PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance, 5th Edition
The Payment Card Industry Data Security Standard (PCI DSS) is now in its 18th year, and it is continuing to dominate corporate security budgets and resources. If you accept, process, transmit, or store payment card data branded by Visa, MasterCard, American Express, Discover, or JCB (or their affiliates and partners), you must comply with this lengthy standard.
Personal data theft is at the top of the list of likely cybercrimes that modern-day corporations must defend against. In particular, credit or debit card data is preferred by cybercriminals because they can find ways to monetize it quickly from anywhere in the world. Is your payment processing secure and compliant? The new Fifth Edition of PCI Compliance has been revised to follow the new PCI DSS version 4.0, which is a complete overhaul of the standard. Also new to the Fifth Edition are additional case studies and clear guidelines and instructions for maintaining PCI compliance globally, including coverage of technologies such as Kubernetes, cloud, near-field communication, point-to-point encryption, mobile, and EMV (Europay, MasterCard, and Visa). This is the first book to address the recent updates to PCI DSS and the only book you will need during your PCI DSS journey. The real-world scenarios and hands-on guidance will be extremely valuable, as will the community of professionals you will join after buying this book.
Each chapter has how-to guidance to walk you through implementing the concepts, and real-world scenarios to help you grasp how PCI DSS will affect your daily operations. This book provides the information you need to understand the current PCI Data Security Standards and the ecosystem that surrounds them, to implement security on network infrastructure effectively in order to comply with the credit card industry guidelines, and to protect sensitive and personally identifiable information. Our book puts security first as a way to enable compliance.
- Completely updated to follow the current PCI DSS version 4.0
- Packed with tips to develop and implement an effective PCI DSS and cybersecurity strategy
- Includes coverage of new and emerging technologies such as Kubernetes, mobility, and 3D Secure 2.0
- Both authors have broad information security backgrounds, including extensive PCI DSS experience
Contents:
- Front matter: Cover; Half Title; Title Page; Copyright Page; Contents; Foreword; Acknowledgments; Authors
- Chapter 1: About PCI DSS and This Book
  - Sections: Who Should Read This Book?; How to Use the Book in Your Daily Job; What This Book Is Not; Organization of the Book; Summary; Notes
- Chapter 2: Introduction to Fraud, Identity Theft, and Related Regulatory Mandates
  - Sections: Summary; Notes
- Chapter 3: Why Is PCI Here?
  - Sections: What Is PCI DSS and Who Must Comply?; Electronic Card Payment Ecosystem; Goal of PCI DSS; Applicability of PCI DSS; A Quick Note about Appendix A3; PCI DSS in Depth; Compliance Deadlines; Compliance and Validation; Something New, the Customized Approach; History of PCI DSS; PCI Council; QSAs; Additional PCI SSC Qualifications; PFIs; PCIPs; QIRs; ASVs; Quick Overview of PCI Requirements; How Changes to PCI DSS Happen; What’s New in PCI DSS 4.0; Customized Approach; Extra Guidance; New Countermeasures; Skimmers and Web Content; Authenticated Vulnerability Scanning; Inventory All the Things; Scope Reviews; In Place With Remediation; PCI DSS and Risk; Benefits of Compliance; Case Study; The Case of the Developing Security Program; The Case of the Confusing Validation Requirements; Summary; Notes
- Chapter 4: Determining and Reducing Your PCI Scope
