PCI Compliance: Implementing Effective PCI Data Security Standards

Cover......Page 1
Copyright page......Page 2
Foreword......Page 3
Acknowledgments......Page 5
Authors......Page 7
Foreword Contributor......Page 8
1 About PCI and This Book......Page 9
Who Should Read This Book?......Page 11
Organization of the Book......Page 12
Summary......Page 13
2 Introduction to Fraud, ID Theft, and Regulatory Mandates......Page 16
Summary......Page 21
3 Why Is PCI Here?......Page 22
What Is PCI and Who Must Comply?......Page 23
Electronic Card Payment Ecosystem......Page 24
Goal of PCI DSS......Page 25
Compliance Deadlines......Page 28
Compliance and Validation......Page 30
History of PCI DSS......Page 33
PCI Council......Page 35
QSAs......Page 36
Quick Overview of PCI Requirements......Page 38
Changes to PCI DSS......Page 41
PCI DSS and Risk......Page 42
The Case of the Developing Security Program......Page 44
Summary......Page 46
References......Page 47
4 Building and Maintaining a Secure Network......Page 48
Which PCI DSS Requirements Are in This Domain?......Page 49
Establish Firewall Configuration Standards......Page 50
Denying Traffic from Untrusted Networks and Hosts......Page 51
Restricting Connections......Page 52
The Oddball Requirement 11.4......Page 54
Requirement 2: Defaults and Other Security Parameters......Page 56
Develop Configuration Standards......Page 58
Implement Single Purpose Servers......Page 59
Configure System Security Parameters......Page 60
Encrypt Nonconsole Administrative Access......Page 61
What Else Can You Do to Be Secure?......Page 62
Tools and Best Practices......Page 63
System Defaults......Page 64
The Case of the Small, Flat Store Network......Page 65
The Case of the Large, Flat Corporate Network......Page 66
Summary......Page 68
5 Strong Access Controls......Page 69
Principles of Access Control......Page 70
Requirement 7: How Much Access Should a User Have?......Page 72
Requirement 8: Authentication Basics......Page 73
Windows and PCI Compliance......Page 82
POSIX (UNIX/Linux-like Systems) Access Control......Page 95
Cisco and PCI Requirements......Page 97
Requirement 9: Physical Security......Page 99
What Else Can You Do To Be Secure?......Page 103
Random Password for Users......Page 105
Common Mistakes and Pitfalls......Page 106
The Case of the Stolen Database......Page 107
The Case of the Loose Permissions......Page 108
Summary......Page 110
6 Protecting Cardholder Data......Page 111
What Is Data Protection and Why Is It Needed?......Page 112
The Confidentiality, Integrity, Availability Triad......Page 113
PCI Requirement 3: Protect Stored Cardholder Data......Page 114
Requirement 3 Walk-through......Page 116
Encryption Methods for Data at Rest......Page 119
PCI and Key Management......Page 125
PCI Requirement 4 Walk-through......Page 127
Transport Layer Security and Secure Sockets Layer......Page 128
Wireless Transmission......Page 129
Misc Card Transmission Rules......Page 130
Requirement 12 Walk-through......Page 131
How to Become Compliant and Secure......Page 134
Step 3: Identify Where the Data Is Stored......Page 135
Step 6: Develop and Document Policies......Page 136
Common Mistakes and Pitfalls......Page 137
The Case of the Data Killers......Page 139
References......Page 141
7 Using Wireless Networking......Page 142
What Is Wireless Network Security?......Page 143
Where Is Wireless Network Security in PCI DSS?......Page 145
Requirements 1 and 12: Documentation......Page 146
Actual Security of Wireless Devices: Requirements 2, 4, and 9......Page 147
Testing for Unauthorized Wireless: Requirement 11.1......Page 149
Why Do We Need Wireless Network Security?......Page 152
Tools and Best Practices......Page 153
Common Mistakes and Pitfalls......Page 154
The Case of the Untethered Laptop......Page 155
The Case of the Expansion Plan......Page 157
The Case of the Double Secret Wireless Network......Page 158
Summary......Page 159
8 Vulnerability Management......Page 160
Vulnerability Management in PCI......Page 162
Stages of Vulnerability Management Process......Page 164
Requirement 5 Walk-through......Page 169
Requirement 6 Walk-through......Page 170
