PCI Compliance

Book Description

Although organizations that store, process, or transmit cardholder information are required to comply with payment card industry standards, most find it extremely challenging to meet the requirements of these technically rigorous standards. PCI Compliance: The Definitive Guide explains the ins and outs of the payment card industry (PCI) security standards in a manner that is easy to understand.

This step-by-step guidebook delves into PCI standards from an implementation standpoint. It begins with a basic introduction to PCI compliance, including its history and evolution. It then thoroughly and methodically examines the specific requirements of PCI compliance. PCI requirements are presented along with notes and assessment techniques for auditors and assessors.

The text outlines application development and implementation strategies for Payment Application Data Security Standard (PA-DSS) compliance and validation. Explaining the PCI standards from an implementation standpoint, it clarifies the intent of the standards on key issues and challenges that entities must overcome in their quest to meet compliance requirements.

The book goes beyond detailing the requirements of the PCI standards to delve into the multiple implementation strategies available for achieving PCI compliance. The book includes a special appendix on the recently released PCI-DSS v 3.0. It also contains case studies from a variety of industries undergoing compliance, including banking, retail, outsourcing, software development, and processors. Outlining solutions extracted from successful real-world PCI implementations, the book ends with a discussion of PA-DSS standards and validation requirements.

Table of Contents

  1. Preface
  2. About the Author
  3. Chapter 1 - Payment-Card Industry: An Evolution
    1. 1.1 The Development of a System: The Coming of the Credit Card
      1. 1.1.1 The Need for Credit: A Historical Perspective
        1. 1.1.1.1 Credit in the Mesopotamian Civilization
        2. 1.1.1.2 Credit in the Era of Coins and Metal Bullion (800 BC to AD 600)
        3. 1.1.1.3 The Rise of Virtual Money Transactions (AD 600 to AD 1500)
        4. 1.1.1.4 The Reemergence of Coins and Precious Metal Currency (1500–1971)
        5. 1.1.1.5 The Rise of Debt (1971 Onwards)
        6. 1.1.1.6 The Need for Credit
      2. 1.1.2 The Credit Card: A Means to Address the Need for Credit
        1. 1.1.2.1 The History of the Credit Card
        2. 1.1.2.2 The First Credit Cards
        3. 1.1.2.3 The Development of a Credit Card Industry
    2. 1.2 Debit Cards and Automated Teller Machines
      1. 1.2.1 The Coming of the Debit Card
      2. 1.2.2 The Automated Teller Machine
      3. 1.2.3 E-Commerce and Online Payments
    3. 1.3 The Future of Payments
      1. 1.3.1 Trends for the Future of Payments
        1. 1.3.1.1 Mobile Payments
        2. 1.3.1.2 Contactless Payments
        3. 1.3.1.3 Chip and PIN Cards
    4. 1.4 Summary
  4. Chapter 2 - Card Anatomy: The Essentials
    1. 2.1 Payment Cards: Types of Cards
      1. 2.1.1 Payment Card with Magnetic Stripe
        1. 2.1.1.1 Magnetic Stripe Cards: A Brief History
        2. 2.1.1.2 Magnetic-Stripe Coercivity
        3. 2.1.1.3 Magnetic Stripe: A Primer on Data Sets
      2. 2.1.2 Chip and PIN Cards
    2. 2.2 Payment Cards: An Anatomy
      1. 2.2.1 Payment Card: External Visage (Front)
        1. 2.2.1.1 The Card Issuer’s Logo
        2. 2.2.1.2 The Payment Brand Logo and Hologram
        3. 2.2.1.3 The Card Number (PAN)
        4. 2.2.1.4 The Expiration Date
        5. 2.2.1.5 The Cardholder’s Name
      2. 2.2.2 Payment Card: External Visage (Back)
        1. 2.2.2.1 The Magnetic Stripe
