1st Edition

PCI Compliance
The Definitive Guide




ISBN 9781439887400
Published May 5, 2014 by Auerbach Publications
351 Pages 68 B/W Illustrations

USD $84.95


Book Description

Although organizations that store, process, or transmit cardholder information are required to comply with payment card industry standards, most find it extremely challenging to comply with and meet the requirements of these technically rigorous standards. PCI Compliance: The Definitive Guide explains the ins and outs of the payment card industry (PCI) security standards in a manner that is easy to understand.

This step-by-step guidebook delves into PCI standards from an implementation standpoint. It begins with a basic introduction to PCI compliance, including its history and evolution. It then thoroughly and methodically examines the specific requirements of PCI compliance. PCI requirements are presented along with notes and assessment techniques for auditors and assessors.

The text outlines application development and implementation strategies for Payment Application Data Security Standard (PA-DSS) implementation and validation. Explaining the PCI standards from an implementation standpoint, it clarifies the intent of the standards on key issues and challenges that entities must overcome in their quest to meet compliance requirements.

The book goes beyond detailing the requirements of the PCI standards to delve into the multiple implementation strategies available for achieving PCI compliance. The book includes a special appendix on the recently released PCI-DSS v3.0. It also contains case studies from a variety of industries undergoing compliance, including banking, retail, outsourcing, software development, and processors. Outlining solutions extracted from successful real-world PCI implementations, the book ends with a discussion of PA-DSS standards and validation requirements.

Table of Contents

Payment-Card Industry: An Evolution
The Development of a System: The Coming of the Credit Card
     The Need for Credit: A Historical Perspective
          Credit in the Mesopotamian Civilization
          Credit in the Era of Coins and Metal Bullion (800 BC to AD 600)
          The Rise of Virtual Money Transactions (AD 600 to AD 1500)
          The Reemergence of Coins and Precious Metal Currency (1500–1971)
          The Rise of Debt (1971 Onwards)
          The Need for Credit
     The Credit Card: A Means to Address the Need for Credit
          The History of the Credit Card
          The First Credit Cards
          The Development of a Credit Card Industry
Debit Cards and Automated Teller Machines
     The Coming of the Debit Card
     The Automated Teller Machine
     E-Commerce and Online Payments
The Future of Payments
     Trends for the Future of Payments
          Mobile Payments
          Contactless Payments
          Chip and PIN Cards
Summary

Card Anatomy: The Essentials
Payment Cards: Types of Cards
     Payment Card with Magnetic Stripe
          Magnetic Stripe Cards: A Brief History
          Magnetic Stripe Coercivity
          Magnetic Stripe: A Primer on Data Sets
     Chip and PIN Cards
Payment Cards: An Anatomy
     Payment Card: External Visage (Front)
          The Card Issuer’s Logo
          The Payment Brand Logo and Hologram
          The Card Number (PAN)
          The Expiration Date
          The Cardholder’s Name
     Payment Card: External Visage (Back)
          The Magnetic Stripe
          Signature Strip
          The CVV
          Service Disclaimer
          Bank Address and Contact Details
          Customer Service Information
Data Sets: Payment Card
     Track 1 Data
     Track 2 Data
     Track 3 Data
Payment Card: Terminology
     The Payment Card Processing Cycle
     Merchants
     Acquirers
     Payment Networks
     Issuers
     Processors
     Other Service Providers
     Independent Sales Organizations
Payment Card Transactions
     Card-Present Transaction
     Card-Not-Present Transactions
     Open-Loop Payment Systems
     Closed-Loop Payment Systems
Summary

Security and the Payment-Card Industry
A Brief History of Credit Card Fraud
A Brief History of Significant Card Data Breaches
     The CardSystems Breach
     The TJ-Maxx Card Breach
     The Heartland Payment Systems Breach
     The Sony PlayStation Network Breach
Cardholder Security Programs
     Card Brand Cardholder Security Programs
     The Formation of the PCI-DSS and PCI-SSC
     Structure of the PCI Standards
     The PCI Assessment Environment
          PCI-QSAs and PCI-QSACs
          The PCI ASV (Approved Scanning Vendor)
          The PCI Internal Security Assessor
          The PCI Special-Interest Groups
     Payment Application Compliance
          PCI’s PA-DSS
          PA-QSA and PA-QSAC
Summary

