Foreword

“Welcome! Welcome! Kids of all ages! Step right up! The show is about to begin!”

Those words of a circus barker come to mind when thinking of someone new being introduced to the Payment Card Industry Data Security Standard (PCI DSS). Much like a spectator at the circus, they’re bewildered, unclear what exactly is going on or where to turn. Similar to a circus, there is a great deal going on, as well as a lot of noise, when it comes to the PCI DSS, from the standard’s governing body, the PCI SSC, to all of the supporting organizations, vendors, conferences, bloggers, etc.

It’s been 11 years since the PCI DSS was created in 2004, and now, seven versions later, the most current version, 3.1, was released in April 2015. While the standard was introduced as a compilation of best practices and policies to provide a baseline standard for the protection of cardholder data, the adaptation and evolution of the standard has been quite dynamic and has been included in state-level law in the United States, including Washington in 2009¹ and Nevada in 2010.²

Luckily for all of us we have Dr Branden Williams and Dr Anton Chuvakin! As ‘circus masters’, they have come together to highlight the main ‘attractions’ and give insight into the standards, limitations, what scope is and can be, observations on different interpretations and implementations, and make the visits from a Payment Card Industry Qualified Security Assessor (PCI QSA) a bit less intimidating.

With over 15 years of experience in Information Security, as a consultant to a C-Level executive, I have seen the challenges created by applying PCI DSS from all sides. For the past six years I have been a Managing Partner for the Enterprise Services segment of Urbane Security, a boutique consultancy in which my division specializes in complex implementations of the PCI DSS. From highly technical and large-scale organizations to mid-sized organizations with limited resources, the challenges of meeting the intents of some of the PCI DSS controls are felt by all. Whenever I have a challenge and need to brainstorm, my first calls are to Branden or Anton, as I find their thoughts align with our organization’s pragmatic approach. This book is with me at all times (thank you, iPad) and is recommended reading for all of our clients who are tasked with PCI DSS compliance. This is the most approachable, accurate, and easy-to-digest guide to understanding the PCI DSS.

Erin ‘@SecBarbie’ Jacobs

– A former CIO and CSO, Erin brings more than 15 years of consulting and C-level management experience to Urbane Security and manages the company’s compliance and strategic advisory delivery teams. She and her team work with all levels of an organization to identify business goals and IT challenges and then, through specially tailored services, align them with the best solutions to help them securely drive their business forward. Through her work, Erin has established several industry best practices and has presented these at numerous high-profile security conferences. She is also passionate about fostering collaboration between the CSOs and practitioners who oversee day-to-day security challenges and the security research community at large, to help them learn from each other and ultimately improve our industry.
