
Download the book PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance

Book details

PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance

Edition: 5th ed.
Authors:
Series:
ISBN: 9780367570026, 9781003100300
Publisher: CRC Press
Year of publication: 2023
Number of pages: 334
Language: English
File format: PDF (converted to PDF, EPUB or AZW3 on user request)
File size: 14 MB

Book price (toman): 57,000





If you need the file of the book PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance converted to PDF, EPUB, AZW3, MOBI or DJVU format, you can notify support and they will convert the file for you.

Note that the book PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance is the original-language edition and not a Persian translation. The International Library website provides original-language books and does not offer any book translated into or written in Persian.


About the book PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance

PCI DSS is now in its 18th year and it continues to dominate corporate security budgets and resources. If you accept, process, transmit, or store payment card data branded by Visa, MasterCard, American Express, Discover, or JCB (or their affiliates and partners), you must comply with this lengthy standard.



Table of contents

Cover
Half Title
Title Page
Copyright Page
Contents
Foreword
Acknowledgments
Authors
Chapter 1: About PCI DSS and This Book
	Who Should Read This Book?
	How to Use the Book in Your Daily Job
	What This Book Is Not
	Organization of the Book
	Summary
	Notes
Chapter 2: Introduction to Fraud, Identity Theft, and Related Regulatory Mandates
	Summary
	Notes
Chapter 3: Why Is PCI Here?
	What Is PCI DSS and Who Must Comply?
	Electronic Card Payment Ecosystem
	Goal of PCI DSS
	Applicability of PCI DSS
		A Quick Note about Appendix A3
	PCI DSS in Depth
		Compliance Deadlines
		Compliance and Validation
		Something New, the Customized Approach
		History of PCI DSS
		PCI Council
		QSAs
		Additional PCI SSC Qualifications
		PFIs
		PCIPs
		QIRs
		ASVs
	Quick Overview of PCI Requirements
		How Changes to PCI DSS Happen
	What’s New in PCI DSS 4.0
		Customized Approach
		Extra Guidance
		New Countermeasures
		Skimmers and Web Content
		Authenticated Vulnerability Scanning
		Inventory All the Things
		Scope Reviews
		In Place With Remediation
	PCI DSS and Risk
	Benefits of Compliance
	Case Study
		The Case of the Developing Security Program
		The Case of the Confusing Validation Requirements
	Summary
	Notes
Chapter 4: Determining and Reducing Your PCI Scope
	The Basics of PCI DSS Scoping
		Connected-To Systems
	The “Gotchas” of PCI Scope
	Scope Reduction Tips
	Planning Your PCI Project
	Case Study
		The Case of the Leaky Data
		The Case of the Entrenched Enterprise
	Summary
	Notes
Chapter 5: Building and Maintaining a Secure Network
	Which PCI DSS Requirements Are in This Domain?
		Establish NSC Configuration Standards
			Denying Traffic from Untrusted Networks and Hosts
			Restricting Connections
			Host or Network-Based Security Controls
			Micro-Segmentation
			Other Considerations for Requirement 1
			The Oddball Requirement 11.5
			Requirement 2: Defaults and Other Security Parameters
			Develop Configuration Standards
			Default Passwords
			Simple Network Management Protocol Defaults
			Delete Unnecessary Accounts
			Implement Single Purpose Servers
			Configure System Security Parameters
			Encrypt Non-Console Administrative Access
	What Else Can You Do to Be Secure?
	Tools and Best Practices
	Common Mistakes and Pitfalls
		Egress Filtering
		Documentation
		System Defaults
	Case Study
		The Case of the Small, Flat Store Network
		The Case of the Large, Flat Corporate Network
		The Case of the Do Over
	Summary
Chapter 6: Strong Access Controls
	Which PCI DSS Requirements Are in This Domain?
		Principles of Access Control
			Confidentiality
			Integrity
			Availability
		Requirement 7: How Much Access Should a User Have?
			Databases and Requirement 7.2.6
		Requirement 8: Authentication Basics
			Identification, Authentication, and Requirements 8.2.4–8.2.8 and 8.3.1–8.3.9
			Locking Users Out: Requirements 8.2.8 and 8.3.4
			Things Paired With Usernames
			Rendering Passwords Unreadable in Transit and Storage
			Password Design for PCI DSS: Requirements 8.3.5–8.3.9 and 8.3.11
			MFA and Requirements 8.4–8.5
			A Brief Word on System Accounts and Requirement 8.6
			OAuth, OIDC, SSH Keys, and SSH Certs, OH MY!
			Educating Users
		Windows and PCI Compliance
			Windows File Access Control
			Finding Inactive Accounts in Active Directory
