The Payment Card Industry Data Security Standard (PCI DSS) is now in its 18th year, and it continues to dominate corporate security budgets and resources. If you accept, process, transmit, or store payment card data branded by Visa, MasterCard, American Express, Discover, or JCB (or their affiliates and partners), you must comply with this lengthy standard.
Personal data theft is at the top of the list of likely cybercrimes that modern-day corporations must defend against. In particular, credit or debit card data is preferred by cybercriminals as they can find ways to monetize it quickly from anywhere in the world. Is your payment processing secure and compliant? The new Fifth Edition of PCI Compliance has been revised to follow the new PCI DSS version 4.0, which is a complete overhaul to the standard. Also new to the Fifth Edition are: additional case studies and clear guidelines and instructions for maintaining PCI compliance globally, including coverage of technologies such as Kubernetes, cloud, near-field communication, point-to-point encryption, Mobile, Europay, MasterCard, and Visa. This is the first book to address the recent updates to PCI DSS and the only book you will need during your PCI DSS journey. The real-world scenarios and hands-on guidance will be extremely valuable, as well as the community of professionals you will join after buying this book.
Each chapter has how-to guidance to walk you through implementing concepts and real-world scenarios to help you grasp how PCI DSS will affect your daily operations. This book provides the information that you need in order to understand the current PCI Data Security Standards and the ecosystem that surrounds them, how to effectively implement security on network infrastructure in order to be compliant with the credit card industry guidelines, and help you protect sensitive and personally identifiable information. Our book puts security first as a way to enable compliance.
- Completely updated to follow the current PCI DSS version 4.0
- Packed with tips to develop and implement an effective PCI DSS and cybersecurity strategy
- Includes coverage of new and emerging technologies such as Kubernetes, mobility, and 3D Secure 2.0
- Both authors have broad information security backgrounds, including extensive PCI DSS experience
Author(s): Branden Williams, James Adamson
Edition: 5
Publisher: CRC Press
Year: 2022
Language: English
Pages: 334
City: Boca Raton
Cover
Half Title
Title Page
Copyright Page
Contents
Foreword
Acknowledgments
Authors
Chapter 1: About PCI DSS and This Book
Who Should Read This Book?
How to Use the Book in Your Daily Job
What This Book Is Not
Organization of the Book
Summary
Notes
Chapter 2: Introduction to Fraud, Identity Theft, and Related Regulatory Mandates
Summary
Notes
Chapter 3: Why Is PCI Here?
What Is PCI DSS and Who Must Comply?
Electronic Card Payment Ecosystem
Goal of PCI DSS
Applicability of PCI DSS
A Quick Note about Appendix A3
PCI DSS in Depth
Compliance Deadlines
Compliance and Validation
Something New, the Customized Approach
History of PCI DSS
PCI Council
QSAs
Additional PCI SSC Qualifications
PFIs
PCIPs
QIRs
ASVs
Quick Overview of PCI Requirements
How Changes to PCI DSS Happen
What’s New in PCI DSS 4.0
Customized Approach
Extra Guidance
New Countermeasures
Skimmers and Web Content
Authenticated Vulnerability Scanning
Inventory All the Things
Scope Reviews
In Place With Remediation
PCI DSS and Risk
Benefits of Compliance
Case Study
The Case of the Developing Security Program
The Case of the Confusing Validation Requirements
Summary
Notes
Chapter 4: Determining and Reducing Your PCI Scope
The Basics of PCI DSS Scoping
Connected-To Systems
The “Gotchas” of PCI Scope
Scope Reduction Tips
Planning Your PCI Project
Case Study
The Case of the Leaky Data
The Case of the Entrenched Enterprise
Summary
Notes
Chapter 5: Building and Maintaining a Secure Network
Which PCI DSS Requirements Are in This Domain?
Establish NSC Configuration Standards
Denying Traffic from Untrusted Networks and Hosts
Restricting Connections
Host or Network-Based Security Controls
Micro-Segmentation
Other Considerations for Requirement 1
The Oddball Requirement 11.5
Requirement 2: Defaults and Other Security Parameters
Develop Configuration Standards
Default Passwords
Simple Network Management Protocol Defaults
Delete Unnecessary Accounts
Implement Single Purpose Servers
Configure System Security Parameters
Encrypt Non-Console Administrative Access
What Else Can You Do to Be Secure?
Tools and Best Practices
Common Mistakes and Pitfalls
Egress Filtering
Documentation
System Defaults
Case Study
The Case of the Small, Flat Store Network
The Case of the Large, Flat Corporate Network
The Case of the Do Over
Summary
Chapter 6: Strong Access Controls
Which PCI DSS Requirements Are in This Domain?
Principles of Access Control
Confidentiality
Integrity
Availability
Requirement 7: How Much Access Should a User Have?
