include antivirus, vulnerability assessment, reverse engineering of malware, and encryption technologies. Paul holds a bachelor's degree in psychology and formerly served in multiple youth ministry positions.

Read an Excerpt

PCI Compliance

Implementing Effective PCI Data Security Standards

Syngress

Copyright © 2007 Elsevier, Inc.
All rights reserved.

ISBN: 978-0-08-055638-3


Chapter One

About PCI and This Book

Introduction

There are plenty of standards and regulations out there. If you are a publicly traded company in the United States, you must adhere to the Sarbanes-Oxley (SOX) mandates. If you are in the health care industry, your network must comply with the Health Insurance Portability and Accountability Act (HIPAA) standards. The list goes on.

The bottom line is that organizations need to secure and protect their networks. In some cases, weak network security may only affect the company. However, when the data on the corporate network contains personal information about patients, customers, or employees, a breach of security can have implications far beyond the company.

The credit card industry banded together to develop the Payment Card Industry (PCI) Data Security Standards (DSS) to ensure that credit card customer information is adequately protected and to protect the industry. Breaches of customer information lead to lost money and damaged reputations, and the credit card industry wants to protect itself from financial loss or eroded consumer confidence in credit cards as a means of transacting money.

This book will explain the PCI DSS guidelines to you. However, it will do so in a broader, more holistic approach. The goal of this book is to not only teach you the PCI DSS requirements, but to help you understand how the PCI DSS requirements fit into an organization's network security framework, and how to effectively implement network security controls so that you can be both compliant and secure.

Who Should Read This Book?

Every company that accepts credit card payments, processes credit card transactions, stores credit card data, or in any other way touches personal or sensitive data associated with credit card payment processing, is affected by the PCI DSS. Virtually all businesses, no matter how big or how small, need to understand the scope of the PCI DSS and how to implement network security that is compliant with the PCI guidelines, or face penalties or the possibility of having their merchant status revoked and potentially being banned from accepting or processing credit cards.

Even with such a broad audience compelled to comply with the PCI DSS, this book had to be written for a specific technical level. The book could have been written in very simple terms in order to educate the general population about PCI DSS. We could have written an in-depth technical tome providing every bit of detail a network engineer or security administrator might need to configure and implement compliance. Instead, this book is more of a strategic business guide to help executive management understand the implications of PCI DSS and what it takes to be compliant.

This book is for the Information Technology (IT) managers and company executives who need to understand how the PCI DSS apply to them. It is for the small- and medium-size business that doesn't have an IT department to delegate to, and for organizations that need to grasp the concepts of PCI DSS and how to implement an effective security framework that is compliant. This book is intended as an introduction to PCI, but with a deeper and more technical understanding of how to put it into action.

Organization of the Book

Each chapter of the book is designed to provide you the information you need to know in a way that you can easily understand and apply. To aid in that goal, the chapters have a consistent look and feel and are each made up of the same basic sections, listed here.

Solutions In This Chapter

At the beginning of each chapter is a bulleted list called Solutions In This Chapter. This list shows you a high-level overview of the concepts that are covered in this chapter and what you can expect to learn.

Summary

Every chapter has a summary. As the name implies, the summary summarizes the information covered in the chapter and provides a brief recap of the concepts discussed to reinforce what you read, or to help you identify areas that you may need to re-read if you don't feel you understand them yet.

Solutions Fast Track

The Solutions Fast Track provides a bulleted outline of the pertinent points and key information covered in the chapter. This section can be used as a sort of study guide or reminder system to help trigger your brain to recall the information, or to review in one short list the key points from the chapter.

Frequently Asked Questions

Frequently asked questions contain questions designed to clarify areas of potential confusion from the chapter or reinforce the information that was covered. This section can also serve as a sort of mini-quiz to demonstrate that you grasp the concepts and information discussed in the chapter.

Chapter Descriptions

This section provides a brief description of the information covered in each chapter:

* Chapter 1: Foreword - A discussion of the state of credit card data security and how this book came about.

* Chapter 2: Introduction - A brief look at the target audience of the book, as well as an overview of the chapter formats and content.

* Chapter 3: Why PCI Is Important - An overview of PCI DSS and why the credit card industry was compelled to create it. This chapter also includes some discussion about the benefits of PCI DSS compliance and the risks and consequences of non-compliance.

* Chapter 4: Building and Maintaining a Secure Network - The first step in protecting any kind of data, and for PCI DSS compliance, is to have a secure network in the first place. This chapter discusses the basic components of a secure network and lays the foundation for building the rest of your PCI DSS compliance.

* Chapter 5: Protect Cardholder Data - This chapter explains how to protect data that is stored on your network, as well as how to protect data while it is in transit. It also covers access controls and logging so that you can determine who accessed a given file and whether or not they were authorized to do so.

* Chapter 6: Logging Access and Events - A discussion about how to configure logging and event auditing to capture the information you need to be able to demonstrate and maintain PCI compliance.

* Chapter 7: Strong Access Control - This chapter covers one of the most important aspects of PCI DSS compliance: access controls. The information in this chapter includes the need to restrict access to only those individuals that need it, as well as restricting physical access to computer systems.

* Chapter 8: Vulnerability Management - Performing vulnerability assessments to identify weaknesses in systems and applications, and how to mitigate or remediate the vulnerabilities to protect and secure your data.

* Chapter 9: Monitoring and Testing - How to monitor your network and test your security controls to ensure your network is protected and compliant.