Payment Card Industry Data Security Standard (PCI-DSS)
Brief History of the PCI-DSS
PCI Compliance Levels: Payment Brands
     Payment Brand Compliance Programs and PCI-DSS
     Compliance Levels and Compliance Requirements
          Visa Merchant and Service Provider Validation Levels
          MasterCard Merchant and Service Provider Validation Levels
          American Express Merchant and Service Provider Compliance Validation Levels
     Compliance Validation Levels: Identification and Implementation
PCI-DSS: Applicability
     Applicability of PCI Compliance and Interplay with Compliance Validation Requirements
     Merchant Organizations
     Service Providers: Processors
     Service Providers: Everybody Else
     Cloud Service Providers
PCI: Attestation, Assessment, and Certification
     The Role of a PCI-QSA
     The PCI-DSS Requirements
     Compensatory Controls
     Documentation: The Report on Compliance
     Documentation: The Attestation of Compliance
Summary

The Payment Application Data Security Standard (PA-DSS)
History and Overview of the PA-DSS
     The Need for Payment Application Validation for PCI
     A Brief History of the PA-DSS
     Primer on the PA-DSS Standard
          The PA-DSS Requirements
PA-DSS Validation
     The PA-DSS Validation Process
     The Differences in PCI-DSS and PA-DSS Validation
     Technical Testing and Validation for the PA-DSS
     Role of a PA-QSA
PA-DSS Documentation
     The PA-DSS Report on Validation
     The PA-DSS Implementation Guide
     The PA-DSS Attestation of Validation
     The PA-DSS Vendor Release Agreement
PA-DSS Application Revalidation
     Annual Revalidation
     Changes to Payment Applications
          No-Impact Change
          Low-Impact Change
          High-Impact Change
     Change-Impact Documentation
          No-Impact Change-Impact Documentation
          Low-Impact Change-Impact Documentation
          High-Impact Change-Impact Documentation
Summary

Enterprise Approach to PCI Compliance
Industry Verticals and PCI Compliance
     PCI Approaches for Different Industry Verticals
          Basic Business Function
          Cardholder Information Touch Points
          The Organization Itself
     Merchants
     Service Providers
          Issuing TPPs
          Acquiring TPPs
     Banks
     Other Service Providers
Enterprise Challenges: PCI Compliance
     Information Overload: A Perspective
     Knowledge of the Team
     Management Impetus
     Budgetary Constraints
     Technical Constraints
Good Practices: To Get PCI Compliant
     PCI Taskforce
     Create a Defined Scope
     Don’t Focus on PCI Compliance
     Understand Risk—Always
     Pick the Right QSA
Good Practices for Application Vendors: PA-DSS
     Security from Incipiency
     Document, Document, Document
     Scope Out
Summary

Scoping for PCI Compliance
Scoping for PCI Compliance: A Primer
The Cardholder-Data Environment (CDE)
     Defining the Cardholder-Data Environment
     Cardholder-Data Flow
     Cardholder-Data Matrix
          ATM Card Processing: Acquiring
          Card-Issuing Function
          POS Billing and Merchant Acquisition
          Fraud-Management Services
          Cardholder Customer Service Management
          Identifying Cardholder Data
     The Role of the PCI-QSA in the CDE
Tips for Scope Reduction
     Why Reduce Scope?
     Network Segmentation
     Scoping Out E-Commerce Applications
     Tokenization and Other Data-Protection Techniques
System Components in the PCI Scope
     Network and Network Components
     Servers and OS Components
     Applications
Summary