			Enforcing Password Requirements in Windows on Standalone Computers
			Enabling Password Protected Screen Savers on Standalone Windows Computers
			Setting File Permissions on Standalone Windows Computers
		POSIX (UNIX/Linux Systems) Access Control
			Linux Enforce Password Complexity Requirements
		Cisco and PCI Requirements
			Cisco Enforce Session Timeout
			Encrypt Cisco Passwords
			Setting Up SSH in a Cisco Environment
		Requirement 9: Physical Security
			Handling Visitors: Requirement 9.3
			Media and Physical Data Entry Points: Requirements 9.4
			Protecting the Point of Interaction: Requirement 9.5
	What Else Can You Do to Be Secure?
	Tools and Best Practices
		Random Password for Users
	Common Mistakes and Pitfalls
		Poor Documentation
		Legacy Systems
		Cloud and PaaS
		Physical Access Monitoring
	Case Study
		The Case of the Stolen Database
		The Case of the Loose Permissions
	Summary
	Note
Chapter 7: Protecting Cardholder Data
	What Is Data Protection and Why Is It Needed?
		The Confidentiality, Integrity, and Availability Triad
	Requirements Addressed in This Chapter
	Requirement 3: Protect Stored Account Data
	Requirement 3 Walk-Through
		Encryption Methods for Data at Rest
			File- or Folder-Level Encryption
			Full-Disk Encryption
			Database (Table-, Column-, or Field-Level) Encryption
		PCI and Key Management
	What Else Can You Do to Be Secure?
	Requirement 4 Walk-Through
		Transport Layer Security
		IPsec Virtual Private Networks
		Miscellaneous Card Transmission Rules
	Requirement 12 Walk-Through
	How to Become Compliant and Secure
		Step 1: Identify Business Processes With Card Data
		Step 2: Shrink the Scope
		Step 3: Identify Where Data Is Stored
		Step 4: Determine What to Do About Your Data
		Step 5: Determine Who Needs Access
		Step 6: Develop and Document Policies
	Common Mistakes and Pitfalls
	Case Study
		The Case of the Leaky Data
		The Case of the Satellite Location
	Summary
	Note
Chapter 8: Using Wireless Networking
	What Is Wireless Network Security?
	Where Is Wireless Network Security in PCI DSS?
		Requirements 1, 11, and 12: Documentation
		Actual Security of Wireless Devices: Requirements 2, 4, and 9
		Logging and Wireless Networks: Requirement 10.3.3
		Testing for Unauthorized Wireless: Requirement 11.2
			Quarterly Sweeps or Wireless IDS/IPS: How to Choose
	Why Do We Need Wireless Network Security?
		Other Wireless Technologies
	Tools and Best Practices
	Common Mistakes and Pitfalls
	Case Study
		The Case of the Untethered Laptop
		The Case of the Expansion Plan
		The Case of the Double Secret Wireless Network
		The Case of the Detached POS
	Summary
	Note
Chapter 9: Vulnerability Management
	PCI DSS Requirements Covered
	Vulnerability Management in PCI
		Stages of Vulnerability Management Process
			Policy Definition
			Data Acquisition
			Prioritization
			Mitigation
	Requirement 5 Walk-Through
		What to Do to Be Secure and Compliant?
	Requirement 6 Walk-Through
		Public-Facing Web Application Protection
		Web Application Scanning (WAS)
		Web Application Firewalls (WAFs)
		Payment Pages
		Change Management
		Software Supply Chain Attacks
	Requirement 11 Walk-Through
	External Vulnerability Scanning With ASV
		What Is an ASV?
		Considerations When Picking an ASV
		How ASV Scanning Works
		Operationalizing ASV Scanning
		What Should You Expect From an ASV?
	Internal Vulnerability Scanning
		Penetration Testing
	Common PCI Vulnerability Management Mistakes
	Case Study
		PCI at a Retail Chain
		PCI at an E-Commerce Site
	Summary
Chapter 10: Logging Events and Monitoring the Cardholder Data Environment
	PCI Requirements Covered
	Why Logging and Monitoring in PCI DSS?
	Logging and Monitoring in Depth
	PCI Relevance of Logs
	Logging in PCI Requirement 10
	Monitoring Data and Log for Security Issues
	Logging and Monitoring in PCI—All Other Requirements
	PCI DSS Logging Policies and Procedures
		Building an Initial Baseline Manually
		Guidance for Identifying “Known Bad” Messages
			Main Workflow: Daily Log Review
		Exception Investigation and Analysis
		Validation of Log Review
		PCI Compliance Evidence Package
		Periodic Operational Task Summary
		Daily Tasks
	Tools for Logging in PCI
	Other Monitoring Tools
	Intrusion Detection and Prevention
	Integrity Monitoring
	Common Mistakes and Pitfalls
	Case Study
		The Case of the Risky Risk-Based Approach
		The Case of Tweaking to Comply
	Summary
Chapter 11: Cloud and Virtualization
	Cloud Basics
		What Is the Cloud?
			Cloud Badness
		Cloud Changes Everything! But Does It?
		Cloud Challenges and You
	PCI Cloud Examples
	So, Can I Use Cloud Resources in PCI DSS Environments?
	Containers and Kubernetes