Web-Application Security and Web Vulnerabilities......Page 175
Requirement 11 Walk-through......Page 184
External Vulnerability Scanning with ASV......Page 186
Considerations when Picking an ASV......Page 187
How ASV Scanning Works......Page 191
PCI DSS Scan Validation Walk-through......Page 194
Operationalizing ASV Scanning......Page 196
What Do You Expect from an ASV?......Page 197
Internal Vulnerability Scanning......Page 199
Common PCI Vulnerability Management Mistakes......Page 201
PCI at a Retail Chain......Page 204
Summary......Page 206
References......Page 207
9 Logging Events and Monitoring the Cardholder Data Environment......Page 208
PCI Requirements Covered......Page 209
Why Logging and Monitoring in PCI DSS?......Page 210
Logging and Monitoring in Depth......Page 211
PCI Relevance of Logs......Page 215
Logging in PCI Requirement 10......Page 217
Monitoring Data and Log Security Issues......Page 221
Logging and Monitoring in PCI – All Other Requirements......Page 224
Tools for Logging in PCI......Page 228
Log Management Tools......Page 234
Intrusion Detection and Prevention......Page 236
Integrity Monitoring......Page 241
Case Study......Page 243
The Case of the Risky Risk-Based Approach......Page 244
The Case of Tweaking to Comply......Page 245
References......Page 246
10 Managing a PCI DSS Project to Achieve Compliance......Page 247
Figuring Out If You Need to Comply......Page 248
Compliance Overlap......Page 249
The Level of Validation......Page 250
What Is the Cost for Noncompliance?......Page 251
Bringing the Key Players to the Table......Page 253
Obtaining Corporate Sponsorship......Page 254
Getting Results Fast......Page 255
Budgeting Time and Resources......Page 256
Establishing Goals and Milestones......Page 257
Having Status Meetings......Page 258
Training Your Compliance Team......Page 259
Setting Up the Corporate Compliance Training Program......Page 260
The Steps......Page 262
PCI SSC New Prioritized Approach......Page 265
Summary......Page 266
Reference......Page 267
11 Don’t Fear the Assessor......Page 268
Remember, Assessors Are There to Help......Page 269
How FAIL == WIN......Page 271
Dealing With Assessors’ Mistakes......Page 272
Planning for Remediation......Page 274
Fun Ways to Use Common Vulnerability Scoring System......Page 276
Planning for Reassessing......Page 278
Summary......Page 279
12 The Art of Compensating Control......Page 280
What Is a Compensating Control?......Page 281
Where Are Compensating Controls in PCI DSS?......Page 282
What a Compensating Control Is Not......Page 283
Funny Controls You Didn’t Design......Page 284
How to Create a Good Compensating Control......Page 286
Summary......Page 290
Security Is a Process, Not an Event......Page 292
Plan for Periodic Review and Training......Page 294
Build and Maintain a Secure Network......Page 296
Protect Cardholder Data......Page 297
Maintain a Vulnerability Management Program......Page 298
Regularly Monitor and Test Networks......Page 300
Maintain an Information Security Policy......Page 302
PCI Self-Assessment......Page 303
The Case of the Compliant Company......Page 304
Summary......Page 305
14 PCI and Other Laws, Mandates, and Frameworks......Page 307
Origins of State Data Breach Notification Laws......Page 308
Commonalities Among State Data Breach Laws......Page 309
How Does It Compare to PCI?......Page 310
PCI and the ISO27000 Series......Page 311
PCI and Sarbanes–Oxley (SOX)......Page 313
Regulation Matrix......Page 315
Summary......Page 316
References......Page 317
15 Myths and Misconceptions of PCI DSS......Page 318
Myth #1 PCI Doesn’t Apply......Page 319
Myth #2 PCI Is Confusing......Page 323
Myth #3 PCI DSS Is Too Onerous......Page 325
Myth #4 Breaches Prove PCI DSS Irrelevant......Page 327
Myth #5 PCI Is All We Need for Security......Page 329
Myth #6 PCI DSS Is Really Easy......Page 332
Myth #7 My Tool Is PCI Compliant......Page 334
Myth #8 PCI Is Toothless......Page 337
The Case of the Cardless Merchant......Page 340
References......Page 341
C......Page 343
F......Page 344
M......Page 345
P......Page 346
T......Page 347
W......Page 348