  - Sections: The Basics of PCI DSS Scoping; Connected-To Systems; The “Gotchas” of PCI Scope; Scope Reduction Tips; Planning Your PCI Project; Case Study; The Case of the Leaky Data; The Case of the Entrenched Enterprise; Summary; Notes
- Chapter 5: Building and Maintaining a Secure Network
  - Sections: Which PCI DSS Requirements Are in This Domain?; Establish NSC Configuration Standards; Denying Traffic from Untrusted Networks and Hosts; Restricting Connections; Host or Network-Based Security Controls; Micro-Segmentation; Other Considerations for Requirement; The Oddball Requirement 11.5; Requirement 2: Defaults and Other Security Parameters; Develop Configuration Standards; Default Passwords; Simple Network Management Protocol Defaults; Delete Unnecessary Accounts; Implement Single Purpose Servers; Configure System Security Parameters; Encrypt Non-Console Administrative Access; What Else Can You Do to Be Secure?; Tools and Best Practices; Common Mistakes and Pitfalls; Egress Filtering; Documentation; System Defaults; Case Study; The Case of the Small, Flat Store Network; The Case of the Large, Flat Corporate Network; The Case of the Do Over; Summary
- Chapter 6: Strong Access Controls
  - Sections: Which PCI DSS Requirements Are in This Domain?; Principles of Access Control; Confidentiality; Integrity; Availability; Requirement 7: How Much Access Should a User Have?; Databases and Requirement 7.2.6; Requirement 8: Authentication Basics; Identification, Authentication, and Requirements 8.2.4–8.2.8 and 8.3.1–8.3.9; Locking Users Out: Requirements 8.2.8 and 8.3.4; Things Paired With Usernames; Rendering Passwords Unreadable in Transit and Storage; Password Design for PCI DSS: Requirements 8.3.5–8.3.9 and 8.3.11; MFA and Requirements 8.4–8.5; A Brief Word on System Accounts and Requirement 8.6; OAuth, OIDC, SSH Keys, and SSH Certs, OH MY!; Educating Users; Windows and PCI Compliance; Windows File Access Control; Finding Inactive Accounts in Active Directory; Enforcing Password Requirements in Windows on Standalone Computers; Enabling Password Protected Screen Savers on Standalone Windows Computers; Setting File Permissions on Standalone Windows Computers; POSIX (UNIX/Linux Systems) Access Control; Linux Enforce Password Complexity Requirements; Cisco and PCI Requirements; Cisco Enforce Session Timeout; Encrypt Cisco Passwords; Setting Up SSH in a Cisco Environment; Requirement 9: Physical Security; Handling Visitors: Requirement 9.3; Media and Physical Data Entry Points: Requirements 9.4; Protecting the Point of Interaction: Requirement 9.5; What Else Can You Do to Be Secure?; Tools and Best Practices; Random Password for Users; Common Mistakes and Pitfalls; Poor Documentation; Legacy Systems; Cloud and PaaS; Physical Access Monitoring; Case Study; The Case of the Stolen Database; The Case of the Loose Permissions; Summary; Note
- Chapter 7: Protecting Cardholder Data
  - Sections: What Is Data Protection and Why Is It Needed?; The Confidentiality, Integrity, and Availability Triad; Requirements Addressed in This Chapter; Requirement 3: Protect Stored Account Data; Requirement 3 Walk-Through; Encryption Methods for Data at Rest; File- or Folder-Level Encryption; Full-Disk Encryption; Database (Table-, Column-, or Field-Level) Encryption; PCI and Key Management; What Else Can You Do to Be Secure?; Requirement 4 Walk-Through; Transport Layer Security; IPsec Virtual Private Networks; Miscellaneous Card Transmission Rules; Requirement 12 Walk-Through; How to Become Compliant and Secure; Step 1: Identify Business Processes With Card Data; Step 2: Shrink the Scope; Step 3: Identify Where Data Is Stored; Step 4: Determine What to Do About Your Data; Step 5: Determine Who Needs Access; Step 6: Develop and Document Policies; Common Mistakes and Pitfalls; Case Study; The Case of the Leaky Data; The Case of the Satellite Location; Summary; Note