		More Cloud for Better Security and Compliance?
	Maintaining and Assessing PCI DSS in the Cloud
		Enter the Matrix
	Tools and Best Practices
	Summary
	Notes
Chapter 12: Mobile
	Where Is Mobility Addressed in PCI DSS 4.0?
	What Guidance Is Available?
	Deploying the Technology Safely
	Case Study
		The Case of the Summer Festival
	Summary
Chapter 13: PCI for the Small Business
	The Risks of Credit Card Acceptance
	New Business Considerations
	Your POS Is Like My POS!
	A Basic Scheme for SMB Hardening
	Case Study
		The Case of the Outsourcing Decision
	Summary
Chapter 14: PCI DSS for the Service Provider
	The Definition of a Service Provider
	Why Do Service Providers Have More Requirements?
	Variation on a Theme, or What Service Providers Should Care About?
	Service-Provider-Specific Requirements
		Protect Account Data
		Implement Strong Access Control Measures
		Regularly Monitor and Test Networks
		Maintain an Information Security Policy
		Additional PCI DSS Requirements for Multi-Tenant Service Providers
		Outdated SSL/TLS for Card-Present Terminals
	Case Study
	Summary
Chapter 15: Managing a PCI DSS Project to Achieve Compliance
	Justifying a Business Case for Compliance
		Figuring Out If You Need to Comply
		Compliance Overlap
		Level of Validation
		What Is the Cost for Non-Compliance?
			Penalties for Non-Compliance
	Bringing the Key Players to the Table
		Obtaining Corporate Sponsorship
		Forming Your Compliance Team
		Roles and Responsibilities of Your Team
		Getting Results Fast
		Notes From the Front Line
	Budgeting Time and Resources
		Setting Expectations
		Management’s Expectations
		Establishing Goals and Milestones
		Status Meetings
	Educating Staff
		Training Your Compliance Team
		Training the Company on Compliance
		Setting Up the Corporate Compliance Training Program
	Project Quickstart Guide
		The Steps
			Step 1: Obtain Corporate Sponsorship
			Step 2: Identify and Establish Your Team
			Step 3: Determine Your PCI Level and Scope
			Step 4: Complete a PCI DSS SAQ or Hire a QSA
			Step 5: Set Up Quarterly External Network Scans From an Approved Scanning Vendor
			Step 6: Get Validated by a QSA (or an ISA)
			Step 7: Perform a Gap Analysis
			Step 8: Create PCI DSS Compliance Plan
			Step 9: Prepare for Annual Assessment of Compliance Validation
	The PCI DSS Prioritized Approach
	The Visa TIP
	Summary
	Note
Chapter 16: Don’t Fear the Assessor
	Remember, Assessors Are Generally There to Help
		Balancing Remediation Needs
		How FAIL == WIN
	Dealing With Assessors’ Mistakes
	Planning for Remediation
		Fun Ways to Use CVSS
	Planning for Re-Assessing
	Summary
	Notes
Chapter 17: The Art of Compensating Control
	What Is a Compensating Control?
	Where Are Compensating Controls in PCI DSS?
	What a Compensating Control Is Not
	Funny Controls You Didn’t Design
	How to Create a Good Compensating Control
	Case Studies
		The Case of the Newborn Concierge
		The Case of the Concierge Travel Agency
	Summary
Chapter 18: You’re Compliant, Now What?
	Security Is a Process, Not an Event
	Plan for Periodic Review and Training
	PCI Requirements With Periodic Maintenance
		Build and Maintain a Secure Network and Systems
		Protect Account Data
		Maintain a Vulnerability Management Program
		Implement Strong Access Control Measures
		Regularly Monitor and Test Networks
		Maintain an Information Security Policy
	PCI Self-Assessment
	Case Study
		The Case of the Compliant Company
	Summary
Chapter 19: Emerging Technology and Alternative Payment Schemes
	Emerging Payment Schemes
		EMV
		Mobile
		Near-Field Communication (A.K.A., Tap & Go)
		The Payment Account Reference
		Square, Paypal, and Intuit
		Google Checkout, Paypal, and Stripe
		3-D Secure
	Bitcoin, Ethereum, and Crypto
	Predictions
	Taxonomy and Tidbits
		EMV
		Europe versus the US versus the Rest of the World
		One-Time Use Cards
		Customer Experience
	Case Study
		The Case of the Cashless Cover Charge
	Summary
	Note
Chapter 20: PCI DSS Myths and Misconceptions
	Myth #1 PCI Doesn’t Apply to Me
		A Perfect Example of Myth #1 at Work!
	Myth #2 PCI Is Confusing and Ambiguous
	Myth #3 PCI DSS Is Too Onerous
	Myth #4 Breaches Prove PCI DSS to Be Irrelevant
	Myth #5 PCI Is All We Need for Security
	Myth #6 PCI DSS Is Really Easy
	Myth #7 My Tool Is PCI Compliant, Thus I Am Compliant
	Myth #8 PCI Is Toothless
	Case Study
		The Case of the Cardless Merchant
	Summary
	Notes
Chapter 21: Final Thoughts
	A Quick Summary
		Timelines
		Compensating Controls and the Customized Approach
		We Play Catch-Up
		The Challenging Ones
	On Time Travel
	Interact With Us!
Index by Requirement
Alphabetical Index