        2. 2.2.2.2 Signature Strip
        3. 2.2.2.3 The CVV
        4. 2.2.2.4 Service Disclaimer
        5. 2.2.2.5 Bank Address and Contact Details
        6. 2.2.2.6 Customer Service Information
    3. 2.3 Data Sets: Payment Card
      1. 2.3.1 Track 1 Data
      2. 2.3.2 Track 2 Data
      3. 2.3.3 Track 3 Data
    4. 2.4 Payment Card: Terminology
      1. 2.4.1 The Payment Card Processing Cycle
      2. 2.4.2 Merchants
      3. 2.4.3 Acquirers
      4. 2.4.4 Payment Networks
      5. 2.4.5 Issuers
      6. 2.4.6 Processors
      7. 2.4.7 Other Service Providers
      8. 2.4.8 Independent Sales Organizations
    5. 2.5 Payment Card Transactions
      1. 2.5.1 Card-Present Transaction
      2. 2.5.2 Card-Not-Present Transaction
      3. 2.5.3 Open-Loop Payment Systems
      4. 2.5.4 Closed-Loop Payment Systems
    6. 2.6 Summary
  5. Chapter 3 - Security and the Payment-Card Industry
    1. 3.1 A Brief History of Credit Card Fraud
    2. 3.2 A Brief History of Significant Card Data Breaches
      1. 3.2.1 The CardSystems Breach
      2. 3.2.2 The T.J. Maxx Card Breach
      3. 3.2.3 The Heartland Payment Systems Breach
      4. 3.2.4 The Sony PlayStation Network Breach
    3. 3.3 Cardholder Security Programs
      1. 3.3.1 Card Brand Cardholder Security Programs
      2. 3.3.2 The Formation of the PCI-DSS and PCI-SSC
      3. 3.3.3 Structure of the PCI Standards
      4. 3.3.4 The PCI Assessment Environment
        1. 3.3.4.1 PCI-QSAs and PCI-QSACs
        2. 3.3.4.2 The PCI ASV (Approved Scanning Vendor)
        3. 3.3.4.3 The PCI Internal Security Assessor
        4. 3.3.4.4 The PCI Special-Interest Groups
      5. 3.3.5 Payment Application Compliance
        1. 3.3.5.1 PCI’s PA-DSS
        2. 3.3.5.2 PA-QSA and PA-QSAC
    4. 3.4 Summary
  6. Chapter 4 - Payment Card Industry Data Security Standard (PCI-DSS)
    1. 4.1 Brief History of the PCI-DSS
    2. 4.2 PCI Compliance Levels: Payment Brands
      1. 4.2.1 Payment Brand Compliance Programs and PCI-DSS
      2. 4.2.2 Compliance Levels and Compliance Requirements
        1. 4.2.2.1 Visa Merchant and Service Provider Validation Levels
        2. 4.2.2.2 MasterCard Merchant and Service Provider Validation Levels
        3. 4.2.2.3 American Express Merchant and Service Provider Compliance Validation Levels
        4. 4.2.2.4 Compliance Validation Levels: Identification and Implementation
    3. 4.3 PCI-DSS: Applicability
      1. 4.3.1 Applicability of PCI Compliance and Interplay with Compliance Validation Requirements
      2. 4.3.2 Merchant Organizations
      3. 4.3.3 Service Providers: Processors
      4. 4.3.4 Service Providers: Everybody Else
      5. 4.3.5 Cloud Service Providers
    4. 4.4 PCI: Attestation, Assessment, and Certification
      1. 4.4.1 The Role of a PCI-QSA
      2. 4.4.2 The PCI-DSS Requirements
      3. 4.4.3 Compensatory Controls
      4. 4.4.4 Documentation: The Report on Compliance
      5. 4.4.5 Documentation: The Attestation of Compliance
    5. 4.5 Summary
  7. Chapter 5 - The Payment Application Data Security Standard (PA-DSS)
    1. 5.1 History and Overview of the PA-DSS
      1. 5.1.1 The Need for Payment Application Validation for PCI
      2. 5.1.2 A Brief History of the PA-DSS
      3. 5.1.3 Primer on the PA-DSS Standard
        1. 5.1.3.1 The PA-DSS Requirements
    2. 5.2 PA-DSS Validation
      1. 5.2.1 The PA-DSS Validation Process
      2. 5.2.2 The Differences in PCI-DSS and PA-DSS Validation
      3. 5.2.3 Technical Testing and Validation for the PA-DSS
      4. 5.2.4 The Role of a PA-QSA
    3. 5.3 PA-DSS Documentation
      1. 5.3.1 The PA-DSS Report on Validation
      2. 5.3.2 The PA-DSS Implementation Guide
