Identity theft and other confidential information theft have now topped the charts as the #1 cybercrime. In particular, credit card data is preferred by cybercriminals. Is your payment processing secure and compliant? Now in its second edition, PCI Compliance has been revised to follow the new PCI D
PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance
Scribed by Branden R. Williams and Anton Chuvakin, Ph.D. (Stony Brook University, Stony Brook, NY).
- Publisher
- Syngress
- Year
- 2012
- Tongue
- English
- Leaves
- 357
- Edition
- 3rd
- Category
- Library
Synopsis
The credit card industry established the PCI Data Security Standard to set a minimum baseline for how merchants and service providers must protect cardholder data so that it is not stolen by fraudsters. PCI Compliance, 3e, provides the information readers need to understand the current PCI Data Security Standard, recently updated to version 2.0, and how to implement security effectively within your company so that it complies with the card brands' requirements and protects sensitive and personally identifiable information. Security breaches continue to occur on a regular basis, affecting millions of customers and costing companies millions of dollars in fines and reparations. That doesn't include the damage such breaches do to the reputation of the companies that suffer them. PCI Compliance, 3e, helps readers avoid costly breaches and inefficient compliance initiatives and keep their infrastructure secure.
- Provides a clear explanation of PCI
- Provides practical case studies, fraud studies, and analysis of PCI
- The first book to address the version 2.0 updates to the PCI DSS, with security strategy to keep your infrastructure PCI compliant
Table of Contents
Front Cover
PCI Compliance
Copyright page
Acknowledgments
About the Authors
Contents
Foreword
1 About PCI and This Book
Who Should Read This Book?
How to Use The Book in Your Daily Job
What This Book is Not
Organization of the Book
Summary
2 Introduction to Fraud, Data Theft, and Related Regulatory Mandates
Summary
3 Why is PCI Here?
What is PCI and Who Must Comply?
Electronic Card Payment Ecosystem
Goal of PCI DSS
Applicability of PCI DSS
PCI DSS in Depth
Compliance Deadlines
Compliance and Validation
History of PCI DSS
PCI Council
QSAs
PA-QSAs
Principal-Associate QSAs
PFIs
ASVs
Quick Overview of PCI Requirements
Changes to PCI DSS
PCI DSS and Risk
Benefits of Compliance
Case Study
The Case of the Developing Security Program
The Case of the Confusing Validation Requirements
Summary
References
4 Determining and Reducing the PCI Scope
The Basics of PCI DSS Scoping
The "Gotchas" of PCI Scope
Scope Reduction Tips
Planning Your PCI Project
Case Study
The Case of the Leaky Data
The Case of the Entrenched Enterprise
Summary
5 Building and Maintaining a Secure Network
Which PCI DSS Requirements Are in This Domain?
Establish Firewall Configuration Standards
Denying Traffic from Untrusted Networks and Hosts
Restricting Connections
Personal Firewalls
Other Considerations for Requirement 1
Requirement 2: Defaults and Other Security Parameters
Default Passwords
Simple Network Management Protocol Defaults
Delete Unnecessary Accounts
Develop Configuration Standards
Implement Single Purpose Servers
Configure System Security Parameters
Encrypt Non-console Administrative Access
Hosting Providers Must Protect Shared Hosted Environment
What Else Can You Do to Be Secure?
Tools and Best Practices
Common Mistakes and Pitfalls
Egress Filtering
Documentation
System Defaults
Case Study
The Case of the Small, Flat Store Network
The Case of the Large, Flat Corporate Network
The Case of the Do Over
Summary
6 Strong Access Controls
Which PCI DSS Requirements are in this Domain?
Principles of Access Control
Confidentiality
Integrity
Availability
Requirement 7: How Much Access Should a User Have?
Requirement 8: Authentication Basics
Two-Factor Authentication and Requirement 8.3
Rendering Passwords Unreadable in Transit and Storage
Authentication and Requirements 8.5.1–8.5.7
Educating Users
Password Design for PCI DSS: Requirements 8.5.8–8.5.12
Locking Users Out: Requirements 8.5.13–8.5.15
Databases and Requirement 8.5.16
Windows and PCI Compliance
Windows File Access Control
Finding Inactive Accounts in Active Directory
Enforcing Password Requirements in Windows on Standalone Computers
Enabling Password Protected Screen Savers on Standalone Windows Computers
Setting File Permissions on Standalone Windows Computers
POSIX (UNIX/Linux Systems) Access Control
Linux Enforce Password Complexity Requirements
Cisco and PCI Requirements
Cisco Enforce Session Timeout
Setting Up SSH in a Cisco Environment
Requirement 9: Physical Security
Handling Visitors: Requirements 9.2–9.4
Handling Media: Requirements 9.5–9.10.2
What Else Can You Do to Be Secure?
Tools and Best Practices
Random Password for Users
Common Mistakes and Pitfalls
Poor Documentation
Legacy Systems
Physical Access Monitoring
Case Study
The Case of the Stolen Database
The Case of the Loose Permissions
Summary
7 Protecting Cardholder Data
What is Data Protection and Why is it Needed?
The Confidentiality/Integrity/Availability Triad
Requirements Addressed in This Chapter
PCI Requirement 3: Protect Stored Cardholder Data
Requirement 3 Walk-Through
Encryption Methods for Data at Rest
File- or Folder-Level Encryption
Full-Disk Encryption
Database (Column-Level) Encryption
PCI and Key Management
What Else Can You Do to Be Secure?
PCI Requirement 4 Walk-Through
Transport Layer Security and Secure Sockets Layer
IPsec Virtual Private Networks
Wireless Transmission
Misc Card Transmission Rules
Requirement 12 Walk-Through
Appendix A of PCI DSS
How to Become Compliant and Secure
Step 1: Identify Business Processes with Card Data
Step 2: Focus on Shrinking the Scope
Step 3: Identify Where the Data is Stored
Step 4: Determine What to Do About Your Data
Step 5: Determine Who Needs Access
Step 6: Develop and Document Policies
Common Mistakes and Pitfalls
Case Study
The Case of the Leaky Data
The Case of the Satellite Location
Summary
References
8 Using Wireless Networking
What is Wireless Network Security?
Where is Wireless Network Security in PCI DSS?
Requirements 1 and 12: Documentation
Actual Security of Wireless Devices: Requirements 2, 4, and 9
Logging and Wireless Networks: Requirement 10.5.4
Testing for Unauthorized Wireless: Requirement 11.1
Quarterly Sweeps or Wireless IDS/IPS: How to Choose
Why Do We Need Wireless Network Security?
Other Wireless Technologies
Tools and Best Practices
Common Mistakes and Pitfalls
Why is WEP So Bad?
Case Study
The Case of the Untethered Laptop
The Case of the Expansion Plan
The Case of the Double Secret Wireless Network
Summary
9 Vulnerability Management
PCI DSS Requirements Covered
Vulnerability Management in PCI
Stages of Vulnerability Management Process
Policy Definition
Data Acquisition
Prioritization
Mitigation
Requirement 5 Walk-Through
What to Do to Be Secure and Compliant?
Requirement 6 Walk-Through
Web-Application Security and Web Vulnerabilities
WAS
Web Application Firewalls
What to Do to Be Secure and Compliant?
Requirement 11 Walk-Through
External Vulnerability Scanning with ASV
What is an ASV?
Considerations When Picking an ASV
How ASV Scanning Works
Operationalizing ASV Scanning
What Do You Expect from an ASV?
Internal Vulnerability Scanning
Penetration Testing
Common PCI Vulnerability Management Mistakes
Case Study
PCI at a Retail Chain
PCI at an E-Commerce Site
Summary
References
10 Logging Events and Monitoring the Cardholder Data Environment
PCI Requirements Covered
Why Logging and Monitoring in PCI DSS?
Logging and Monitoring in Depth
PCI Relevance of Logs
Logging in PCI Requirement 10
Monitoring Data and Log for Security Issues
Logging and Monitoring in PCI: All Other Requirements
PCI DSS Logging Policies and Procedures
Building an Initial Baseline Manually
Guidance for Identifying "Known Bad" Messages
Main Workflow: Daily Log Review
Exception Investigation and Analysis
Validation of Log Review
PCI Compliance Evidence Package
Periodic Operational Task Summary
Daily Tasks
Tools For Logging in PCI
Other Monitoring Tools
Intrusion Detection and Prevention
Integrity Monitoring
Common Mistakes and Pitfalls
Case Study
The Case of the Risky Risk-Based Approach
The Case of Tweaking to Comply
Summary
Reference
11 PCI for the Small Business
The Risks of Credit Card Acceptance
New Business Considerations
Your POS is Like My POS!
A Basic Scheme for SMB Hardening
Case Study
The Case of the Cashless Cover Charge
Summary
12 Managing a PCI DSS Project to Achieve Compliance
Justifying a Business Case for Compliance
Figuring Out If You Need to Comply
Compliance Overlap
The Level of Validation
What is the Cost for Noncompliance?
Penalties for Noncompliance
Bringing the Key Players to the Table
Obtaining Corporate Sponsorship
Forming Your Compliance Team
Roles and Responsibilities of Your Team
Getting Results Fast
Notes from the Front Line
Budgeting Time and Resources
Setting Expectations
Management's Expectations
Establishing Goals and Milestones
Having Status Meetings
Educating Staff
Training Your Compliance Team
Training the Company on Compliance
Setting Up the Corporate Compliance Training Program
Project Quickstart Guide
The Steps
Step 1: Obtain Corporate Sponsorship
Step 2: Identify and Establish Your Team
Step 3: Determine Your PCI Level
Step 4: Complete a PCI DSS SAQ-D
Step 5: Set Up Quarterly External Network Scans from an Approved Scanning Vendor
Step 6: Get Validated by a QSA
Step 7: Perform a Gap Analysis
Step 8: Create PCI DSS Compliance Plan
Step 9: Prepare for Annual Assessment of Compliance Validation
The PCI DSS Prioritized Approach
The Visa TIP
Summary
Reference
13 Don't Fear the Assessor
Remember, Assessors are there to Help
Balancing Remediation Needs
How FAIL == WIN
Dealing with Assessorsβ Mistakes
Planning for Remediation
Fun Ways to Use CVSS
Planning for Reassessing
Summary
14 The Art of Compensating Control
What is a Compensating Control?
Where are Compensating Controls in PCI DSS?
What a Compensating Control is Not
Funny Controls You Didn't Design
How to Create a Good Compensating Control
Case Studies
The Case of the Newborn Concierge
Summary
15 You're Compliant, Now What?
Security is a Process, Not an Event
Plan for Periodic Review and Training
PCI Requirements With Periodic Maintenance
Build and Maintain a Secure Network
Protect Cardholder Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy
PCI Self-Assessment
Case Study
The Case of the Compliant Company
Summary
16 Emerging Technology and Alternative Payment Schemes
New Payment Schemes
Mobile
Near-Field Communication
Square
Google Checkout and Paypal
Predictions
Taxonomy and Tidbits
EMV
Europe vs the US vs the Rest of the World
Customer Experience
Case Study
The Case of the Cashless Cover Charge
Summary
17 Myths and Misconceptions of PCI DSS
Myth #1 PCI Doesn't Apply to Me
A Perfect Example of Myth #1 at Work!
Myth #2 PCI is Confusing and Ambiguous
Myth #3 PCI DSS is Too Onerous
Myth #4 Breaches Prove PCI DSS Irrelevant
Myth #5 PCI is All We Need For Security
Myth #6 PCI DSS is Really Easy
Myth #7 My Tool is PCI Compliant Thus I Am Compliant
Myth #8 PCI is Toothless
Case Study
The Case of the Cardless Merchant
Summary
References
Index
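The chapter 10 entries above (Building an Initial Baseline Manually, Guidance for Identifying "Known Bad" Messages, Main Workflow: Daily Log Review, Exception Investigation and Analysis) outline the Requirement 10 log-review workflow: baseline what is normal, match what is known to be bad, and investigate everything else. The Python script below is an added example of that three-way classification, not code from the book or its authors. The syslog lines, the host name, the KNOWN_BAD patterns and the field-normalization rules are all constructed for illustration; a real deployment would draw its baseline from weeks of clean logs and its known-bad list from the organization's own policy.

```python
"""Daily log review in the shape of the chapter 10 workflow: a manually built
baseline of "known good" message types, a short list of "known bad" patterns,
and everything else surfaced as an exception for investigation.
Added example; not code from the book.  All log lines are constructed."""
import re
from collections import Counter

# Constructed sample syslog lines from a known-clean day on an in-scope host.
BASELINE_LOGS = """\
Mar  1 09:00:01 pos01 sshd[1201]: Accepted publickey for deploy from 10.1.2.3 port 51000 ssh2
Mar  1 09:05:00 pos01 CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)
Mar  1 09:10:22 pos01 sshd[1250]: Disconnected from 10.1.2.3 port 51000
Mar  1 10:05:00 pos01 CRON[1400]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()

# Constructed sample lines for the day under review.
TODAY_LOGS = """\
Mar  2 09:00:03 pos01 sshd[2201]: Accepted publickey for deploy from 10.1.2.3 port 52000 ssh2
Mar  2 09:05:00 pos01 CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)
Mar  2 11:42:10 pos01 sshd[2410]: Failed password for root from 203.0.113.9 port 4444 ssh2
Mar  2 11:42:12 pos01 sshd[2410]: Failed password for root from 203.0.113.9 port 4444 ssh2
Mar  2 12:00:00 pos01 useradd[2500]: new user: name=tmp, UID=1005, GID=1005, home=/home/tmp
Mar  2 12:01:00 pos01 sudo: tmp : TTY=pts/0 ; PWD=/home/tmp ; USER=root ; COMMAND=/bin/bash
Mar  2 13:00:00 pos01 sshd[2600]: Accepted password for deploy from 10.1.2.3 port 53000 ssh2
""".splitlines()

# "Known bad": events that should never appear on a cardholder-data host
# without a change ticket.  Hypothetical list; tune to your environment.
KNOWN_BAD = {
    "failed_root_login": re.compile(r"Failed password for root"),
    "new_account":       re.compile(r"useradd\[\d+\]: new user"),
    "sudo_to_root":      re.compile(r"sudo: .* USER=root"),
}

# Classic BSD syslog layout: timestamp, host, program[pid]: message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w/-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

def message_type(line):
    """Reduce a line to a stable message type by blanking volatile fields
    (IP addresses, ports, PIDs, UIDs, other numbers).  Returns None if the
    line does not parse, so unparseable input is never silently dropped."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    msg = re.sub(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", "<ip>", msg)
    msg = re.sub(r"\bport \d+", "port <n>", msg)
    msg = re.sub(r"\b\d+\b", "<n>", msg)
    return f"{m.group('prog')}: {msg}"

def build_baseline(lines):
    """Manual-baseline step: count the message types seen in a clean period."""
    return Counter(t for t in map(message_type, lines) if t)

def daily_review(lines, baseline):
    """Daily-review step.  Known-bad matches win over the baseline, so a
    pattern that slipped into the baseline period still gets flagged."""
    result = {"known_bad": [], "exceptions": [], "baseline": 0, "unparsed": []}
    for line in lines:
        hit = next((name for name, rx in KNOWN_BAD.items() if rx.search(line)), None)
        if hit:
            result["known_bad"].append((hit, line))
            continue
        t = message_type(line)
        if t is None:
            result["unparsed"].append(line)
        elif t in baseline:
            result["baseline"] += 1
        else:
            result["exceptions"].append((t, line))
    return result

if __name__ == "__main__":
    review = daily_review(TODAY_LOGS, build_baseline(BASELINE_LOGS))
    for name, line in review["known_bad"]:
        print(f"KNOWN BAD [{name}]: {line}")
    for t, line in review["exceptions"]:
        print(f"EXCEPTION [{t}]: {line}")
    print(f"{review['baseline']} lines matched the baseline; "
          f"{len(review['unparsed'])} unparsed")
```

The exception bucket is where the review earns its keep: in the constructed data the password-based SSH login is neither known bad nor in the baseline, which is exactly the kind of quiet change (a key-only policy silently relaxed) that a daily review is meant to catch and document as evidence.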