* Chapter 10: How To Plan a Project To Meet Compliance - An overview of the steps involved and tasks necessary to implement a successful PCI compliance project. This chapter includes a discussion of the basic elements that should be included in any future projects as well, to proactively ensure they are PCI compliant.

* Chapter 11: Responsibilities - An effective incident response process requires that the groups and individuals responsible for responding understand their roles. This chapter discusses the different components of incident response and how to respond effectively to breaches of PCI DSS.

* Chapter 12: Planning to Fail Your First Audit - Understand that an auditor is there to work with you to achieve compliance. They are not the enemy. This chapter explains how to use the findings from a failed audit to ensure compliance.

* Chapter 13: You're Compliant! Now What? - This chapter covers the details you need to keep in mind once you have achieved compliance. Security is not as simple as just getting it implemented. You have to monitor and maintain it. This chapter contains information about ongoing training and periodic reviews, as well as how to conduct a self-audit to ensure continued compliance.

Chapter Two

Introduction to Fraud, ID Theft, and Regulatory Mandates

By Tony Bradley, CISSP-ISSAP, Microsoft MVP (Windows Security), BT INS Security Consultant

Credit card fraud and identity theft are both epic problems that continue to grow each year. Certainly, credit card fraud and identity theft pre-date the age of the Internet. It is an ironic fact that the things that make your life easier, improve efficiency, and make things more convenient, also make crime easier, efficient, and more convenient.

Criminals have gone high-tech and they have discovered that there is a significant amount of money to be acquired with very little risk. Hacking a company database or orchestrating a phishing attack while sitting in your pajamas eating chocolate ice cream in the living room of your house has much more appeal than robbing banks or convenience stores, and the risk of getting shot or killed is much lower. Depending on the company being targeted, the sophistication of the attack, and sometimes sheer luck, the high-tech crime may also be significantly more lucrative than traditional armed robbery.

Malicious software (malware) and cyber-criminals are not the only threat. Sadly, the very companies and organizations that are entrusted with sensitive information are often to blame. Consumers and businesses are faced with a wide variety of threats to their data and personal information on any given day. Spyware, phishing attacks, and robot networks (botnets) are all computer attacks that are on the rise and pose a significant threat to users as they connect to the Web and use their computers. However, those threats pale in comparison with the amount of personally identifiable information and sensitive data that has been compromised through carelessness or negligence by corporations.

According to some sources, more than 50 million individual records were exposed in 2005, through the loss of mobile devices or portable storage media, or by attackers gaining access to the corporate network and extracting the data themselves. A security breach at CardSystems in June 2005 was responsible for 40 million of the 50 million total. Early in 2007, a security breach at TJX Companies, the parent of retail establishments such as T.J. Maxx, Bob's, Marshall's, HomeGoods, and A.J. Wright, may potentially have exposed more credit information and individual account data than even the 40 million records compromised at CardSystems. Some estimates place the TJX breach at over 50 million compromised accounts by itself.

In an era when more consumers are using computers and the Internet to conduct business and make purchases, and more companies are storing more data, it is more important than ever that the proper steps are taken to secure and protect personally identifiable information and other sensitive data. It is bad for companies, individuals, and the economy at large if consumer confidence is eroded by having their personal information exposed or compromised.

The information security field has a number of laws and regulations to adhere to. Depending on what industry a company does business in, they may fall under Sarbanes-Oxley (SOX), the Gramm-Leach Bliley Act of 1999 (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and other regulatory mandates, or some combination thereof. However, as evidenced by the volume and continuing occurrence of data compromise and exposure, many organizations still fail to enforce adequate security measures.

These breaches often target consumer credit card information and threaten to tarnish the reputation of the credit card industry, so the major credit card vendors banded together to develop the Payment Card Industry (PCI) Data Security Standards (DSS). In essence, the credit card industry has taken proactive steps to assure the integrity and security of credit card data and transactions and maintain the public trust in credit cards as a primary means of transacting money. If you want to accept credit cards as payment or take part in any step of the processing of a credit card transaction, you must comply with the PCI DSS or face stiff consequences.

Unlike SOX or HIPAA, the PCI DSS are not a law; however, in many ways, they are more effective. Non-compliance won't land you in jail, but it can mean having your merchant status revoked. For some organizations, losing the ability to process credit card payments would drastically affect their ability to do business and possibly even bring about the death of the company.

There is nothing extraordinary or magical about the PCI DSS requirements, though. The guidelines spelled out are all essentially common sense that any organization should follow without being told. Even so, some of the requirements leave room for interpretation and complying with PCI DSS can be tricky.

(Continues...)



Excerpted from PCI Compliance, Copyright © 2007 by Elsevier, Inc. Excerpted by permission of Syngress. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.

Table of Contents

1: Foreword
2: Introduction
3: Why PCI Is Important
4: Build & Maintain a Secure Network
5: Protect Cardholder Data
6: Vulnerability Management
7: Strong Access Control
8: Logging Access & Events
9: Monitor & Test
10: Monitoring Information Security Policy
11: How to Plan a Project to Meet Compliance
12: Leveraging PCI Compliance Efforts with Other Compliance Requirements
13: Responsibilities
14: Preparing to Fail Your First Test
15: You're Compliant, Now What

What People are Saying About This

From the Publisher

Practical PCI compliance explained: PCI lessons, guidance, tips and tricks for those in the trenches dealing with PCI challenges