      3. 5.3.3 The PA-DSS Attestation of Validation
      4. 5.3.4 The PA-DSS Vendor Release Agreement
    4. 5.4 PA-DSS Application Revalidation
      1. 5.4.1 Annual Revalidation
      2. 5.4.2 Changes to Payment Applications
        1. 5.4.2.1 No-Impact Change
        2. 5.4.2.2 Low-Impact Change
        3. 5.4.2.3 High-Impact Change
      3. 5.4.3 Change-Impact Documentation
        1. 5.4.3.1 No-Impact Change-Impact Documentation
        2. 5.4.3.2 Low-Impact Change-Impact Documentation
        3. 5.4.3.3 High-Impact Change-Impact Documentation
    5. 5.5 Summary
  8. Chapter 6 - Enterprise Approach to PCI Compliance
    1. 6.1 Industry Verticals and PCI Compliance
      1. 6.1.1 PCI Approaches for Different Industry Verticals
        1. 6.1.1.1 Basic Business Function
        2. 6.1.1.2 Cardholder Information Touch Points
        3. 6.1.1.3 The Organization Itself
      2. 6.1.2 Merchants
      3. 6.1.3 Service Providers
        1. 6.1.3.1 Issuing TPPs
        2. 6.1.3.2 Acquiring TPPs
      4. 6.1.4 Banks
      5. 6.1.5 Other Service Providers
    2. 6.2 Enterprise Challenges: PCI Compliance
      1. 6.2.1 Information Overload: A Perspective
      2. 6.2.2 Knowledge of the Team
      3. 6.2.3 Management Impetus
      4. 6.2.4 Budgetary Constraints
      5. 6.2.5 Technical Constraints
    3. 6.3 Good Practices: To Get PCI-Compliant
      1. 6.3.1 PCI Taskforce
      2. 6.3.2 Create a Defined Scope
      3. 6.3.3 Don’t Focus on PCI Compliance
      4. 6.3.4 Understand Risk—Always
      5. 6.3.5 Pick the Right QSA
    4. 6.4 Good Practices for Application Vendors: PA-DSS
      1. 6.4.1 Security from Incipiency
      2. 6.4.2 Document, Document, Document
      3. 6.4.3 Scope Out
    5. 6.5 Summary
  9. Chapter 7 - Scoping for PCI Compliance
    1. 7.1 Scoping for PCI Compliance: A Primer
    2. 7.2 The Cardholder-Data Environment (CDE)
      1. 7.2.1 Defining the Cardholder-Data Environment
      2. 7.2.2 Cardholder-Data Flow
      3. 7.2.3 Cardholder-Data Matrix
        1. 7.2.3.1 ATM Card Processing: Acquiring
        2. 7.2.3.2 Card-Issuing Function
        3. 7.2.3.3 POS Billing and Merchant Acquisition
        4. 7.2.3.4 Fraud-Management Services
        5. 7.2.3.5 Cardholder Customer Service Management
        6. 7.2.3.6 Identifying Cardholder Data
      4. 7.2.4 The Role of the PCI-QSA in the CDE
    3. 7.3 Tips for Scope Reduction
      1. 7.3.1 Why Reduce Scope?
      2. 7.3.2 Network Segmentation
      3. 7.3.3 Scoping Out E-Commerce Applications
      4. 7.3.4 Tokenization and Other Data-Protection Techniques
    4. 7.4 System Components in the PCI Scope
      1. 7.4.1 Network and Network Components
      2. 7.4.2 Servers and OS Components
      3. 7.4.3 Applications
    5. 7.5 Summary
  10. Chapter 8 - Requirement 1: Build and Maintain a Secure Network
    1. 8.1 Network Security: A Primer
      1. 8.1.1 Network Security Architecture: Enterprise
      2. 8.1.2 Network Architecture: Scoping Out
        1. 8.1.2.1 Benefits of Scoping Out with Network Segmentation
        2. 8.1.2.2 Common Resources
        3. 8.1.2.3 Technology: Network Segmentation
    2. 8.2 Network Security Requirements for PCI
      1. 8.2.1 The Network Security Documentation
        1. 8.2.1.1 Requirement 1.1: Firewall and Router Configuration Standards
        2. 8.2.1.2 PCI Assessor’s Notes: Requirement 1.1
      2. 8.2.2 Network Components: Firewalls, Routers, and Other Network Components
        1. 8.2.2.1 Firewall and Router Specifications and Configurations
      3. 8.2.3 The Demilitarized Zone (DMZ)
        1. 8.2.3.1 PCI Requirements Relating to the DMZ
      4. 8.2.4 The Role of Managed Services
    3. 8.3 Summary