Requirement 1: Build and Maintain a Secure Network
Network Security: A Primer
     Network Security Architecture: Enterprise
     Network Architecture: Scoping Out
          Benefits of Scoping Out with Network Segmentation
          Common Resources
          Technology: Network Segmentation
Network Security Requirements for PCI
     The Network Security Documentation
          Requirement 1.1: Firewall and Router Configuration Standards
          PCI Assessor’s Notes: Requirement 1.1
     Network Components: Firewalls, Routers, and Other Network Components
          Firewall and Router Specifications and Configurations
     The Demilitarized Zone (DMZ)
          PCI Requirements Relating to the DMZ
     The Role of Managed Services
Summary

Requirement 2: Vendor-Supplied Defaults, System Passwords, and Security Parameters
Vendor-Supplied Default Passwords
     Configuration Standards and Vendor-Supplied Default Passwords and Security Parameters
          Requirement 2.1: Change Vendor-Supplied Default Passwords
          Requirement 2.2: Configuration Standards for System Components
          Requirement 2.2.1: One Primary Function per Server
          Insecure Protocols and Services
          Requirements 2.2.3 and 2.2.4 Security Parameters: To Prevent Misuse
     Nonconsole Administrative Access
     Wireless Security Consideration: Vendor-Supplied Defaults
PA-DSS: Application Requirements for Vendor-Supplied Defaults and Security Parameters
     Payment Application Vendor-Supplied Defaults
          Requirement 3.1b of the PA-DSS
          Requirement 5.1.3 of the PA-DSS
     Secure Network Implementation: Payment Applications
          Requirement 5.4 of the PA-DSS
          Requirement 8.1 of the PA-DSS
          Requirement 6 of the PA-DSS: Wireless Security Requirements
Summary

Requirement 3: Protect Stored Cardholder Data
Storage, Retention, and Destruction of Stored Cardholder Data
     Do You Really Need to Store Cardholder Data?
     Policies and Procedures around Storage of Cardholder Data
Requirement 3.2: Sensitive Authentication Data at Rest
     Authentication Parameters: Concept Overview
          CVV/CVC/CAV1&2
          PIN Verification Value (PVV) and PIN Offset
          PIN/PIN Block
     Authentication Parameters
     Issuers and Storage of Sensitive Authentication Data
     Requirement 3.2: Assessment Notes
Display of the Card PAN
Requirement 3.4: Rendering the PAN Unreadable Wherever Stored
     An Overview of Techniques to Render the PAN Unreadable
          Use of One-Way Hashing
          One-Way Hashing Algorithms and Security Considerations
          Use of Truncation
          Use of Tokenization
          Use of Strong Cryptography
     Rendering the PAN Unreadable Everywhere It Is Stored
Cryptography: Terminology and Concept Review
     Cryptosystem
     Key and Keyspace
     Initialization Vector
     Symmetric and Asymmetric Cryptography
     Block Ciphers and Stream Ciphers
     Block Cipher Modes of Encryption
          Electronic Code Book
          Cipher Block Chaining
          Cipher Feedback
          Output Feedback
          Counter
Requirements 3.5 and 3.6: Key Security and Key Management
     Key-Management Considerations: Enterprises
     Key-Management Practices for Banks and Acquiring and Issuing TPPs
          Hardware Security Module (HSM)
          Local Master Key
          Zone-Control Master Keys
          PIN Working Keys
          PIN Verification Key
          Message Authentication Keys
          Card Verification Keys
          Derived Unique Key per Transaction (DUKPT)
     Principles of Encryption and Key Management for Protecting the Stored PAN
          Secure Key Generation
          Single-Purpose Cryptographic Keys
          Secure Key Storage
          Secure Key Distribution and Exchange
          Cryptoperiod and Key Changes
          Dual-Key Management for Manual Cryptography
Summary

Requirement 4: Securing Cardholder Information in Transit
Requirement 4.1: Secure Transmission of Cardholder Information Over Open, Public Networks
     Open, Public Networks: A PCI Viewpoint
     Secure Protocols
          HTTPS with SSL/TLS
          Secure Shell (SSH)
          IPSec VPN
     Requirement 4.1.1: WiFi Security Practices for Cardholder Data Transmissions
Requirement 4.2: Unprotected PANs over End-User Messaging Technologies
Summary

Requirement 5: Use and Regularly Update Antivirus Software
Requirement 5.1: Use of Antivirus Programs to Protect Commonly Affected Systems
     Antivirus Deployment within the PCI Environment (CDE)
Requirement 5.2: Managing the Antivirus Application
     Managing and Monitoring the Antivirus Application for PCI Compliance
Commercial Applications: Antivirus Requirements
Summary

Requirement 6: Develop and Maintain Secure Systems
Requirement 6.1: Patch-Management Practices for PCI Compliance
     Patch Management for PCI Compliance
     Approaches to Patching and Patch Management
          Change-Management Process of System Patch Deployment
     Risk-Based Approach to Patch Management
     Assessor’s Notes for Verifying Patch-Management Practices
Requirement 6.2: Vulnerability-Management Practices for PCI Compliance
Secure Application Development Practices for PCI-DSS and PA-DSS
     Requirement 6.3: Secure SDLC for Application Development
          The Risk-Assessment Approach to Secure SDLC
          Requirement 6.3.1: Removal of Default User Accounts, IDs, and Passwords
          Requirement 6.3.2: Custom Code Review for Security
     Requirement 6.4: Application Change Management and Change Control
          Requirement 6.4.5: Change-Management Document and the Essentials of Change Control and Change Management
          Requirements 6.4.2 and 6.4.3: Separation of Production, Development, and Test Environments
          Requirement 6.4.3: Use of Live PANs for Testing
          Requirement 6.4.4: Removal of Test Data in Production
Requirement 6.5: Secure Coding Guidelines for Applications
     Secure Coding Guidelines: References and Best Practices
     Requirement 6.5.1: Secure Coding to Address Injection Flaws
          SQL Injection
          XPath Injection
          LDAP Injection
          Command Injection
     Requirement 6.5.2: Secure Coding to Address Buffer Overflows
     Requirement 6.5.3: Secure Coding to Address Cryptographic Flaws
          Cryptography Essentials
     Requirement 6.5.4: Secure Coding to Address Insecure Transmissions
          The SSL/TLS Handshake Process
          Implementation Best Practices for Secure Transmission: Web Applications
     Requirement 6.5.5: Secure Coding to Address Improper Error Handling
     Requirement 6.5.6: Remediation Measures to Address High-Severity Vulnerabilities
     Requirement 6.5.7: Secure Coding to Address Cross-Site Scripting
          Reflected XSS
          Persistent XSS
     Requirement 6.5.8: Secure Coding to Address Flawed Access Control
          Session Hijacking
          Cross-Site Request Forgery
          Session Fixation
          Forceful Browsing
     Requirement 6.5.9: Secure Coding to Address Cross-Site Request Forgery
Ongoing Vulnerability-Management Practices for Web Applications
     Web-Application Vulnerability Assessments
     Usage of a Web-Application Firewall
Summary

Requirement 7: Restrict Access to Cardholder Data by Business Need to Know
Requirement 7.1: Restrict Access to Systems with Cardholder Data
     Access Restrictions across the PCI Environment
     The Principle of Least Privilege
     Documentation of Approval: Access Privileges
     Automated Access-Control System
Summary

Requirement 8: Access-Control Requirements for PCI Environments
Unique IDs for Users: PCI Environment
     Requirement 8.1: Assign Unique IDs to Users in PCI Environment
Factors of Authentication
     The Three Factors of Authentication Supplementing User IDs
          Something You Know: Knowledge Factors
          Something You Are: Physical Factors
          Something You Have: Physical Token Parameters
     Two-Factor Authentication: Remote Access
Protection of Passwords: Transmission and Storage
     Protection of Passwords in Transit
     Protection of Passwords at Rest
Authentication Management for PCI Environments
     Access-Control Procedure
     Requirement 8.5.1: Control of Operations on Access Control
     Requirement 8.5.2: Verification of User Identity (Password Resets)
     Requirement 8.5.3: Unique Password Value and First-Use Change
     Requirements 8.5.4 and 8.5.5: Revocation and Removal of User Access Rights
          Requirement 8.5.4: Revocation of User Access Rights Immediately after User Separation
          Requirement 8.5.5: Disabling User Accounts within 90 Days
     Requirement 8.5.6: Vendor Account Access Management
     Requirement 8.5.8: Prohibit Shared, Group, or Generic Accounts
     Requirements 8.5.9–8.5.15: Password Management for PCI Environments
Database Access Requirements for PCI Environments
     Requirement 8.5.16: Database Authentication Requirements
PA-DSS Requirements for Authentication
     Requirement 8 of PCI and Requirement 3 of the PA-DSS
Summary

Requirement 9: Restrict Physical Access to Cardholder Data
Requirement 9.1: Physical Access Controls for the PCI Environment
     Requirement 9.1.1: Use of Cameras and/or Access-Control Mechanisms
     Requirements 9.1.2 and 9.1.3: Restrict Physical Access to Network Components
          The Dangers of Visitor Network Access
          Protection Strategies for Visitor Network Access
          Requirement 9.1.3: Physical Protection for Network Devices
Requirements 9.2, 9.3, and 9.4: Employee and Visitor Access
     Visitor-Management Procedure
          Visitor Access and Employee Access Distinctions
          Granting Visitor Access
          Visitor Access Privileges and Restrictions
          Revocation of Visitor and Employee Access
          Access to Badge System/Physical Access-Control System
          Visitor Distinction
          Visitor Access Records
Requirements 9.5–9.10: Media Management and Security
     Requirement 9.5: Physical Security—Off-Site Media Backup Location
          The Need for Off-Site Backup
          Security Controls: Off-Site Backup
     Requirements 9.9 and 9.10: Media Destruction
Summary

Requirement 10: Logging and Monitoring for the PCI Standards
Audit Trails: PCI Requirements
     The Need for Audit Trails and Logs
     Challenges: Log Management
          Distributed Event Logs
          Volume of Log Entries
          Nonstandard Logging Practices
          Multiple Tools
          People Intensive
     Access-Control Link: Audit Trails
Details: Audit Trail Capture
     Audit Logs: Details
          Individual Access to Cardholder Data
          Actions by Root or Administrative Users
          Access to Audit Trails
          Invalid Access Attempts
          Use of Identification and Authentication Mechanisms
          Initialization of Audit Logs
          Creation of System-Level Objects
     Audit-Trail Entries and Records
          User Identification
          Type of Event
          Date and Time
          Indication of Success or Failure
          Origination of Event
          Identification of Affected System, Resource, or Component
     Application Logging Best Practices
The Importance of Time and Its Consistency
     Time Sync across IT Components
     Network Time Protocol for Time Synchronization
Securing Audit Trails and Logs
     Business Need to Know: Logs and Audit Trails
     Securing Log Information
          Strong Access Control
          System Hardening
          Centralized Log Server
          File-Integrity Monitoring
Log Monitoring, Review, and Retention
     Requirement 10.6: Log Review and Monitoring
     Requirement 10.7: Log Retention
Summary

Requirement 11: Security Testing for the PCI Environment
Wireless Access Point: Testing
     Testing for Rogue/Unauthorized Wireless Access Points
          Wireless Network Scanning
          Physical Inspection
          Network Access Control
          Wireless IDS/IPS Deployment
Internal and External Network Vulnerability Scanning
     Vulnerability Scanning: Concept Note
          Vulnerability Categorization
          Vulnerability Scanning: Methodology
     Internal and External Network Vulnerability Scanning
          Internal and External Vulnerability Scanning
          Network Vulnerability Scanning
     Scanning by PCI Approved Scanning Vendor (ASV)
Internal and External Penetration Testing
     Fundamental Differences: Vulnerability Assessment and Penetration Testing
          Why Perform a Penetration Test?
          Network-Layer Penetration Tests
          Application-Layer Penetration Testing
Deployment of Intrusion Detection/Prevention Devices or Applications
     Intrusion Detection/Prevention Systems: An Overview
          Signature Based
          Statistical-Based Anomaly Detection
          Stateful Protocol Analysis Detection
     PCI Requirement: Intrusion Detection/Prevention System
File-Integrity Monitoring: Critical System Files and Configurations
     Attacks: Key System Files
     File-Integrity Monitoring: Critical System Files, Processes, and Content Files
Summary

Requirement 12: Information Security Policies and Practices for PCI Compliance
Information Security Policy: PCI Requirements
     Security Policy Definition
     Risk Assessment: PCI Compliance
          A Question of Adequacy
          Risk Assessment: Process and Overview
     Annual Review: Policy and Risk-Management Framework
Operational Security Procedures
     Security Focus Areas
     Acceptable Usage Policies and Procedures
          List of Acceptable Technologies, Applications, and Devices
          Explicit Approval for Technology Usage
          Inventory and Labeling
          Authentication for the Use of Technology
          Acceptable Usage
Security Roles and Responsibilities
     Documentation: Roles and Responsibilities
          The Chief Information Security Officer
          Distribution of Policies and Procedures and Monitoring of Security Alerts
          User Management: Roles and Responsibilities
People Security Practices
     Security Awareness Training and Monitoring
     Employee Background Verification
Vendor Management and PCI Compliance
     Vendors: Data Sharing and Risk Management
Incident Management and Incident Response
     Incident-Response Plans and Procedures
          Elements of Incident-Response Plan
          Incident-Response Success Factors
Summary

Beyond PCI Compliance
Maintaining PCI Compliance: The Challenge
     The Challenge: The Dilemma Produced by Success
          The Information Problem
          The Technology Challenge
          Management Attitude
Success Factors for Continuing PCI Compliance
     A Change of Attitude
          Deep Understanding of Risk and Its Application
          The CISO
Summary

Index


Author(s)

Biography

Abhay Bhargav is the founder and chief technical officer of the we45 Group, a Bangalore-based information security solutions company. He has extensive experience with information security and compliance, having performed security assessments for many enterprises in various domains, such as banking, software development, retail, telecom, and legal. He is a Qualified Security Assessor (QSA) for the payment-card industry and has led several security assessments for payment-card industry compliance. He is also the coauthor of Secure Java for Web Application Development, published by CRC Press.

Abhay is a specialist in web-application security with broad experience in vulnerability assessment and penetration testing, and he has served as a consultant for a wide array of enterprises and governmental/quasi-governmental entities. He was recently awarded the SANS GIAC Web Application Penetration Tester certification. He has been interviewed by leading media outlets for his expertise on information security, particularly application security.

Abhay is a regular speaker at industry events. He was a featured speaker at the JavaOne Conference in September 2010 at the Moscone Center in San Francisco. He also regularly speaks at OWASP (Open Web Application Security Project) conferences around the world, notably in New York at the world’s largest application security conference, the OWASP AppSec Conference, in September 2008. He has also spoken at various other conferences and seminars, such as the PCI summit in Mumbai in December 2008. He is a regular speaker at industry events such as the Business Technology Summit and events organized by the Confederation of Indian Industry (CII). He has also delivered several talks to government entities and their stakeholders on information security and application security. He is also a trainer in information security and has led several public workshops on PCI, PA-DSS, and risk assessment.

Abhay is well versed in risk assessment and risk management, with rich consulting experience in the OCTAVE® Risk Assessment and NIST SP 800-30 methodologies. His expertise also extends to providing solutions on information security based on the ISO-27001, HIPAA, SOX, GLBA, and other security-compliance standards.

Previously, Abhay led application security and PCI compliance at SISA Information Security Pvt Ltd. Prior to that, he was involved in implementing enterprise IT solutions for various verticals, including manufacturing and retail. He has developed various business applications in Java and in proprietary object-oriented programming languages such as TDL. He has also written various articles on application security and security compliance.

Apart from his professional interests, Abhay is a trained Carnatic classical flutist and has given several concerts. He is also a theater enthusiast and playwright, with an English comedy play to his writing credit. He blogs actively, maintaining both a security blog and a personal blog, and writes a weekly article on computer education for rural youth in a leading Kannada daily newspaper.