Databases and Requirement 7.2.6
Requirement 8: Authentication Basics
Identification, Authentication, and Requirements 8.2.4–8.2.8 and 8.3.1–8.3.9
Locking Users Out: Requirements 8.2.8 and 8.3.4
Things Paired With Usernames
Rendering Passwords Unreadable in Transit and Storage
Password Design for PCI DSS: Requirements 8.3.5–8.3.9 and 8.3.11
MFA and Requirements 8.4–8.5
A Brief Word on System Accounts and Requirement 8.6
OAuth, OIDC, SSH Keys, and SSH Certs, OH MY!
Educating Users
Windows and PCI Compliance
Windows File Access Control
Finding Inactive Accounts in Active Directory
Enforcing Password Requirements in Windows on Standalone Computers
Enabling Password Protected Screen Savers on Standalone Windows Computers
Setting File Permissions on Standalone Windows Computers
POSIX (UNIX/Linux Systems) Access Control
Linux Enforce Password Complexity Requirements
Cisco and PCI Requirements
Cisco Enforce Session Timeout
Encrypt Cisco Passwords
Setting Up SSH in a Cisco Environment
Requirement 9: Physical Security
Handling Visitors: Requirement 9.3
Media and Physical Data Entry Points: Requirements 9.4
Protecting the Point of Interaction: Requirement 9.5
What Else Can You Do to Be Secure?
Tools and Best Practices
Random Password for Users
Common Mistakes and Pitfalls
Poor Documentation
Legacy Systems
Cloud and PaaS
Physical Access Monitoring
Case Study
The Case of the Stolen Database
The Case of the Loose Permissions
Summary
Note
Chapter 7: Protecting Cardholder Data
What Is Data Protection and Why Is It Needed?
The Confidentiality, Integrity, and Availability Triad
Requirements Addressed in This Chapter
Requirement 3: Protect Stored Account Data
Requirement 3 Walk-Through
Encryption Methods for Data at Rest
File- or Folder-Level Encryption
Full-Disk Encryption
Database (Table-, Column-, or Field-Level) Encryption
PCI and Key Management
What Else Can You Do to Be Secure?
Requirement 4 Walk-Through
Transport Layer Security
IPsec Virtual Private Networks
Miscellaneous Card Transmission Rules
Requirement 12 Walk-Through
How to Become Compliant and Secure
Step 1: Identify Business Processes With Card Data
Step 2: Shrink the Scope
Step 3: Identify Where Data Is Stored
Step 4: Determine What to Do About Your Data
Step 5: Determine Who Needs Access
Step 6: Develop and Document Policies
Common Mistakes and Pitfalls
Case Study
The Case of the Leaky Data
The Case of the Satellite Location
Summary
Note
Chapter 8: Using Wireless Networking
What Is Wireless Network Security?
Where Is Wireless Network Security in PCI DSS?
Requirements 1, 11, and 12: Documentation
Actual Security of Wireless Devices: Requirements 2, 4, and 9
Logging and Wireless Networks: Requirement 10.3.3
Testing for Unauthorized Wireless: Requirement 11.2
Quarterly Sweeps or Wireless IDS/IPS: How to Choose
Why Do We Need Wireless Network Security?
Other Wireless Technologies
Tools and Best Practices
Common Mistakes and Pitfalls
Case Study
The Case of the Untethered Laptop
The Case of the Expansion Plan
The Case of the Double Secret Wireless Network
The Case of the Detached POS
Summary
Note
Chapter 9: Vulnerability Management
PCI DSS Requirements Covered
Vulnerability Management in PCI
Stages of Vulnerability Management Process
Policy Definition
Data Acquisition
Prioritization
Mitigation
Requirement 5 Walk-Through
What to Do to Be Secure and Compliant?
Requirement 6 Walk-Through
Public-Facing Web Application Protection
Web Application Scanning (WAS)
Web Application Firewalls (WAFs)
Payment Pages
Change Management
Software Supply Chain Attacks
Requirement 11 Walk-Through
External Vulnerability Scanning With ASV
What Is an ASV?
Considerations When Picking an ASV
How ASV Scanning Works
Operationalizing ASV Scanning
What Should You Expect From an ASV?
Internal Vulnerability Scanning
Penetration Testing
Common PCI Vulnerability Management Mistakes
Case Study
PCI at a Retail Chain
PCI at an E-Commerce Site
Summary
Chapter 10: Logging Events and Monitoring the Cardholder Data Environment
PCI Requirements Covered
Why Logging and Monitoring in PCI DSS?
Logging and Monitoring in Depth
PCI Relevance of Logs
Logging in PCI Requirement 10
Monitoring Data and Log for Security Issues
Logging and Monitoring in PCI—All Other Requirements
PCI DSS Logging Policies and Procedures
Building an Initial Baseline Manually
Guidance for Identifying “Known Bad” Messages
Main Workflow: Daily Log Review
Exception Investigation and Analysis
Validation of Log Review
PCI Compliance Evidence Package
Periodic Operational Task Summary
Daily Tasks
Tools for Logging in PCI
Other Monitoring Tools
Intrusion Detection and Prevention
Integrity Monitoring
Common Mistakes and Pitfalls
Case Study
The Case of the Risky Risk-Based Approach
The Case of Tweaking to Comply
Summary
Chapter 11: Cloud and Virtualization
Cloud Basics
What Is the Cloud?