  11. Chapter 9 - Requirement 2: Vendor-Supplied Defaults, System Passwords, and Security Parameters
    1. 9.1 Vendor-Supplied Default Passwords
      1. 9.1.1 Configuration Standards and Vendor-Supplied Default Passwords and Security Parameters
        1. 9.1.1.1 Requirement 2.1: Change Vendor-Supplied Default Passwords
        2. 9.1.1.2 Requirement 2.2: Configuration Standards for System Components
        3. 9.1.1.3 Requirement 2.2.1: One Primary Function per Server
        4. 9.1.1.4 Insecure Protocols and Services
        5. 9.1.1.5 Requirements 2.2.3 and 2.2.4 Security Parameters: To Prevent Misuse
      2. 9.1.2 Nonconsole Administrative Access
      3. 9.1.3 Wireless Security Consideration: Vendor-Supplied Defaults
    2. 9.2 PA-DSS: Application Requirements for Vendor-Supplied Defaults and Security Parameters
      1. 9.2.1 Payment Application Vendor-Supplied Defaults
        1. 9.2.1.1 Requirement 3.1b of the PA-DSS
        2. 9.2.1.2 Requirement 5.1.3 of the PA-DSS
      2. 9.2.2 Secure Network Implementation: Payment Applications
        1. 9.2.2.1 Requirement 5.4 of the PA-DSS
        2. 9.2.2.2 Requirement 8.1 of the PA-DSS
        3. 9.2.2.3 Requirement 6 of the PA-DSS: Wireless Security Requirements
    3. 9.3 Summary
  12. Chapter 10 - Requirement 3: Protect Stored Cardholder Data
    1. 10.1 Storage, Retention, and Destruction of Stored Cardholder Data
      1. 10.1.1 Do You Really Need to Store Cardholder Data?
      2. 10.1.2 Policies and Procedures around Storage of Cardholder Data
    2. 10.2 Requirement 3.2: Sensitive Authentication Data at Rest
      1. 10.2.1 Authentication Parameters: Concept Overview
        1. 10.2.1.1 CVV/CVC/CAV1&2
        2. 10.2.1.2 PIN Verification Value (PVV) and PIN Offset
        3. 10.2.1.3 PIN/PIN Block
      2. 10.2.2 Authentication Parameters
      3. 10.2.3 Issuers and Storage of Sensitive Authentication Data
      4. 10.2.4 Requirement 3.2: Assessment Notes
    3. 10.3 Display of the Card PAN
    4. 10.4 Requirement 3.4: Rendering the PAN Unreadable Wherever Stored
      1. 10.4.1 An Overview of Techniques to Render the PAN Unreadable
        1. 10.4.1.1 Use of One-Way Hashing
        2. 10.4.1.2 One-Way Hashing Algorithms and Security Considerations
        3. 10.4.1.3 Use of Truncation
        4. 10.4.1.4 Use of Tokenization
        5. 10.4.1.5 Use of Strong Cryptography
      2. 10.4.2 Rendering the PAN Unreadable Everywhere It Is Stored
    5. 10.5 Cryptography: Terminology and Concept Review
      1. 10.5.1 Cryptosystem
      2. 10.5.2 Key and Keyspace
      3. 10.5.3 Initialization Vector
      4. 10.5.4 Symmetric and Asymmetric Cryptography
      5. 10.5.5 Block Ciphers and Stream Ciphers
      6. 10.5.6 Block Cipher Modes of Encryption
        1. 10.5.6.1 Electronic Code Book
        2. 10.5.6.2 Cipher Block Chaining
        3. 10.5.6.3 Cipher Feedback
        4. 10.5.6.4 Output Feedback
        5. 10.5.6.5 Counter
    6. 10.6 Requirements 3.5 and 3.6: Key Security and Key Management
      1. 10.6.1 Key-Management Considerations: Enterprises
      2. 10.6.2 Key-Management Practices for Banks and Acquiring and Issuing TPPs
        1. 10.6.2.1 Hardware Security Module (HSM)
        2. 10.6.2.2 Local Master Key
        3. 10.6.2.3 Zone-Control Master Keys
        4. 10.6.2.4 PIN Working Keys
        5. 10.6.2.5 PIN Verification Key
        6. 10.6.2.6 Message Authentication Keys
        7. 10.6.2.7 Card Verification Keys
        8. 10.6.2.8 Derived Unique Key per Transaction (DUKPT)
      3. 10.6.3 Principles of Encryption and Key Management for Protecting the Stored PAN
        1. 10.6.3.1 Secure Key Generation
        2. 10.6.3.2 Single-Purpose Cryptographic Keys
        3. 10.6.3.3 Secure Key Storage
