5th Edition
PCI Compliance Understand and Implement Effective PCI Data Security Standard Compliance
The Payment Card Industry Data Security Standard (PCI DSS) is now in its 18th year, and it is continuing to dominate corporate security budgets and resources. If you accept, process, transmit, or store payment card data branded by Visa, MasterCard, American Express, Discover, or JCB (or their affiliates and partners), you must comply with this lengthy standard.
Personal data theft is at the top of the list of likely cybercrimes that modern-day corporations must defend against. In particular, credit or debit card data is preferred by cybercriminals as they can find ways to monetize it quickly from anywhere in the world. Is your payment processing secure and compliant? The new Fifth Edition of PCI Compliance has been revised to follow the new PCI DSS version 4.0, which is a complete overhaul to the standard. Also new to the Fifth Edition are: additional case studies and clear guidelines and instructions for maintaining PCI compliance globally, including coverage of technologies such as Kubernetes, cloud, near-field communication, point-to-point encryption, Mobile, Europay, MasterCard, and Visa. This is the first book to address the recent updates to PCI DSS and the only book you will need during your PCI DSS journey. The real-world scenarios and hands-on guidance will be extremely valuable, as well as the community of professionals you will join after buying this book.
Each chapter has how-to guidance to walk you through implementing concepts and real-world scenarios to help you grasp how PCI DSS will affect your daily operations. This book provides the information that you need in order to understand the current PCI Data Security Standards and the ecosystem that surrounds them, how to effectively implement security on network infrastructure in order to be compliant with the credit card industry guidelines, and help you protect sensitive and personally identifiable information. Our book puts security first as a way to enable compliance.
- Completely updated to follow the current PCI DSS version 4.0
- Packed with tips to develop and implement an effective PCI DSS and cybersecurity strategy
- Includes coverage of new and emerging technologies such as Kubernetes, mobility, and 3D Secure 2.0
- Both authors have broad information security backgrounds, including extensive PCI DSS experience
1. About PCI and This Book
Who should read the book? How to Use the Book in Your Daily Job. What This Book is Not. How to use this book? Organization of the Book. Summary.
2. Introduction to Fraud, ID Theft, and Regulatory Mandates
Summary
3. Why is PCI Here?
What is PCI DSS and Who Must Comply? Electronic Card Payment Ecosystem. Goal of PCI DSS. Applicability of PCI DSS. PCI DSS in Depth. Quick Overview of PCI Requirements. What’s New in PCI DSS 4.0. PCI DSS and Risk. Benefits of Compliance. Case Study. Summary.
4. Determining AND Reducing Your PCI Scope
The Basics of PCI DSS Scoping. The "Gotchas" of PCI Scope. Scope Reduction Tips. Planning your PCI Project. Case Study. Summary.
5. Building and Maintaining a Secure Network
Which PCI DSS Requirements Are in This Domain? What Else Can You Do to Be Secure? Tools & Best Practices. Common Mistakes & Pitfalls. Case Study. Summary.
6. Strong Access Controls
Which PCI DSS Requirements Are in This Domain? What Else Can You Do to Be Secure? Tools & Best Practices. Common Mistakes & Pitfalls. Case Study. Summary.
7. Protect Cardholder Data
What is Data Protection and Why is it Needed? Requirements Addressed in This Chapter. Requirement 3: Protect Stored Account Data. Requirement 3 Walk-Through. What Else Can You Do to Be Secure? Requirement 4 Walk-Through. Requirement 12 Walk-Through. How to Become Compliant and Secure. Common Mistakes and Pitfalls. Case Study. Summary.
8. Using Wireless Networking
What is Wireless Network Security? Where is Wireless Network Security in PCI DSS? Why Do We Need Wireless Network Security? Tools and Best Practices. Common Mistakes and Pitfalls. Case Study. Summary.
9. Vulnerability Management and Testing
PCI DSS Requirements Covered. Vulnerability Management in PCI DSS. PCI DSS Requirement 5 Walk-Through. PCI DSS Requirement 6 Walk-Through. PCI DSS Requirement 11 Walk-Through. Internal Vulnerability Scanning. Common PCI Vulnerability Management Mistakes. Case Study. Summary.
