PCI Compliance

Understand and Implement Effective PCI Data Security Standard Compliance

Tony Bradley, James D. Burton, Jr., Anton Chuvakin, Anatoly Elberg, Brian Freedman, David King, Scott Paladino, Paul Schooping

Publisher: Syngress, 2007, 329 pages

ISBN: 978-1-59749-165-5

Keywords: Information Security

Last modified: Nov. 15, 2008, 12:16 a.m.

Synopsis

Identity theft has been steadily rising in recent years, and credit card data is one of the primary targets for identity theft. With a few pieces of key information, organized crime has made malware development and computer networking attacks more professional and better defenses are necessary to protect against attack. The credit card industry established the PCI Data Security standards to provide a baseline expectancy for how vendors, or any entity that handles credit card transactions or data, should protect data to ensure it is not stolen or compromised. This book will provide the information that you need to understand the PCI Data Security standards and how to effectively implement security on the network infrastructure in order to be compliant with the credit card industry guidelines and protect sensitive and personally identifiable information.

Table of Contents

  • Chapter 1 About PCI and This Book
    • Introduction
      • Who Should Read This Book?
      • Organization of the Book
        • Solutions In This Chapter
        • Summary
        • Solutions Fast Track
        • Frequently Asked Questions
      • Chapter Descriptions
  • Chapter 2 Introduction to Fraud, ID Theft, and Regulatory Mandates
  • Chapter 3 Why PCI Is Important
    • Introduction
    • What is PCI?
      • Who Must Comply With the PCI?
      • Dates to Remember
      • Compliance Process
      • Roots of PCI
      • More about PCI Co
      • Approved Assessor and Scanner Companies
      • Qualified Security Assessors
    • Overview of PCI Requirements
    • Risks and Consequences
    • Benefits of Compliance
    • Summary
    • Solutions Fast Track
    • Frequently Asked Questions
  • Chapter 4 Building & Maintaining a Secure Network
    • Introduction
    • Installing and Maintaining a Firewall Configuration
      • Firewall Overview
        • Packet-filtering Firewalls
        • Proxy Firewalls
        • Stateful Inspection Firewalls
      • Firewall Architectures
        • Dual-Homed Host
        • Screened Host
        • Screened Subnet
        • Dual Firewall Configuration
      • PCI DSS Requirements
        • Establish Firewall Configuration Standards
        • Build Secure Firewall Configurations
    • Choosing an Intrusion Detection or Intrusion Prevention System
      • Intrusion Detection Systems
      • Intrusion Prevention Systems
    • Antivirus Solutions
      • Gateway Protection
      • Desktop and Server Protection
    • System Defaults and Other Security Parameters
      • Default Passwords
      • SNMP Defaults
      • Delete Unnecessary Accounts
      • Wireless Considerations
      • Develop Configuration Standards
        • Implement Single Purpose Servers
        • Configure System Security Parameters
        • Disable and Remove Unnecessary Services, Protocols and Functionality
        • Encrypt Non-console Administrative Access
        • Hosting Providers Must Protect Hosted Environment
    • Summary
    • Solutions Fast Track
    • Frequently Asked Questions
  • Chapter 5 Protect Cardholder Data
    • Protecting Cardholder Data
      • The CIA Triad
    • PCI Requirement 3: Protect Stored Cardholder Data
      • Encryption Methods for Data at Rest
        • File- or Folder-level Encryption
        • Full Disk Encryption
        • Implications
        • Database (Column-level) Encryption
        • Overview
        • Other Encryption Method Considerations
    • PCI Requirement 4 — Encrypt Transmission  of Cardholder Data Across Open, Public Networks
      • Requirement 4.1 — Cryptography and Protocols
        • SSL/TLS
        • Securing Wireless Networks Transmitting Cardholder Data
        • Defining WiFi
    • Using Compensating Controls
      • Compensating Controls for Requirement 3.4
        • Provide Additional Segmentation/Abstraction (e.g., at the Network Layer)
        • Provide Ability to Restrict Access to Cardholder Data or Databases
        • Restrict Logical Access to the Database
        • Prevent/Detect Common Application or Database Attacks
        • Overview
    • Mapping Out a Strategy
      • Step 1 — Identify and Classify Information
      • Step 2 — Identify Where the Sensitive Data is Located
      • Step 3 — Determine Who and What Needs Access
      • Step 4 — Develop Policies Based On What You Have Identified
    • The Absolute Essentials
      • Keep Cardholder Storage to a Minimum
      • Do Not Store Sensitive Authentication Data Subsequent to Authorization
      • Mask the PAN When Displayed
      • Render PAN (at Minimum) Unreadable Anywhere it is Stored
      • Protect Encryption Keys Used for Encryption of Cardholder Data Against Both Disclosure and Misuse
    • Summary
    • Solutions Fast Track
    • Frequently Asked Questions
  • Chapter 6 Logging Access & Events Chapter
