PCI Compliance, 4th Edition

Book Description

Identity theft and the theft of other confidential information have now topped the charts as the leading cybercrime, and credit card data in particular is preferred by cybercriminals. Is your payment processing secure and compliant? The new Fourth Edition of PCI Compliance has been revised to follow the new PCI DSS standard version 3.0, which is the official version beginning in January 2014. Also new to the Fourth Edition: additional case studies and clear guidelines and instructions for maintaining PCI compliance globally, including coverage of technologies such as NFC, P2PE, CNP/Mobile, and EMV. This is the first book to address the recent updates to PCI DSS. The real-world scenarios and hands-on guidance are also new approaches to this topic. All-new case studies and fraud studies have been added to the Fourth Edition.

Each chapter has how-to guidance to walk you through implementing concepts, and real-world scenarios to help you relate to the information and better grasp how it impacts your data. This book provides the information you need to understand the current PCI Data Security Standard and how to effectively implement security on network infrastructure in order to comply with the credit card industry guidelines, and it helps you protect sensitive and personally identifiable information.
  • Completely updated to follow the most current PCI DSS standard, version 3.0
  • Packed with help to develop and implement an effective strategy to keep infrastructure compliant and secure
  • Includes coverage of new and emerging technologies such as NFC, P2PE, CNP/Mobile, and EMV
  • Both authors have broad information security backgrounds, including extensive PCI DSS experience

Table of Contents

  1. Cover
  2. Title page
  3. Table of Contents
  4. Copyright
  5. Foreword
  6. Acknowledgments
  7. Chapter 1: About PCI DSS and this book
    1. Abstract
    2. Who should read this book?
    3. How to use the book in your daily job
    4. What this book is not
    5. Organization of the book
    6. Summary
  8. Chapter 2: Introduction to fraud, data theft, and related regulatory mandates
    1. Abstract
    2. Summary
  9. Chapter 3: Why is PCI here?
    1. Abstract
    2. What is PCI DSS and who must comply?
    3. PCI DSS in depth
    4. Quick overview of PCI requirements
    5. PCI DSS and risk
    6. Benefits of compliance
    7. Case study
    8. Summary
  10. Chapter 4: Determining and reducing the PCI scope
    1. Abstract
    2. The basics of PCI DSS scoping
    3. The “gotchas” of PCI scope
    4. Scope reduction tips
    5. Planning your PCI project
    6. Case study
    7. Summary
  11. Chapter 5: Building and maintaining a secure network
    1. Abstract
    2. Which PCI DSS requirements are in this domain?
    3. What else can you do to be secure?
    4. Tools and best practices
    5. Common mistakes and pitfalls
    6. Case study
    7. Summary
  12. Chapter 6: Strong access controls
    1. Abstract
    2. Which PCI DSS requirements are in this domain?
    3. What else can you do to be secure?
    4. Tools and best practices
    5. Common mistakes and pitfalls
    6. Case study
    7. Summary
  13. Chapter 7: Protecting cardholder data
    1. Abstract
    2. What is data protection and why is it needed?
    3. Requirements addressed in this chapter
    4. PCI requirement 3: Protect stored cardholder data
    5. Requirement 3 walk-through
    6. What else can you do to be secure?
    7. PCI requirement 4 walk-through
    8. Requirement 12 walk-through
    9. Appendix A of PCI DSS
    10. How to become compliant and secure
    11. Common mistakes and pitfalls
    12. Case study
    13. Summary
  14. Chapter 8: Using wireless networking
    1. Abstract
    2. What is wireless network security?
    3. Where is wireless network security in PCI DSS?
    4. Why do we need wireless network security?
    5. Tools and best practices
    6. Common mistakes and pitfalls
    7. Case study
    8. Summary
  15. Chapter 9: Vulnerability management
    1. Abstract
    2. PCI DSS requirements covered
    3. Vulnerability management in PCI
    4. Requirement 5 walk-through
    5. Requirement 6 walk-through
    6. Requirement 11 walk-through
    7. Internal vulnerability scanning
    8. Common PCI vulnerability management mistakes
    9. Case study
    10. Summary
  16. Chapter 10: Logging events and monitoring the cardholder data environment
    1. Abstract
    2. PCI requirements covered
    3. Why logging and monitoring in PCI DSS?
    4. Logging and monitoring in depth
    5. PCI relevance of logs
    6. Logging in PCI requirement 10
    7. Monitoring data and log for security issues
    8. Logging and monitoring in PCI—all other requirements
    9. PCI DSS logging policies and procedures
    10. Tools for logging in PCI
    11. Other monitoring tools
    12. Intrusion detection and prevention
    13. Integrity monitoring
    14. Common mistakes and pitfalls
    15. Case study
    16. Summary
  17. Chapter 11: PCI DSS and cloud computing
    1. Abstract
    2. Cloud basics
    3. PCI cloud examples
    4. So, can I use cloud resources in PCI DSS environments?
    5. More cloud for better security and compliance?
    6. Maintaining and assessing PCI DSS in the cloud
    7. Cloud and PCI DSS in depth
    8. Summary
  18. Chapter 12: Mobile
    1. Abstract
    2. Where is mobility addressed in PCI DSS 3.0?
    3. What guidance is available?
    4. How does PA-DSS 3.0 fit?
    5. Deploying the technology safely
    6. Case study
    7. Summary
  19. Chapter 13: PCI for the small business
    1. Abstract
    2. The risks of credit card acceptance
    3. New business considerations
    4. Your POS is like my POS!
    5. A basic scheme for SMB hardening
    6. Case study
    7. Summary
  20. Chapter 14: Managing a PCI DSS project to achieve compliance
    1. Abstract
    2. Justifying a business case for compliance
    3. Bringing the key players to the table
    4. Budgeting time and resources
    5. Educating staff
    6. Project quickstart guide
    7. The PCI DSS prioritized approach
    8. The Visa TIP
    9. Summary
  21. Chapter 15: Don’t fear the assessor
    1. Abstract
    2. Remember, assessors are there to help
    3. Dealing with assessors’ mistakes
    4. Planning for remediation
    5. Planning for reassessing
    6. Summary
  22. Chapter 16: The art of compensating control
    1. Abstract
    2. What is a compensating control?
    3. Where are compensating controls in PCI DSS?
    4. What a compensating control is not
    5. Funny controls you didn’t design
    6. How to create a good compensating control
    7. Case studies
    8. Summary
  23. Chapter 17: You’re compliant, now what?
    1. Abstract
    2. Security is a process, not an event
    3. Plan for periodic review and training
    4. PCI requirements with periodic maintenance
    5. PCI self-assessment
    6. Case study
    7. Summary
  24. Chapter 18: Emerging technology and alternative payment schemes
    1. Abstract
    2. New payment schemes
    3. Predictions
    4. Taxonomy and tidbits
    5. Case study
    6. Summary
  25. Chapter 19: Myths and misconceptions of PCI DSS
    1. Abstract
    2. Myth #1 PCI doesn’t apply to me
    3. Myth #2 PCI is confusing and ambiguous
    4. Myth #3 PCI DSS is too onerous
    5. Myth #4 breaches prove PCI DSS irrelevant
    6. Myth #5 PCI is all we need for security
    7. Myth #6 PCI DSS is really easy
    8. Myth #7 my tool is PCI compliant thus I am compliant
    9. Myth #8 PCI is toothless
    10. Case study
    11. Summary
  26. Index