- Chapter 8: Using Wireless Networking
  - Sections: What Is Wireless Network Security?; Where Is Wireless Network Security in PCI DSS?; Requirements 1, 11, and 12: Documentation; Actual Security of Wireless Devices: Requirements 2, 4, and; Logging and Wireless Networks: Requirement 10.3.3; Testing for Unauthorized Wireless: Requirement 11.2; Quarterly Sweeps or Wireless IDS/IPS: How to Choose; Why Do We Need Wireless Network Security?; Other Wireless Technologies; Tools and Best Practices; Common Mistakes and Pitfalls; Case Study; The Case of the Untethered Laptop; The Case of the Expansion Plan; The Case of the Double Secret Wireless Network; The Case of the Detached POS; Summary; Note
- Chapter 9: Vulnerability Management
  - Sections: PCI DSS Requirements Covered; Vulnerability Management in PCI; Stages of Vulnerability Management Process; Policy Definition; Data Acquisition; Prioritization; Mitigation; Requirement 5 Walk-Through; What to Do to Be Secure and Compliant?; Requirement 6 Walk-Through; Public-Facing Web Application Protection; Web Application Scanning (WAS); Web Application Firewalls (WAFs); Payment Pages; Change Management; Software Supply Chain Attacks; Requirement 11 Walk-Through; External Vulnerability Scanning With ASV; What Is an ASV?; Considerations When Picking an ASV; How ASV Scanning Works; Operationalizing ASV Scanning; What Should You Expect From an ASV?; Internal Vulnerability Scanning; Penetration Testing; Common PCI Vulnerability Management Mistakes; Case Study; PCI at a Retail Chain; PCI at an E-Commerce Site; Summary
- Chapter 10: Logging Events and Monitoring the Cardholder Data Environment
  - Sections: PCI Requirements Covered; Why Logging and Monitoring in PCI DSS?; Logging and Monitoring in Depth; PCI Relevance of Logs; Logging in PCI Requirement; Monitoring Data and Log for Security Issues; Logging and Monitoring in PCI, All Other Requirements; PCI DSS Logging Policies and Procedures; Building an Initial Baseline Manually; Guidance for Identifying “Known Bad” Messages; Main Workflow: Daily Log Review; Exception Investigation and Analysis; Validation of Log Review; PCI Compliance Evidence Package; Periodic Operational Task Summary; Daily Tasks; Tools for Logging in PCI; Other Monitoring Tools; Intrusion Detection and Prevention; Integrity Monitoring; Common Mistakes and Pitfalls; Case Study; The Case of the Risky Risk-Based Approach; The Case of Tweaking to Comply; Summary
- Chapter 11: Cloud and Virtualization
  - Sections: Cloud Basics; What Is the Cloud?; Cloud Badness; Cloud Changes Everything! But Does It?; Cloud Challenges and You; PCI Cloud Examples; So, Can I Use Cloud Resources in PCI DSS Environments?; Containers and Kubernetes; More Cloud for Better Security and Compliance?; Maintaining and Assessing PCI DSS in the Cloud; Enter the Matrix; Tools and Best Practices; Summary; Notes
- Chapter 12: Mobile
  - Sections: Where Is Mobility Addressed in PCI DSS 4.0?; What Guidance Is Available?; Deploying the Technology Safely; Case Study; The Case of the Summer Festival; Summary
- Chapter 13: PCI for the Small Business
  - Sections: The Risks of Credit Card Acceptance; New Business Considerations; Your POS Is Like My POS!; A Basic Scheme for SMB Hardening; Case Study; The Case of the Outsourcing Decision; Summary
- Chapter 14: PCI DSS for the Service Provider
  - Sections: The Definition of a Service Provider; Why Do Service Providers Have More Requirements?; Variation on a Theme, or What Service Providers Should Care About?; Service-Provider-Specific Requirements; Protect Account Data; Implement Strong Access Control Measures; Regularly Monitor and Test Networks; Maintain an Information Security Policy; Additional PCI DSS Requirements for Multi-Tenant Service Providers; Outdated SSL/TLS for Card-Present Terminals; Case Study; Summary