    • Introduction to Logging
      • Tools and Traps
      • PCI Relevance of Logs
    • Logging in PCI Requirement 10
      • Are You Owned
    • Logging in PCI — All Other Requirements
    • Tools for Logging in PCI
      • Alerts - Used For Real-time Monitoring of In-scope Servers
      • Reports — Used for Daily Review of Pre-analyzed Data
    • Case Studies
    • Summary
    • Solutions Fast Track
    • Frequently Asked Questions
  • Chapter 7 Strong Access Control
    • Introduction
    • Principles of Access Control
      • Integrity
      • Confidentiality
      • Availability
      • How Much Access Should a User Should Have
    • Authentication and Authorization
      • Authentication
        • Multi-factor Authentication
        • Passwords
        • PCI Compliant Passwords
        • Educating Users
      • Authorization
    • PCI and Access Control
      • Processes for PCI Compliance
    • Configuring Systems to Enforce PCI Compliance
      • Windows and PCI Compliance
        • Windows File Access Control
        • Creating a New Group Policy Object
        • Enforcing a PCI Compliant Password
        • Policy in Windows Active Directory
        • Configuring Account Lockout in Active Directory
        • Setting Session Timeout and Password-protected Screen Savers in Active Directory
        • Setting File Permissions Using GPOs
        • Finding Inactive Accounts in Active Directory
        • Enforcing Password Requirements in Window on Standalone Computers
        • Enabling Password Protected Screen Savers on Standalone Windows Computers
        • Setting File Permissions on Standalone Windows Computers
      • Posix (Unix/Linux-like Systems) Access Control
      • Linux Enforce Password Complexity Requirements
      • Cisco and PCI Requirements
        • CISCO Enforce Session Timeout
        • Encrypt Cisco Passwords
      • Database Access and PCI Requirements
    • Physical Security
      • Visitors
      • Physical Security and Media
    • Summary
    • Solutions Fast Track
    • Frequently Asked Questions
  • Chapter 8 Vulnerability Management
    • Introduction
    • Vulnerability Management in PCI
    • Requirement 5 Walkthrough
    • Requirement 6 Walkthrough
    • Requirement 11 Walkthrough
    • Common PCI Vulnerability Management Mistakes
    • Case Studies
      • PCI at a Retail Chain
      • PCI at an E-commerce Site
    • Summary
    • Solutions Fast Track
    • Frequently Asked Questions
  • Chapter 9 Monitoring and Testing
    • Introduction
    • Monitoring Your PCI DSS Environment
      • Establishing Your Monitoring Infrastructure
        • Time
        • Identity Management
        • Event Management Storage
      • Determining What You Need to Monitor
        • Applications Services
        • Infrastructure Components
      • Determining How You Need to Monitor
      • Deciding Which Tools Will Help You Best
    • Auditing Network and Data Access
      • Searching Your Logs
    • Testing Your Monitoring Systems and Processes
      • Network Access Testing
      • Penetration Testing
      • Intrusion Detection and Prevention
        • Intrusion Detection
        • Intrusion Prevention
      • Integrity Monitoring
        • What are You Monitoring?
    • Solutions Fast Track
    • Frequently Asked Questions
  • Chapter 10 How to Plan a Project to Meet Compliance
    • Introduction
    • Justifying a Business Case for Compliance
      • Figuring Out If You Need to Comply
        • Compliance Overlap
      • The Level of Compliance
      • What is the Cost for Non-compliance?
        • Penalties for Non-compliance
    • Bringing All the Players to the Table
      • Obtaining Corporate Sponsorship
      • Forming Your Compliance Team
        • Roles and Responsibilities of Your Team
      • Getting Results Fast
    • Helping to Budget Time and Resources
        • Setting Expectations
          • Management's Expectations
        • Establishing Goals and Milestones
        • Having Status Meetings
      • How to Inform/Train Staff on Issues
        • Training Your Compliance Team
        • Training the Company on Compliance
          • Setting Up the Corporate Compliance Training Program
    • Where to Start: The First Steps
      • The Steps
        • Step 1: Obtain Corporate Sponsorship
        • Step 2: Identify and Establish Your Team
        • Step 3: Determine your PCI Merchant Level
        • Step 4: Complete the PCI DSS Self-assessment Questionnaire
        • Step 5: Get an External Network Scan from an Approved Scanning Vendor
        • Step 6: Get Validation from a Qualified Security Assessor
        • Step 7: Perform a Gap Analysis
        • Step 8: Create PCI DSS Compliance Plan
        • Step 9: Prepare for Annual Audit of Compliance Validation
    • Summary
    • Solutions Fast Track
    • Frequently Asked Questions
  • Chapter 11 Responsibilities
    • Introduction
    • Whose Responsibility Is It?
      • CEO
      • CISO
      • CIO
      • Security and System Administrators
      • Additional Resources
    • Incident Response
      • Incident Response Team
      • Incident Response Plan
      • Forensics
      • Notification
      • Liabilities