Cloud Badness
Cloud Changes Everything! But Does It?
Cloud Challenges and You
PCI Cloud Examples
So, Can I Use Cloud Resources in PCI DSS Environments?
Containers and Kubernetes
More Cloud for Better Security and Compliance?
Maintaining and Assessing PCI DSS in the Cloud
Enter the Matrix
Tools and Best Practices
Summary
Notes
Chapter 12: Mobile
Where Is Mobility Addressed in PCI DSS 4.0?
What Guidance Is Available?
Deploying the Technology Safely
Case Study
The Case of the Summer Festival
Summary
Chapter 13: PCI for the Small Business
The Risks of Credit Card Acceptance
New Business Considerations
Your POS Is Like My POS!
A Basic Scheme for SMB Hardening
Case Study
The Case of the Outsourcing Decision
Summary
Chapter 14: PCI DSS for the Service Provider
The Definition of a Service Provider
Why Do Service Providers Have More Requirements?
Variation on a Theme, or What Service Providers Should Care About?
Service-Provider-Specific Requirements
Protect Account Data
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy
Additional PCI DSS Requirements for Multi-Tenant Service Providers
Outdated SSL/TLS for Card-Present Terminals
Case Study
Summary
Chapter 15: Managing a PCI DSS Project to Achieve Compliance
Justifying a Business Case for Compliance
Figuring Out If You Need to Comply
Compliance Overlap
Level of Validation
What Is the Cost for Non-Compliance?
Penalties for Non-Compliance
Bringing the Key Players to the Table
Obtaining Corporate Sponsorship
Forming Your Compliance Team
Roles and Responsibilities of Your Team
Getting Results Fast
Notes From the Front Line
Budgeting Time and Resources
Setting Expectations
Management’s Expectations
Establishing Goals and Milestones
Status Meetings
Educating Staff
Training Your Compliance Team
Training the Company on Compliance
Setting Up the Corporate Compliance Training Program
Project Quickstart Guide
The Steps
Step 1: Obtain Corporate Sponsorship
Step 2: Identify and Establish Your Team
Step 3: Determine Your PCI Level and Scope
Step 4: Complete a PCI DSS SAQ or Hire a QSA
Step 5: Set Up Quarterly External Network Scans From an Approved Scanning Vendor
Step 6: Get Validated by a QSA (or an ISA)
Step 7: Perform a Gap Analysis
Step 8: Create PCI DSS Compliance Plan
Step 9: Prepare for Annual Assessment of Compliance Validation
The PCI DSS Prioritized Approach
The Visa TIP
Summary
Note
Chapter 16: Don’t Fear the Assessor
Remember, Assessors Are Generally There to Help
Balancing Remediation Needs
How FAIL == WIN
Dealing With Assessors’ Mistakes
Planning for Remediation
Fun Ways to Use CVSS
Planning for Re-Assessing
Summary
Notes
Chapter 17: The Art of Compensating Control
What Is a Compensating Control?
Where Are Compensating Controls in PCI DSS?
What a Compensating Control Is Not
Funny Controls You Didn’t Design
How to Create a Good Compensating Control
Case Studies
The Case of the Newborn Concierge
The Case of the Concierge Travel Agency
Summary
Chapter 18: You’re Compliant, Now What?
Security Is a Process, Not an Event
Plan for Periodic Review and Training
PCI Requirements With Periodic Maintenance
Build and Maintain a Secure Network and Systems
Protect Account Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy
PCI Self-Assessment
Case Study
The Case of the Compliant Company
Summary
Chapter 19: Emerging Technology and Alternative Payment Schemes
Emerging Payment Schemes
EMV
Mobile
Near-Field Communication (A.K.A., Tap & Go)
The Payment Account Reference
Square, PayPal, and Intuit
Google Checkout, PayPal, and Stripe
3-D Secure
Bitcoin, Ethereum, and Crypto
Predictions
Taxonomy and Tidbits
EMV
Europe versus the US versus the Rest of the World
One-Time Use Cards
Customer Experience
Case Study
The Case of the Cashless Cover Charge
Summary
Note
Chapter 20: PCI DSS Myths and Misconceptions
Myth #1 PCI Doesn’t Apply to Me
A Perfect Example of Myth #1 at Work!
Myth #2 PCI Is Confusing and Ambiguous
Myth #3 PCI DSS Is Too Onerous
Myth #4 Breaches Prove PCI DSS to Be Irrelevant
Myth #5 PCI Is All We Need for Security
Myth #6 PCI DSS Is Really Easy
Myth #7 My Tool Is PCI Compliant, Thus I Am Compliant
Myth #8 PCI Is Toothless
Case Study
The Case of the Cardless Merchant
Summary
Notes
Chapter 21: Final Thoughts
A Quick Summary
Timelines
Compensating Controls and the Customized Approach
We Play Catch-Up
The Challenging Ones
On Time Travel
Interact With Us!
Index by Requirement
Alphabetical Index