Book description
Although organizations that store, process, or transmit cardholder information are required to comply with payment card industry standards, most find it extremely challenging to comply with and meet the requirements of these technically rigorous standards. PCI Compliance: The Definitive Guide explains the ins and outs of the payment card industry (
Table of contents
- Preface
- About the Author
- Chapter 1 - Payment-Card Industry: An Evolution
- 1.1 The Development of a System: The Coming of the Credit Card
- 1.1.1 The Need for Credit: A Historical Perspective
- 1.1.1.1 Credit in the Mesopotamian Civilization
- 1.1.1.2 Credit in the Era of Coins and Metal Bullion (800 BC to AD 600)
- 1.1.1.3 The Rise of Virtual Money Transactions (AD 600 to AD 1500)
- 1.1.1.4 The Reemergence of Coins and Precious Metal Currency (1500–1971)
- 1.1.1.5 The Rise of Debt (1971 Onwards)
- 1.1.1.6 The Need for Credit
- 1.1.2 The Credit Card: A Means to Address the Need for Credit
- 1.2 Debit Cards and Automated Teller Machines
- 1.3 The Future of Payments
- 1.4 Summary
- Chapter 2 - Card Anatomy: The Essentials
- Chapter 3 - Security and the Payment-Card Industry
- 3.1 A Brief History of Credit Card Fraud
- 3.2 A Brief History of Significant Card Data Breaches
- 3.3 Cardholder Security Programs
- 3.4 Summary
- Chapter 4 - Payment Card Industry Data Security Standard (PCI-DSS)
- Chapter 5 - The Payment Application Data Security Standard (PA-DSS)
- Chapter 6 - Enterprise Approach to PCI Compliance
- Chapter 7 - Scoping for PCI Compliance
- 7.1 Scoping for PCI Compliance: A Primer
- 7.2 The Cardholder-Data Environment (CDE)
- 7.3 Tips for Scope Reduction
- 7.4 System Components in the PCI Scope
- 7.5 Summary
- Chapter 8 - Requirement 1: Build and Maintain a Secure Network
- Chapter 9 - Requirement 2: Vendor-Supplied Defaults, System Passwords, and Security Parameters
- 9.1 Vendor-Supplied Default Passwords
- 9.1.1 Configuration Standards and Vendor-Supplied Default Passwords and Security Parameters
- 9.1.1.1 Requirement 2.1: Change Vendor-Supplied Default Passwords
- 9.1.1.2 Requirement 2.2: Configuration Standards for System Components
- 9.1.1.3 Requirement 2.2.1: One Primary Function per Server
- 9.1.1.4 Insecure Protocols and Services
- 9.1.1.5 Requirements 2.2.3 and 2.2.4 Security Parameters: To Prevent Misuse
- 9.1.2 Nonconsole Administrative Access
- 9.1.3 Wireless Security Consideration: Vendor-Supplied Defaults
- 9.2 PA-DSS: Application Requirements for Vendor-Supplied Defaults and Security Parameters
- 9.3 Summary
- Chapter 10 - Requirement 3: Protect Stored Cardholder Data
- 10.1 Storage, Retention, and Destruction of Stored Cardholder Data
- 10.2 Requirement 3.2: Sensitive Authentication Data at Rest
- 10.3 Display of the Card PAN
- 10.4 Requirement 3.4: Rendering the PAN Unreadable wherever Stored
- 10.5 Cryptography: Terminology and Concept Review
- 10.6 Requirements 3.5 and 3.6: Key Security and Key Management
- 10.7 Summary
- Chapter 11 - Requirement 4: Securing Cardholder Information in Transit
- Chapter 12 - Requirement 5: Use and Regularly Update Antivirus Software
- Chapter 13 - Requirement 6: Develop and Maintain Secure Systems
- 13.1 Requirement 6.1: Patch-Management Practices for PCI Compliance
- 13.2 Requirement 6.2: Vulnerability-Management Practices for PCI Compliance
- 13.3 Secure Application Development Practices for PCI-DSS and PA-DSS
- 13.3.1 Requirement 6.3: Secure SDLC for Application Development
- 13.3.2 Requirement 6.4: Application Change Management and Change Control
- 13.3.2.1 Requirement 6.4.5: Change-Management Document and the Essentials of Change Control and Change Management
- 13.3.2.2 Requirements 6.4.2 and 6.4.3: Separation of Production, Development, and Test Environments
- 13.3.2.3 Requirement 6.4.3: Use of Live PANs for Testing
- 13.3.2.4 Requirement 6.4.4: Removal of Test Data in Production
- 13.4 Requirement 6.5: Secure Coding Guidelines for Applications
- 13.4.1 Secure Coding Guidelines: References and Best Practices
- 13.4.2 Requirement 6.5.1: Secure Coding to Address Injection Flaws
- 13.4.3 Requirement 6.5.2: Secure Coding to Address Buffer Overflows
- 13.4.4 Requirement 6.5.3: Secure Coding to Address Cryptographic Flaws
- 13.4.5 Requirement 6.5.4: Secure Coding to Address Insecure Transmissions
- 13.4.6 Requirement 6.5.5: Secure Coding to Address Improper Error Handling
- 13.4.7 Requirement 6.5.6: Remediation Measures to Address High-Severity Vulnerabilities
- 13.4.8 Requirement 6.5.7: Secure Coding to Address Cross-Site Scripting
- 13.4.9 Requirement 6.5.8: Secure Coding to Address Flawed Access Control
- 13.4.10 Requirement 6.5.9: Secure Coding to Address Cross-Site Request Forgery
- 13.5 Ongoing Vulnerability-Management Practices for Web Applications
- 13.6 Summary
- Chapter 14 - Requirement 7: Restrict Access to Cardholder Data by Business Need to Know
- Chapter 15 - Requirement 8: Access-Control Requirements for PCI Environments
- 15.1 Unique IDs for Users: PCI Environment
- 15.2 Factors of Authentication
- 15.3 Protection of Passwords: Transmission and Storage
- 15.4 Authentication Management for PCI Environments
- 15.4.1 Access-Control Procedure
- 15.4.2 Requirement 8.5.1: Control of Operations on Access Control
- 15.4.3 Requirement 8.5.2: Verification of User Identity (Password Resets)
- 15.4.4 Requirement 8.5.3: Unique Password Value and First-Use Change
- 15.4.5 Requirements 8.5.4 and 8.5.5: Revocation and Removal of User Access Rights
- 15.4.6 Requirement 8.5.6: Vendor Account Access Management
- 15.4.7 Requirement 8.5.8: Prohibit Shared, Group, or Generic Accounts
- 15.4.8 Requirements 8.5.9–8.5.15: Password Management for PCI Environments
- 15.5 Database Access Requirements for PCI Environments
- 15.6 PA-DSS Requirements for Authentication
- 15.7 Summary
- Chapter 16 - Requirement 9: Restrict Physical Access to Cardholder Data
- 16.1 Requirement 9.1: Physical Access Controls for the PCI Environment
- 16.2 Requirements 9.2, 9.3, and 9.4: Employee and Visitor Access
- 16.2.1 Visitor-Management Procedure
- 16.2.1.1 Visitor Access and Employee Access Distinctions
- 16.2.1.2 Granting Visitor Access
- 16.2.1.3 Visitor Access Privileges and Restrictions
- 16.2.1.4 Revocation of Visitor and Employee Access
- 16.2.1.5 Access to Badge System/Physical Access-Control System
- 16.2.1.6 Visitor Distinction
- 16.2.1.7 Visitor Access Records
- 16.3 Requirements 9.5–9.10: Media Management and Security
- 16.4 Summary
- Chapter 17 - Requirement 10: Logging and Monitoring for the PCI Standards
- 17.1 Audit Trails: PCI Requirements
- 17.2 Details: Audit Trail Capture
- 17.2.1 Audit Logs: Details
- 17.2.1.1 Individual Access to Cardholder Data
- 17.2.1.2 Actions by Root or Administrative Users
- 17.2.1.3 Access to Audit Trails
- 17.2.1.4 Invalid Access Attempts
- 17.2.1.5 Use of Identification and Authentication Mechanisms
- 17.2.1.6 Initialization of Audit Logs
- 17.2.1.7 Creation of System-Level Objects
- 17.2.2 Audit-Trail Entries and Records
- 17.2.3 Application Logging Best Practices
- 17.3 The Importance of Time and Its Consistency
- 17.4 Securing Audit Trails and Logs
- 17.5 Log Monitoring, Review, and Retention
- 17.6 Summary
- Chapter 18 - Requirement 11: Security Testing for the PCI Environment
- 18.1 Wireless Access Point: Testing
- 18.2 Internal and External Network Vulnerability Scanning
- 18.3 Internal and External Penetration Testing
- 18.4 Deployment of Intrusion Detection/Prevention Devices or Applications
- 18.5 File-Integrity Monitoring: Critical System Files and Configurations
- 18.6 Summary
- Chapter 19 - Requirement 12: Information Security Policies and Practices for PCI Compliance
- Chapter 20 - Beyond PCI Compliance
- Addendum
- What’s New in PCI-DSS v 3.0?
- A1 – Current Network Diagram with Cardholder Data Flows
- A2 – Inventory of System Components in the PCI Scoped Environment
- A3 – Malware Protection for Uncommon System Components
- A4 – Enhanced List of Secure Coding Guidelines
- A5 – Clarifications for Multiple Authentication Factors
- A6 – Protection of Physical POS Devices
- A7 – Penetration Testing for Segmentation and Scope Reduction
- A8 – Vendor PCI Compliance
Product information
- Title: PCI Compliance
- Author(s):
- Release date: May 2014
- Publisher(s): Auerbach Publications
- ISBN: 9781498759991