    • Business Continuity
    • Summary
    • Frequently Asked Questions
  • Chapter 12 Planning to Fail Your First Audit
    • Introduction
    • Remember, Auditors Are There to Help You
    • Dealing With Auditor's Mistakes
    • Planning for Remediation
    • Planning For Your Retest
    • Summary
    • Solutions Fast Track
    • Frequently Asked Questions
  • Chapter 13 You're Compliant, Now What
    • Introduction
    • Security is a Process, Not an Event
    • Plan for Periodic Review and Training, Don't Stop Now!
    • PCI Self-Audit
      • Requirement 1
        1. Policy Checks
        2. Policy Checks
        3. Hands-on Assessments
        4. Policy Checks
        5. Hands-on Assessments
        6. Policy Check
        7. Hands-on Assessment
        8. Policy Check
        9. Hands-on Assessment
      • Requirement 2
        1. Policy Checks
        2. Hands-on Assessment
        3. Policy Checks
        4. Hands-on Assessments
        5. Policy Checks
        6. Hands-on Assessments
        7. Policy Checks
        8. Hands-on Assessments
      • Requirement 3
        1. Policy Checks
        2. Hands-on Assessments
        3. Policy Checks
        4. Hands-on Assessments
        5. Policy Checks
        6. Hands-on Assessments
        7. Policy Checks
        8. Hands-on Assessments
        9. Policy Checks
        10. Hands-on Assessments
        11. Policy Checks
        12. Hands-on Assessments
      • Requirement 4
        1. Policy Checks
        2. Hands-on Assessments
        3. Policy Checks
        4. Hands-on Assessments
      • Requirement 5
        1. Policy Checks
        2. Hands-on Assessments
        3. Policy Checks
        4. Hands-on Assessments
      • Requirement 6
        1. Policy Checks
        2. Hands-on Assessment
        3. Policy Checks
        4. Hands-on Assessment
        5. Policy Checks
        6. Hands-on Assessment
        7. Policy Checks
        8. Hands-on Assessment
        9. Policy Checks
        10. Hands-on Assessment
        11. Policy Checks
        12. Hands-on Assessment
      • Requirement 7
        1. Policy Checks
        2. Hands-on Assessment
        3. Policy Checks
        4. Hands-on Assessment
      • Requirement 8
        1. Policy Checks
        2. Hands-on Assessment
        3. Policy Checks
        4. Hands-on Assessment
        5. Policy Checks
        6. Hands-on Assessment
        7. Policy Checks
        8. Hands-on Assessment
        9. Policy Checks
        10. Hands-on Assessment
      • Requirement 9
        1. Policy Checks
        2. Hands-on Assessment
        3. Policy Checks
        4. Hands-on Assessment
        5. Policy Checks
        6. Hands-on Assessment
        7. Policy Checks
        8. Hands-on Assessment
        9. Policy Checks
        10. Hands-on Assessment
        11. Policy Checks
        12. Hands-on Assessment
        13. Policy Checks
        14. Hands-on Assessment
        15. Policy Checks
        16. Hands-on Assessment
        17. Policy Checks
        18. Hands-on Assessment
        19. Policy Checks
        20. Hands-on Assessment
      • Requirement 10
        1. Policy Checks
        2. Hands-on Assessment
        3. Policy Checks
        4. Hands-on Assessment
        5. Policy Checks
        6. Hands-on Assessment
        7. Policy Checks
        8. Hands-on Assessment
        9. Policy Checks
        10. Hands-on Assessment
        11. Policy Checks
        12. Hands-on Assessment
        13. Policy Checks
        14. Hands-on Assessment
      • Requirement 11
        1. Policy Checks
        2. Hands-on Assessment
        3. Policy Checks
        4. Hands-on Assessment
        5. Policy Checks
        6. Hands-on Assessment
        7. Policy Checks
        8. Hands-on Assessment
        9. Policy Checks
        10. Hands-on Assessment
      • Requirement 12
        1. Policy Checks
        2. Hands-on Assessment
        3. Policy Checks
        4. Hands-on Assessment
        5. Policy Checks
        6. Hands-on Assessment
        7. Policy Checks
        8. Hands-on Assessment
        9. Policy Checks
        10. Hands-on Assessment
        11. Policy Checks
        12. Hands-on Assessment
        13. Policy Checks
        14. Hands-on Assessment
        15. Policy Checks
        16. Hands-on Assessment
        17. Policy Checks
        18. Hands-on Assessment
        19. Policy Checks
        20. Hands-on Assessment
    • Summary
    • Solutions Fast Track
    • Frequently Asked Questions

Reviews

PCI Compliance

Reviewed by Roland Buresund

Mediocre **** (4 out of 10)

Last modified: June 8, 2008, 5:40 p.m.

Opinion

Well, a boring book about a subject that could be made interesting.

After 20+ years in security, I know that the subject doesn't have to be boring. Unfortunately, the authors of this book doesn't understand this simple fact. The book covers the subject, but a bit haphazard, and is only saved by the fact that very little literature exists on the subject at hand. It's not bad, but definitely not something to read voluntary.

Comments

There are currently no comments

New Comment

required

required (not published)

optional

required

captcha

required