Chapter 1. About PCI and This Book
If you are like most information technology (IT) and information security professionals, the idea of becoming compliant with Payment Card Industry Data Security Standard (PCI DSS) or countless other regulations does not sound like much fun. It is much more common to associate compliance efforts with the other extreme, and that is PAIN. Whether it is the pain of not knowing what to do, pain of failing the assessment, or pain of “doing compliance” on a $0 budget, there are plenty of challenges that earned compliance – PCI DSS compliance in particular – have in common with pain.
Thus, we face the seemingly impossible challenge to write a fun and insightful book about PCI DSS. We realize all the difficulties of achieving this, and we are committed to the challenge. We'd like to invite you, our reader, to travel with us in the hopes that when you turn the last page, you would come to realize that PCI DSS compliance can indeed be (YES) fun!
There are many standards and regulations out there. If your company's stock is publicly traded in the United States, you must adhere to the Sarbanes–Oxley (SOX) mandates. Financial companies fall under the Gramm–Leach–Bliley Act (GLBA). Those in the energy sector work toward North American Electric Reliability Corporation (NERC), Federal Energy Regulatory Commission (FERC), or Critical Infrastructure Protection (CIP) standards. If you are in the health care industry, your network must comply with the Health Insurance Portability and Accountability Act (HIPAA) standards. Other countries have their own “alphabet soup” of standards such as British BSI, Russian GOST (Russian for “gosudarstvennyy standart” or “state standard”), worldwide International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC), and so on. However, the PCI DSS occupies a special place among the standards due to two reasons: broad, worldwide applicability and the presence of enforcement mechanism that is seen as imminent and unavoidable, unlike for some other mentioned regulations.
The overarching theme of all these standards, laws, and regulations is that organizations need to secure their data and protect their networks to keep citizens' data safe. In some cases, weak information security may only affect the company. However, when the data on the corporate network contains personal information about patients, customers, or employees, a breach of security can have implications far beyond the company. A breach of a company dealing with hundreds of millions of customers, such as a card payment processor, will have implications touching nearly the entire society and, thus, decreasing such occurrences is in the public interest.
Visa, MasterCard, American Express, Discover, and JCB banded together to develop PCI DSS to ensure that credit-card customer information is adequately protected and to protect the card industry. Breaches of customer information lead to money loss and damaged reputations, and the credit-card industry wants to protect itself from financial loss or eroded consumer confidence in credit cards as a means of transacting money.
We will use its experience with PCI DSS, both from the PCI Qualified Security Assessor (QSA) side and from information security side, to explain the most up-to-date PCI DSS guidelines to you. However, we will do so in a broader, more holistic approach. The objective of this book is not only to teach you about the PCI DSS requirements but to help you understand how the PCI DSS requirements fit into an organization's information security framework, and how to effectively implement information security controls so that you can be both compliant and secure. In addition, we will focus on how to do this in the easiest and most painless way, but without compromising security in the process.
This book will make constant reference to the PCI DSS. PCI DSS, and its related standards, is owned by the PCI Security Standards Council (PCI SSC), sometimes known in the industry as PCI Co. Before you start reading this book, you should go to the Council's Web site at www.pcisecuritystandards.org and download PCI DSS version 1.2.1 under the Security Standards/PCI DSS heading.
As of this publication, PCI DSS is at version 1.2.1. The changes between versions 1.2 and 1.2.1 are not enough to differentiate in this book, so when we refer to PCI DSS version 1.2, assume that includes version 1.2.1.

Who Should Read This Book?

Every company that accepts card payments, processes credit- or debit-card transactions, stores payment card data, or in any other way touches personal or sensitive data associated with payment card processing is affected by the PCI DSS. Nowadays, it means that virtually all businesses, no matter how big or small, need to understand their scope of PCI DSS and how to implement PCI controls to work toward reducing their risk, or face penalties or even the possibility of having their merchant status revoked.
Even with such a broad audience compelled to comply with the PCI DSS, this book had to be written for a specific technical level. This book could have been written in very simple terms to educate the general population about PCI DSS. We could have written an in-depth technical tome providing every bit of detail a network engineer or security administrator might need to configure and implement all controls mandated by PCI DSS. This book aims in the middle and is more of a strategic guide to help executive management understand the implications of PCI DSS and what it takes to be compliant. Overall, the book would be useful for everybody in IT and in management of the organization that deal with credit cards. This would include executive management, IT and IT security management, network, server, application developers, database managers, as well as everyone interested in payment security.
As a result, this book is for the IT managers and company managers who need to understand how PCI DSS applies to their organizations. This book is for the small- and medium-size businesses that don't have an IT department to delegate to. The book is also for large organizations whose PCI DSS project scope is immense. It is for all organizations that need to grasp the concepts of PCI DSS and how to implement an effective security framework that is also compliant. This book is intended as an introduction to PCI DSS, but with a deeper and more technical understanding of how to put it into action. Finally, even PCI “literati” will benefit from the stories and case studies presented by us!