- Chapter 15: Managing a PCI DSS Project to Achieve Compliance
  - Sections: Justifying a Business Case for Compliance; Figuring Out If You Need to Comply; Compliance Overlap; Level of Validation; What Is the Cost for Non-Compliance?; Penalties for Non-Compliance; Bringing the Key Players to the Table; Obtaining Corporate Sponsorship; Forming Your Compliance Team; Roles and Responsibilities of Your Team; Getting Results Fast; Notes From the Front Line; Budgeting Time and Resources; Setting Expectations; Management’s Expectations; Establishing Goals and Milestones; Status Meetings; Educating Staff; Training Your Compliance Team; Training the Company on Compliance; Setting Up the Corporate Compliance Training Program; Project Quickstart Guide; The Steps; Step 1: Obtain Corporate Sponsorship; Step 2: Identify and Establish Your Team; Step 3: Determine Your PCI Level and Scope; Step 4: Complete a PCI DSS SAQ or Hire a QSA; Step 5: Set Up Quarterly External Network Scans From an Approved Scanning Vendor; Step 6: Get Validated by a QSA (or an ISA); Step 7: Perform a Gap Analysis; Step 8: Create PCI DSS Compliance Plan; Step 9: Prepare for Annual Assessment of Compliance Validation; The PCI DSS Prioritized Approach; The Visa TIP; Summary; Note
- Chapter 16: Don’t Fear the Assessor
  - Sections: Remember, Assessors Are Generally There to Help; Balancing Remediation Needs; How FAIL == WIN; Dealing With Assessors’ Mistakes; Planning for Remediation; Fun Ways to Use CVSS; Planning for Re-Assessing; Summary; Notes
- Chapter 17: The Art of Compensating Control
  - Sections: What Is a Compensating Control?; Where Are Compensating Controls in PCI DSS?; What a Compensating Control Is Not; Funny Controls You Didn’t Design; How to Create a Good Compensating Control; Case Studies; The Case of the Newborn Concierge; The Case of the Concierge Travel Agency; Summary
- Chapter 18: You’re Compliant, Now What?
  - Sections: Security Is a Process, Not an Event; Plan for Periodic Review and Training; PCI Requirements With Periodic Maintenance; Build and Maintain a Secure Network and Systems; Protect Account Data; Maintain a Vulnerability Management Program; Implement Strong Access Control Measures; Regularly Monitor and Test Networks; Maintain an Information Security Policy; PCI Self-Assessment; Case Study; The Case of the Compliant Company; Summary
- Chapter 19: Emerging Technology and Alternative Payment Schemes
  - Sections: Emerging Payment Schemes; EMV; Mobile; Near-Field Communication (A.K.A., Tap & Go); The Payment Account Reference; Square, Paypal, and Intuit; Google Checkout, Paypal, and Stripe; 3-D Secure; Bitcoin, Ethereum, and Crypto; Predictions; Taxonomy and Tidbits; EMV; Europe versus the US versus the Rest of the World; One-Time Use Cards; Customer Experience; Case Study; The Case of the Cashless Cover Charge; Summary; Note
- Chapter 20: PCI DSS Myths and Misconceptions
  - Sections: Myth 1: PCI Doesn’t Apply to Me; A Perfect Example of Myth 1 at Work!; Myth 2: PCI Is Confusing and Ambiguous; Myth 3: PCI DSS Is Too Onerous; Myth 4: Breaches Prove PCI DSS to Be Irrelevant; Myth 5: PCI Is All We Need for Security; Myth 6: PCI DSS Is Really Easy; Myth 7: My Tool Is PCI Compliant, Thus I Am Compliant; Myth 8: PCI Is Toothless; Case Study; The Case of the Cardless Merchant; Summary; Notes
- Chapter 21: Final Thoughts
  - Sections: A Quick Summary; Timelines; Compensating Controls and the Customized Approach; We Play Catch-Up; The Challenging Ones; On Time Travel; Interact With Us!
- Back matter: Index by Requirement; Alphabetical Index