10. Logging Events and Monitoring the Cardholder Data Environment
PCI DSS Requirements Covered. Why Logging and Monitoring in PCI DSS? Logging and Monitoring in Depth. PCI Relevance of Logs. Logging in PCI DSS Requirement 10. Monitoring Data and Logs for Security Issues. Logging and Monitoring in PCI—All Other Requirements. PCI DSS Logging Policies and Procedures. Tools for Logging in PCI. Other Monitoring Tools. Intrusion Detection and Prevention. Integrity Monitoring. Common Mistakes and Pitfalls. Case Study. Summary.
11. Cloud and Virtualization
Cloud Basics. PCI Cloud Examples. So, Can I Use Cloud Resources in PCI DSS Environments? Containers and Kubernetes. Maintaining and Assessing PCI DSS in the Cloud. Tools and Best Practices. Summary.
12. Mobile
Where is it Addressed in PCI DSS 4.0? What Guidance Is Available? Deploying the Technology Safely. Case Study. Summary.
13. PCI DSS for the Small Business
The Risks of Credit Card Acceptance. New Business Considerations. Your POS is Like My POS! A Basic Scheme for SMB Technology Hardening. Case Study. Summary
14. PCI DSS for the Service Provider
Why do Service Providers have More Requirements? Variation on a Theme, or What Service Providers Should Care About. Service Provider Specific Requirements. Case Study. Summary.
15. Managing a PCI DSS Project to Achieve Compliance
Justifying a Business Case for Compliance. Bringing the Key Players to the Table. Budgeting Time and Resources. Educate Staff. Project QuickStart Guide. The PCI SSC Prioritized Approach. The Visa TIP (maybe remove this as a subhead). Summary.
16. Don’t Fear the Assessor
Remember, Assessors are Generally There to Help. Dealing with Assessors’ Mistakes. Planning for Remediation. Planning for Re-assessing. Summary
17. The Art of Compensating Control
What is a Compensating Control? Where are Compensating Controls in PCI DSS? What a Compensating Control is Not. Funny Controls You Didn’t Design. How to Create a Good Compensating Control. Case Studies. Summary
18. You’re Compliant, Now What?
Security is a Process, Not an Event. Plan for Periodic Review and Training. PCI Requirements with Periodic Maintenance. PCI Self-Assessment. Case Study. Summary.
19. Emerging Technology and Alternative Payment Schemes
Emerging Payment Schemes. Predictions. Taxonomy and Tidbits. Case Study. Summary.
20. PCI DSS Myths and Misconceptions
Myth #1 PCI Doesn’t Apply to Me. Myth #2 PCI is Confusing and Ambiguous. Myth #3 PCI DSS is Too Onerous. Myth #4 Breaches Prove PCI DSS Irrelevant. Myth #5 PCI is All We Need for Security. Myth #6 PCI DSS is Really Easy. Myth #7 My Tool is PCI Compliant Thus I Am Compliant. Myth #8 PCI is Toothless. Case Study. Summary.
21. Final Thoughts
A Quick Summary. On Time Travel. Interact With Us!
Biography
Dr. Branden R. Williams has more than twenty-five years of experience as a technology executive where he has served virtually every industry as an information technology and cybersecurity consultant, as well as held high-level executive roles inside banks, other financial services firms, and top cybersecurity and technology vendors. He has been working with PCI DSS, CISP, and SDP since 2004.
Branden’s intuitive understanding of how information technology drives business, his use of business intelligence tools to drive revenue and innovation, and his energy and likeable personality have earned him increasing responsibility and respect in the business and academic worlds. Using his keen business insights and ability to communicate with technical and non-technical audiences, he collaborates with executives to analyze, develop, and implement enterprise-wide solutions that support key business initiatives.
Branden has global experience working on six continents as a consultant and practitioner and holds a Masters and Doctor of Business Administration degrees. He teaches graduate-level courses at the University of Dallas as an adjunct and is a sought after speaker and author.
James K. Adamson has assisted clients in the payment security space for over 15 years as a PCI QSA and trusted advisor.
His work has included consulting with hundreds of organizations, ranging from Fortune 100s to startups, across many verticals, including retail, financial, travel, technology, medical, and service providers. He has deep expertise in assessing payment environments, reviewing security architectures and programs, and developing holistic approaches to addressing security and compliance needs.
James approaches compliance with the Payment Card Industry Data Security Standard to ensure that it helps organizations focus on protecting their customers’ data, reducing risk, and improving business and security effectiveness.