How to Use the Book in Your Daily Job

You can use the book during the entire lifecycle from complete PCI unawareness to ultimate security and compliance enlightenment. Specifically, you can use it as provided in the following:
■ Learn what PCI DSS is and why it is here to stay
■ Figure out how it applies to you and your organization
■ Learn what to do about each of the 12 main requirements
■ Gain knowledge about dealing with PCI assessors
■ Learn how to plan and manage PCI DSS project
■ Understand all the technologies referenced by PCI DSS
■ Get the best experience out of what can be seen as a painful assessment process

What this Book is NOT

While reading the book, it is useful to remember that this is not the book that will unambiguously answer every PCI DSS esoteric question. Also, there is simply no way to create a book that will answer PCI DSS questions as the regulation applies to your own environment. Indeed, there are a lot of similarity in how networks and systems are deployed, but given broad applicability of PCI DSS – from small e-commerce sites to huge worldwide retailers – there is no way to have a book “customized” for your networks, systems, and applications. It is not meant to be the final authority for all issues related to PCI DSS, and it is not the unabridged guide to all things of PCI DSS. Finally, even though the book is written using one of the authors' QSA1 experience, your QSA is the ultimate judge of most PCI “puzzles” you will face on your journey to compliance.
1The term QSA and the role of QSAs in PCI DSS assessments will be explained in Chapter 3, “Why Is PCI Here?”

Organization of the Book

Each chapter of the book is designed to provide you the information you need to know in a way that you can easily understand and apply. To aid in that goal, the chapters follow a common structure which, wherever possible, includes the description of the PCI DSS requirement, the value of the requirement for PCI DSS and security, common tips and select tools useful for satisfying the requirement, as well as common mistakes and pitfalls.
Specifically, we are trying to first explain what is the control or a concept we are talking about, whether it is log management or compensating controls. Then, we explain where in PCI DSS this concept sits and why it is needed for information security – how it reduces risk. Next, we explain what you should do with this concept to be secure and compliant using examples, common practices, etc. Most chapters have a detailed and entertaining case study. When we said that we will make PCI fun, we really mean it! Most chapters have a summary that provides a brief recap of the concepts discussed to reinforce what you read or to help you identify areas that you may need to re-read if you feel you don't understand them yet. Where possible, we also try to highlight common mistakes and pitfalls with these requirements or PCI concepts.

Summary

This section provides a brief description of the information covered in each chapter:
■ Chapter 1: About PCI and This Book – This chapter explains why PCI DSS is special and what this book is about.
Chapter 2: Introduction to Fraud, ID Theft, and Regulatory Mandates – This chapter explains cybercrime and regulations and is a brief look at payment card fraud, cybercrime, ID theft, and other things around PCI DSS.
Chapter 3: Why Is PCI Here? – This chapter gives an overview of PCI DSS and why the card industry was compelled to create it. This chapter also includes some discussion about the benefits of PCI DSS compliance and the risks of noncompliance.
Chapter 4: Building and Maintaining a Secure Network – This chapter explains the necessary steps in protecting data for PCI DSS compliance and other reasons: to have a secure network in the first place. This chapter discusses the basic components of a secure network and lays the foundation for building the rest of your PCI DSS compliance.
Chapter 5: Strong Access Controls – This chapter covers one of the most important aspects of PCI DSS compliance access control. The information in this chapter includes the need to restrict access to only those individuals that need it, as well as restricting physical access to computer systems.
Chapter 6: Protecting Cardholder Data – This chapter explains how to protect card data that is stored on your systems, as well as how to protect data while it is in transit on your network.
Chapter 7: Using Wireless Networking – This chapter covers wireless security issues and wireless security controls and safeguards managed by PCI DSS.
Chapter 8: Vulnerability Management – This chapter explains performing vulnerability assessments to identify weaknesses in systems and applications, and how to mitigate or remediate the vulnerabilities to protect and secure your data.
Chapter 9: Logging Events and Monitoring the Cardholder Data Environment – This chapter discusses how to configure logging and event assessment to capture the information you need to be able to show and maintain PCI compliance, as well as how to perform other security monitoring tasks.
Chapter 10: Managing a PCI DSS Project to Achieve Compliance – This chapter gives an overview of the steps involved and tasks necessary to implement a successful PCI compliance project. This chapter includes a discussion of the basic elements that should be included in future projects and to proactively ensure they are PCI compliant.
Chapter 11: Don't Fear the Assessor – This chapter makes you understand that an assessor is there to work with you to validate your compliance and help you with security. They are not the enemy. This chapter explains how to use the findings from a failed assessment to build ongoing compliance and security.
Chapter 12: The Art of Compensating Control – This chapter explains how compensating controls are often talked about and misunderstood. This chapter will help build understanding and confidence in the reader when dealing with this tricky and often ambiguous component of PCI DSS.
Chapter 13: You're Compliant, Now What? – This chapter covers the details you need to keep in mind once you have achieved compliance. Security is not as simple as just getting it implemented. You have to monitor and maintain it. This chapter contains information about ongoing training and periodic reviews, as well as how to conduct a self-assessment to ensure continued compliance.
Chapter 14: PCI and Other Laws, Mandates, and Frameworks – This chapter covers how PCI DSS relates to other regulatory “beasts”: laws, frameworks, and regulations.
Chapter 15: Myths and Misconceptions of PCI DSS – This final chapter explains common but damaging PCI myths and misconceptions, as well as explains the reality behind them.
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset