
PCI Compliance

The Definitive Guide, 1st Edition

By Abhay Bhargav

Auerbach Publications

351 pages | 68 B/W Illus.

Hardback: ISBN 9781439887400, published 2014-05-05
eBook (VitalSource): ISBN 9780429086304, published 2014-05-05


Although organizations that store, process, or transmit cardholder information are required to comply with the payment card industry (PCI) security standards, most find these technically rigorous standards extremely challenging to meet. PCI Compliance: The Definitive Guide explains the ins and outs of the PCI standards in a manner that is easy to understand.

This step-by-step guidebook delves into PCI standards from an implementation standpoint. It begins with a basic introduction to PCI compliance, including its history and evolution. It then thoroughly and methodically examines the specific requirements of PCI compliance. PCI requirements are presented along with notes and assessment techniques for auditors and assessors.

The text outlines application development and implementation strategies for Payment Application Data Security Standard (PA-DSS) validation. Explaining the PCI standards from an implementation standpoint, it clarifies the intent of the standards on key issues and the challenges that entities must overcome to meet compliance requirements.

The book goes beyond detailing the requirements of the PCI standards to delve into the multiple implementation strategies available for achieving PCI compliance. It includes a special appendix on the recently released PCI-DSS v3.0. It also contains case studies from a variety of industries undergoing compliance, including banking, retail, outsourcing, software development, and processors. Outlining solutions extracted from successful real-world PCI implementations, the book also covers the PA-DSS standard and its validation requirements.

Table of Contents

Payment-Card Industry: An Evolution

The Development of a System: The Coming of the Credit Card

The Need for Credit: A Historical Perspective

Credit in the Mesopotamian Civilization

Credit in the Era of Coins and Metal Bullion (800 BC to AD 600)

The Rise of Virtual Money Transactions (AD 600 to AD 1500)

The Reemergence of Coins and Precious Metal Currency (1500–1971)

The Rise of Debt (1971 Onwards)

The Need for Credit

The Credit Card: A Means to Address the Need for Credit

The History of the Credit Card

The First Credit Cards

The Development of a Credit Card Industry

Debit Cards and Automated Teller Machines

The Coming of the Debit Card

The Automated Teller Machine

E-Commerce and Online Payments

The Future of Payments

Trends for the Future of Payments

Mobile Payments

Contactless Payments

Chip and PIN Cards


Card Anatomy: The Essentials

Payment Cards: Types of Cards

Payment Card with Magnetic Stripe

Magnetic Stripe Cards: A Brief History

Magnetic Stripe Coercivity

Magnetic Stripe: A Primer on Data Sets

Chip and PIN Cards

Payment Cards: An Anatomy

Payment Card: External Visage (Front)

The Card Issuer’s Logo

The Payment Brand Logo and Hologram

The Card Number (PAN)

The Expiration Date

The Cardholder’s Name

Payment Card: External Visage (Back)

The Magnetic Stripe

Signature Strip


Service Disclaimer

Bank Address and Contact Details

Customer Service Information

Data Sets: Payment Card

Track 1 Data

Track 2 Data

Track 3 Data

Payment Card: Terminology

The Payment Card Processing Cycle



Payment Networks



Other Service Providers

Independent Sales Organizations

Payment Card Transactions

Card-Present Transaction

Card-Not-Present Transactions

Open-Loop Payment Systems

Closed-Loop Payment Systems


Security and the Payment-Card Industry

A Brief History of Credit Card Fraud

A Brief History of Significant Card Data Breaches

The CardSystems Breach

The TJ-Maxx Card Breach

The Heartland Payment Systems Breach

The Sony PlayStation Network Breach

Cardholder Security Programs

Card Brand Cardholder Security Programs

The Formation of the PCI-DSS and PCI-SSC

Structure of the PCI Standards

The PCI Assessment Environment


The PCI ASV (Approved Scanning Vendor)

The PCI Internal Security Assessor

The PCI Special-Interest Groups

Payment Application Compliance




Payment Card Industry Data Security Standard (PCI-DSS)

Brief History of the PCI-DSS

PCI Compliance Levels: Payment Brands

Payment Brand Compliance Programs and PCI-DSS

Compliance Levels and Compliance Requirements

Visa Merchant and Service Provider Validation Levels

MasterCard Merchant and Service Provider Validation Levels

American Express Merchant and Service Provider Compliance Validation Levels

Compliance Validation Levels: Identification and Implementation

PCI-DSS: Applicability

Applicability of PCI Compliance and Interplay with Compliance Validation Requirements

Merchant Organizations

Service Providers: Processors

Service Providers: Everybody Else

Cloud Service Providers

PCI: Attestation, Assessment, and Certification

The Role of a PCI-QSA

The PCI-DSS Requirements

Compensatory Controls

Documentation: The Report on Compliance

Documentation: The Attestation of Compliance


The Payment Application Data Security Standard (PA-DSS)

History and Overview of the PA-DSS

The Need for Payment Application Validation for PCI

A Brief History of the PA-DSS

Primer on the PA-DSS Standard

The PA-DSS Requirements

PA-DSS Validation

The PA-DSS Validation Process

The Differences in PCI-DSS and PA-DSS Validation

Technical Testing and Validation for the PA-DSS

Role of a PA-QSA

PA-DSS Documentation

The PA-DSS Report on Validation

The PA-DSS Implementation Guide

The PA-DSS Attestation of Validation

The PA-DSS Vendor Release Agreement

PA-DSS Application Revalidation

Annual Revalidation

Changes to Payment Applications

No-Impact Change

Low-Impact Change

High-Impact Change

Change-Impact Documentation

No-Impact Change-Impact Documentation

Low-Impact Change-Impact Documentation

High-Impact Change-Impact Documentation


Enterprise Approach to PCI Compliance

Industry Verticals and PCI Compliance

PCI Approaches for Different Industry Verticals

Basic Business Function

Cardholder Information Touch Points

The Organization Itself


Service Providers

Issuing TPPs

Acquiring TPPs


Other Service Providers

Enterprise Challenges: PCI Compliance

Information Overload: A Perspective

Knowledge of the Team

Management Impetus

Budgetary Constraints

Technical Constraints

Good Practices: To Get PCI Compliant

PCI Taskforce

Create a Defined Scope

Don’t Focus on PCI Compliance

Understand Risk—Always

Pick the Right QSA

Good Practices for Application Vendors: PA-DSS

Security from Incipiency

Document, Document, Document

Scope Out


Scoping for PCI Compliance

Scoping for PCI Compliance: A Primer

The Cardholder-Data Environment (CDE)

Defining the Cardholder-Data Environment

Cardholder-Data Flow

Cardholder-Data Matrix

ATM Card Processing: Acquiring

Card-Issuing Function

POS Billing and Merchant Acquisition

Fraud-Management Services

Cardholder Customer Service Management

Identifying Cardholder Data

The Role of the PCI-QSA in the CDE

Tips for Scope Reduction

Why Reduce Scope?

Network Segmentation

Scoping Out E-Commerce Applications

Tokenization and Other Data-Protection Techniques

System Components in the PCI Scope

Network and Network Components

Servers and OS Components



Requirement 1: Build and Maintain a Secure Network

Network Security: A Primer

Network Security Architecture: Enterprise

Network Architecture: Scoping Out

Benefits of Scoping Out with Network Segmentation

Common Resources

Technology: Network Segmentation

Network Security Requirements for PCI

The Network Security Documentation

Requirement 1.1: Firewall and Router Configuration Standards

PCI Assessor’s Notes: Requirement 1.1

Network Components: Firewalls, Routers, and Other Network Components

Firewall and Router Specifications and Configurations

The Demilitarized Zone (DMZ)

PCI Requirements Relating to the DMZ

The Role of Managed Services


Requirement 2: Vendor-Supplied Defaults, System Passwords, and Security Parameters

Vendor-Supplied Default Passwords

Configuration Standards and Vendor-Supplied Default Passwords and Security Parameters

Requirement 2.1: Change Vendor-Supplied Default Passwords

Requirement 2.2: Configuration Standards for System Components

Requirement 2.2.1: One Primary Function per Server

Insecure Protocols and Services

Requirements 2.2.3 and 2.2.4: Security Parameters to Prevent Misuse

Nonconsole Administrative Access

Wireless Security Consideration: Vendor-Supplied Defaults

PA-DSS: Application Requirements for Vendor-Supplied Defaults and Security Parameters

Payment Application Vendor-Supplied Defaults

Requirement 3.1b of the PA-DSS

Requirement 5.1.3 of the PA-DSS

Secure Network Implementation: Payment Applications

Requirement 5.4 of the PA-DSS

Requirement 8.1 of the PA-DSS

Requirement 6 of the PA-DSS: Wireless Security Requirements


Requirement 3: Protect Stored Cardholder Data

Storage, Retention, and Destruction of Stored Cardholder Data

Do You Really Need to Store Cardholder Data?

Policies and Procedures around Storage of Cardholder Data

Requirement 3.2: Sensitive Authentication Data at Rest

Authentication Parameters: Concept Overview


PIN Verification Value (PVV) and PIN Offset


Authentication Parameters

Issuers and Storage of Sensitive Authentication Data

Requirement 3.2: Assessment Notes

Display of the Card PAN

Requirement 3.4: Rendering the PAN Unreadable Wherever It Is Stored


An Overview of Techniques to Render the PAN Unreadable

Use of One-Way Hashing

One-Way Hashing Algorithms and Security Considerations

Use of Truncation

Use of Tokenization

Use of Strong Cryptography

Rendering the PAN Unreadable Everywhere It Is Stored

Cryptography: Terminology and Concept Review


Key and Keyspace

Initialization Vector

Symmetric and Asymmetric Cryptography

Block Ciphers and Stream Ciphers

Block Cipher Modes of Encryption

Electronic Code Book

Cipher Block Chaining

Cipher Feedback

Output Feedback


Requirements 3.5 and 3.6: Key Security and Key Management

Key-Management Considerations: Enterprises

Key-Management Practices for Banks and Acquiring and Issuing TPPs

Hardware Security Module (HSM)

Local Master Key

Zone-Control Master Keys

PIN Working Keys

PIN Verification Key

Message Authentication Keys

Card Verification Keys

Derived Unique Key per Transaction (DUKPT)

Principles of Encryption and Key Management for Protecting the Stored PAN

Secure Key Generation

Single-Purpose Cryptographic Keys

Secure Key Storage

Secure Key Distribution and Exchange

Cryptoperiod and Key Changes

Dual-Key Management for Manual Cryptography


Requirement 4: Securing Cardholder Information in Transit

Requirement 4.1: Secure Transmission of Cardholder Information Over Open, Public Networks

Open, Public Networks: A PCI Viewpoint

Secure Protocols


Secure Shell (SSH)


Requirement 4.1.1: WiFi Security Practices for Cardholder Data Transmissions

Requirement 4.2: Unprotected PANs over End-User Messaging Technologies


Requirement 5: Use and Regularly Update Antivirus Software

Requirement 5.1: Use of Antivirus Programs to Protect Commonly Affected Systems

Antivirus Deployment within the PCI Environment (CDE)

Requirement 5.2: Managing the Antivirus Application

Managing and Monitoring the Antivirus Application for PCI Compliance

Commercial Applications: Antivirus Requirements


Requirement 6: Develop and Maintain Secure Systems

Requirement 6.1: Patch-Management Practices for PCI Compliance

Patch Management for PCI Compliance

Approaches to Patching and Patch Management

Change-Management Process of System Patch Deployment

Risk-Based Approach to Patch Management

Assessor’s Notes for Verifying Patch-Management Practices

Requirement 6.2: Vulnerability-Management Practices for PCI Compliance

Secure Application Development Practices for PCI-DSS and PA-DSS

Requirement 6.3: Secure SDLC for Application Development

The Risk-Assessment Approach to Secure SDLC

Requirement 6.3.1: Removal of Default User Accounts, IDs, and Passwords

Requirement 6.3.2: Custom Code Review for Security

Requirement 6.4: Application Change Management and Change Control

Requirement 6.4.5: Change-Management Document and the Essentials of Change Control and Change Management

Requirements 6.4.1 and 6.4.2: Separation of Production, Development, and Test Environments

Requirement 6.4.3: Use of Live PANs for Testing

Requirement 6.4.4: Removal of Test Data in Production

Requirement 6.5: Secure Coding Guidelines for Applications

Secure Coding Guidelines: References and Best Practices

Requirement 6.5.1: Secure Coding to Address Injection Flaws

SQL Injection

XPath Injection

LDAP Injection

Command Injection

Requirement 6.5.2: Secure Coding to Address Buffer Overflows

Requirement 6.5.3: Secure Coding to Address Cryptographic Flaws

Cryptography Essentials

Requirement 6.5.4: Secure Coding to Address Insecure Transmissions

The SSL/TLS Handshake Process

Implementation Best Practices for Secure Transmission: Web Applications

Requirement 6.5.5: Secure Coding to Address Improper Error Handling

Requirement 6.5.6: Remediation Measures to Address High-Severity Vulnerabilities

Requirement 6.5.7: Secure Coding to Address Cross-Site Scripting

Reflected XSS

Persistent XSS

Requirement 6.5.8: Secure Coding to Address Flawed Access Control

Session Hijacking

Cross-Site Request Forgery

Session Fixation

Forceful Browsing

Requirement 6.5.9: Secure Coding to Address Cross-Site Request Forgery

Ongoing Vulnerability-Management Practices for Web Applications

Web-Application Vulnerability Assessments

Usage of a Web-Application Firewall


Requirement 7: Restrict Access to Cardholder Data by Business Need to Know

Requirement 7.1: Restrict Access to Systems with Cardholder Data

Access Restrictions across the PCI Environment

The Principle of Least Privilege

Documentation of Approval: Access Privileges

Automated Access-Control System


Requirement 8: Access-Control Requirements for PCI Environments

Unique IDs for Users: PCI Environment

Requirement 8.1: Assign Unique IDs to Users in PCI Environment

Factors of Authentication

The Three Factors of Authentication Supplementing User IDs

Something You Know: Knowledge Factors

Something You Are: Physical Factors

Something You Have: Physical Token Parameters

Two-Factor Authentication: Remote Access

Protection of Passwords: Transmission and Storage

Protection of Passwords in Transit

Protection of Passwords at Rest

Authentication Management for PCI Environments

Access-Control Procedure

Requirement 8.5.1: Control of Operations on Access Control

Requirement 8.5.2: Verification of User Identity (Password Resets)

Requirement 8.5.3: Unique Password Value and First-Use Change

Requirements 8.5.4 and 8.5.5: Revocation and Removal of User Access Rights

Requirement 8.5.4: Revocation of User Access Rights Immediately after User Separation

Requirement 8.5.5: Disabling User Accounts within 90 Days

Requirement 8.5.6: Vendor Account Access Management

Requirement 8.5.8: Prohibit Shared, Group, or Generic Accounts

Requirements 8.5.9–8.5.15: Password Management for PCI Environments

Database Access Requirements for PCI Environments

Requirement 8.5.16: Database Authentication Requirements

PA-DSS Requirements for Authentication

Requirement 8 of PCI and Requirement 3 of the PA-DSS


Requirement 9: Restrict Physical Access to Cardholder Data

Requirement 9.1: Physical Access Controls for the PCI Environment

Requirement 9.1.1: Use of Cameras and/or Access-Control Mechanisms

Requirements 9.1.2 and 9.1.3: Restrict Physical Access to Network Components

The Dangers of Visitor Network Access

Protection Strategies for Visitor Network Access

Requirement 9.1.3: Physical Protection for Network Devices

Requirements 9.2, 9.3, and 9.4: Employee and Visitor Access

Visitor-Management Procedure

Visitor Access and Employee Access Distinctions

Granting Visitor Access

Visitor Access Privileges and Restrictions

Revocation of Visitor and Employee Access

Access to Badge System/Physical Access-Control System

Visitor Distinction

Visitor Access Records

Requirements 9.5–9.10: Media Management and Security

Requirement 9.5: Physical Security—Off-Site Media Backup Location

The Need for Off-Site Backup

Security Controls: Off-Site Backup

Requirements 9.9 and 9.10: Media Destruction


Requirement 10: Logging and Monitoring for the PCI Standards

Audit Trails: PCI Requirements

The Need for Audit Trails and Logs

Challenges: Log Management

Distributed Event Logs

Volume of Log Entries

Nonstandard Logging Practices

Multiple Tools

People Intensive

Access-Control Link: Audit Trails

Details: Audit Trail Capture

Audit Logs: Details

Individual Access to Cardholder Data

Actions by Root or Administrative Users

Access to Audit Trails

Invalid Access Attempts

Use of Identification and Authentication Mechanisms

Initialization of Audit Logs

Creation of System-Level Objects

Audit-Trail Entries and Records

User Identification

Type of Event

Date and Time

Indication of Success or Failure

Origination of Event

Identification of Affected System, Resource, or Component

Application Logging Best Practices

The Importance of Time and Its Consistency

Time Sync across IT Components

Network Time Protocol for Time Synchronization

Securing Audit Trails and Logs

Business Need to Know: Logs and Audit Trails

Securing Log Information

Strong Access Control

System Hardening

Centralized Log Server

File-Integrity Monitoring

Log Monitoring, Review, and Retention

Requirement 10.6: Log Review and Monitoring

Requirement 10.7: Log Retention


Requirement 11: Security Testing for the PCI Environment

Wireless Access Point: Testing

Testing for Rogue/Unauthorized Wireless Access Points

Wireless Network Scanning

Physical Inspection

Network Access Control

Wireless IDS/IPS Deployment

Internal and External Network Vulnerability Scanning

Vulnerability Scanning: Concept Note

Vulnerability Categorization

Vulnerability Scanning: Methodology

Internal and External Network Vulnerability Scanning

Internal and External Vulnerability Scanning

Network Vulnerability Scanning

Scanning by PCI Approved Scanning Vendor (ASV)

Internal and External Penetration Testing

Fundamental Differences: Vulnerability Assessment and Penetration Testing

Why Perform a Penetration Test?

Network-Layer Penetration Tests

Application-Layer Penetration Testing

Deployment of Intrusion Detection/Prevention Devices or Applications

Intrusion Detection/Prevention Systems: An Overview

Signature Based

Statistical-Based Anomaly Detection

Stateful Protocol Analysis Detection

PCI Requirement: Intrusion Detection/Prevention System

File-Integrity Monitoring: Critical System Files and Configurations

Attacks: Key System Files

File-Integrity Monitoring: Critical System Files, Processes, and Content Files


Requirement 12: Information Security Policies and Practices for PCI Compliance

Information Security Policy: PCI Requirements

Security Policy Definition

Risk Assessment: PCI Compliance

A Question of Adequacy

Risk Assessment: Process and Overview

Annual Review: Policy and Risk-Management Framework

Operational Security Procedures

Security Focus Areas

Acceptable Usage Policies and Procedures

List of Acceptable Technologies, Applications, and Devices

Explicit Approval for Technology Usage

Inventory and Labeling

Authentication for the Use of Technology

Acceptable Usage

Security Roles and Responsibilities

Documentation: Roles and Responsibilities

The Chief Information Security Officer

Distribution of Policies and Procedures and Monitoring of Security Alerts

User Management: Roles and Responsibilities

People Security Practices

Security Awareness Training and Monitoring

Employee Background Verification

Vendor Management and PCI Compliance

Vendors: Data Sharing and Risk Management

Incident Management and Incident Response

Incident-Response Plans and Procedures

Elements of Incident-Response Plan

Incident-Response Success Factors


Beyond PCI Compliance

Maintaining PCI Compliance: The Challenge

The Challenge: The Dilemma Produced by Success

The Information Problem

The Technology Challenge

Management Attitude

Success Factors for Continuing PCI Compliance

A Change of Attitude

Deep Understanding of Risk and Its Application
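The Requirement 3 entries above (Track 2 data, display of the PAN, Requirement 3.4 and the one-way hashing and truncation discussion) name the techniques the book walks through. The following Python sketch is an added example written for this page, not code from the book or its author. It parses a Track 2 string, validates the PAN with the Luhn check, masks it for display (first six and last four digits), renders it unreadable for storage with a keyed hash, and keeps only the fields that may be retained after authorization. It then shows the caveat a practitioner should know: an unkeyed hash of a PAN can be recovered by brute force once the masked (truncated) PAN is also available, which is why hashed and truncated copies of the same PAN must not be correlatable. Assumptions: the Track 2 string is constructed, 4111111111111111 is a standard test number rather than a live account, and the HMAC key is a placeholder constant (in a real deployment it would come from an HSM or key manager under Requirements 3.5 and 3.6).

```python
"""Added example (not from the book): PAN handling for PCI-DSS Requirement 3.
Standard library only. Sample inputs and the HMAC key are constructed."""
import hashlib
import hmac
import itertools
import re
from typing import Optional

# Track 2 layout (ISO/IEC 7813): ';' PAN '=' YYMM service-code discretionary '?' [LRC]
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?(?P<lrc>.)?$"
)


def parse_track2(track: str) -> dict:
    """Split a Track 2 string into its fields; raise on malformed input."""
    m = TRACK2_RE.match(track)
    if m is None:
        raise ValueError("not a Track 2 string")
    return m.groupdict()


def luhn_ok(pan: str) -> bool:
    """Luhn (mod 10) check-digit validation used for payment card PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Req 3.3 display rule: show at most the first six and last four digits."""
    if not 13 <= len(pan) <= 19:
        raise ValueError("PAN length out of range")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def unkeyed_pan_hash(pan: str) -> str:
    """Plain SHA-256 of the PAN: the weak construction, shown for comparison."""
    return hashlib.sha256(pan.encode("ascii")).hexdigest()


def keyed_pan_hash(pan: str, key: bytes) -> str:
    """Req 3.4 one-way hash of the entire PAN, keyed with HMAC-SHA-256."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def to_storable_record(track2: str, key: bytes) -> dict:
    """Keep only cardholder data (PAN rendered unreadable, expiry, service code).
    Full track contents and discretionary data are sensitive authentication
    data (Req 3.2) and are dropped rather than stored."""
    f = parse_track2(track2)
    if not luhn_ok(f["pan"]):
        raise ValueError("PAN fails Luhn check")
    return {
        "pan_masked": mask_pan(f["pan"]),
        "pan_hash": keyed_pan_hash(f["pan"], key),
        "expiry": f["exp"],
        "service_code": f["svc"],
    }


def _luhn_complete(digits: list, hole: int) -> str:
    """Return the digit at index `hole` that makes the whole number pass Luhn."""
    n = len(digits)
    total = 0
    for i, ch in enumerate(digits):
        if i == hole:
            continue
        d = int(ch)
        if (n - 1 - i) % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    need = (-total) % 10
    doubled = (n - 1 - hole) % 2 == 1
    for d in range(10):
        c = d * 2 - 9 if doubled and d * 2 > 9 else (d * 2 if doubled else d)
        if c == need:
            return str(d)
    raise AssertionError("unreachable: doubled contributions permute 0-9")


def recover_pan_from_unkeyed_hash(digest_hex: str, masked: str) -> Optional[str]:
    """Correlation attack: with SHA-256(PAN) and the masked PAN, only the '*'
    digits are unknown and Luhn fixes one of them, so a 16-digit PAN leaves
    10**5 candidates. Returns the PAN, or None (as for a keyed hash)."""
    holes = [i for i, ch in enumerate(masked) if ch == "*"]
    last = holes.pop()  # solved by Luhn instead of enumerated
    digits = list(masked)
    for combo in itertools.product("0123456789", repeat=len(holes)):
        for i, ch in zip(holes, combo):
            digits[i] = ch
        digits[last] = _luhn_complete(digits, last)
        candidate = "".join(digits)
        if hashlib.sha256(candidate.encode("ascii")).hexdigest() == digest_hex:
            return candidate
    return None


if __name__ == "__main__":
    KEY = b"placeholder-key-fetch-from-HSM-or-KMS"  # assumption, see Req 3.5/3.6
    TRACK2 = ";4111111111111111=25121011234567890?"  # constructed; test PAN
    record = to_storable_record(TRACK2, KEY)
    print(record)
    print(recover_pan_from_unkeyed_hash(unkeyed_pan_hash("4111111111111111"), record["pan_masked"]))
    print(recover_pan_from_unkeyed_hash(record["pan_hash"], record["pan_masked"]))
```

Run as a script, the first recovery call prints the full test PAN from its unkeyed SHA-256 and masked form in well under a second; the second, against the HMAC value, exhausts the candidates and prints None. The keyed hash does not make the PAN uncrackable in principle, it makes the key the secret, which is why Requirements 3.5 and 3.6 on key storage and management apply to it.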




About the Author

Abhay Bhargav is the founder and chief technical officer of the we45 Group, a Bangalore-based information security solutions company. He has extensive experience with information security and compliance, having performed security assessments for many enterprises in various domains, such as banking, software development, retail, telecom, and legal. He is a Qualified Security Assessor (QSA) for the payment-card industry and has led several security assessments for payment-card industry compliance. He is also the coauthor of Secure Java for Web Application Development, published by CRC Press.

Abhay is a specialist in Web-application security with broad experience in vulnerability assessment and penetration testing, and he has served as a consultant for a wide array of enterprises and governmental/quasi-governmental entities. He holds the GIAC Web Application Penetration Tester (GWAPT) certification. He has been interviewed by leading media outlets for his expertise on information security, particularly application security.

Abhay is a regular speaker at industry events such as the Business Technology Summit and events organized by the Confederation of Indian Industry (CII). He was a featured speaker at the JavaOne Conference in September 2010 at the Moscone Center in San Francisco. He also regularly speaks at OWASP (Open Web Application Security Project) conferences around the world, notably the OWASP AppSec Conference in New York in September 2008, and at other conferences and seminars, such as the PCI summit in Mumbai in December 2008. He has delivered several talks to government entities and their stakeholders on information security and application security. He is also a trainer in information security and has led several public workshops on PCI, PA-DSS, and risk assessment.

Abhay is well versed in risk assessment and risk management, with rich consulting experience in the OCTAVE® Risk Assessment and NIST SP 800-30 methodologies. His expertise also extends to providing solutions on information security based on the ISO-27001, HIPAA, SOX, GLBA, and other security-compliance standards.

Previously, Abhay led application security and PCI compliance at SISA Information Security Pvt Ltd. Prior to that, he was involved in implementing enterprise IT solutions for various verticals, including manufacturing and retail. He has developed various business applications in Java and in proprietary object-oriented programming languages such as TDL. He has also written various articles on application security and security compliance.

Apart from his professional interests, Abhay is a trained Carnatic classical flutist and has delivered several concerts. He is also a theater enthusiast and playwright with an English comedy play to his credit. He blogs actively and maintains a security blog and a personal blog. He also writes a weekly article on computer education for rural youth in a leading Kannada daily newspaper.

Subject Categories

BISAC Subject Codes/Headings:
COMPUTERS / Information Technology
COMPUTERS / Software Development & Engineering / General
COMPUTERS / Security / General
COMPUTERS / Certification Guides / General