        4. 10.6.3.4 Secure Key Distribution and Exchange
        5. 10.6.3.5 Cryptoperiod and Key Changes
        6. 10.6.3.6 Dual-Key Management for Manual Cryptography
    7. 10.7 Summary
  13. Chapter 11 - Requirement 4: Securing Cardholder Information in Transit
    1. 11.1 Requirement 4.1: Secure Transmission of Cardholder Information over Open, Public Networks
      1. 11.1.1 Open, Public Networks: A PCI Viewpoint
      2. 11.1.2 Secure Protocols
        1. 11.1.2.1 HTTPS with SSL/TLS
        2. 11.1.2.2 Secure Shell (SSH)
        3. 11.1.2.3 IPSec VPN
      3. 11.1.3 Requirement 4.1.1: WiFi Security Practices for Cardholder Data Transmissions
    2. 11.2 Requirement 4.2: Unprotected PANs over End-User Messaging Technologies
    3. 11.3 Summary
  14. Chapter 12 - Requirement 5: Use and Regularly Update Antivirus Software
    1. 12.1 Requirement 5.1: Use of Antivirus Programs to Protect Commonly Affected Systems
      1. 12.1.1 Antivirus Deployment within the PCI Environment (CDE)
    2. 12.2 Requirement 5.2: Managing the Antivirus Application
      1. 12.2.1 Managing and Monitoring the Antivirus Application for PCI Compliance
    3. 12.3 Commercial Applications: Antivirus Requirements
    4. 12.4 Summary
  15. Chapter 13 - Requirement 6: Develop and Maintain Secure Systems
    1. 13.1 Requirement 6.1: Patch-Management Practices for PCI Compliance
      1. 13.1.1 Patch Management for PCI Compliance
      2. 13.1.2 Approaches to Patching and Patch Management
        1. 13.1.2.1 Change-Management Process of System Patch Deployment
      3. 13.1.3 Risk-Based Approach to Patch Management
      4. 13.1.4 Assessor’s Notes for Verifying Patch-Management Practices
    2. 13.2 Requirement 6.2: Vulnerability-Management Practices for PCI Compliance
    3. 13.3 Secure Application Development Practices for PCI-DSS and PA-DSS
      1. 13.3.1 Requirement 6.3: Secure SDLC for Application Development
        1. 13.3.1.1 The Risk-Assessment Approach to Secure SDLC
        2. 13.3.1.2 Requirement 6.3.1: Removal of Default User Accounts, IDs, and Passwords
        3. 13.3.1.3 Requirement 6.3.2: Custom Code Review for Security
      2. 13.3.2 Requirement 6.4: Application Change Management and Change Control
        1. 13.3.2.1 Requirement 6.4.5: Change-Management Document and the Essentials of Change Control and Change Management
        2. 13.3.2.2 Requirements 6.4.2 and 6.4.3: Separation of Production, Development, and Test Environments
        3. 13.3.2.3 Requirement 6.4.3: Use of Live PANs for Testing
        4. 13.3.2.4 Requirement 6.4.4: Removal of Test Data in Production
    4. 13.4 Requirement 6.5: Secure Coding Guidelines for Applications
      1. 13.4.1 Secure Coding Guidelines: References and Best Practices
      2. 13.4.2 Requirement 6.5.1: Secure Coding to Address Injection Flaws
        1. 13.4.2.1 SQL Injection
        2. 13.4.2.2 XPath Injection
        3. 13.4.2.3 LDAP Injection
        4. 13.4.2.4 Command Injection
      3. 13.4.3 Requirement 6.5.2: Secure Coding to Address Buffer Overflows
      4. 13.4.4 Requirement 6.5.3: Secure Coding to Address Cryptographic Flaws
        1. 13.4.4.1 Cryptography Essentials
      5. 13.4.5 Requirement 6.5.4: Secure Coding to Address Insecure Transmissions
        1. 13.4.5.1 The SSL/TLS Handshake Process
        2. 13.4.5.2 Implementation Best Practices for Secure Transmission: Web Applications
      6. 13.4.6 Requirement 6.5.5: Secure Coding to Address Improper Error Handling
      7. 13.4.7 Requirement 6.5.6: Remediation Measures to Address High-Severity Vulnerabilities
      8. 13.4.8 Requirement 6.5.7: Secure Coding to Address Cross-Site Scripting
        1. 13.4.8.1 Reflected XSS
        2. 13.4.8.2 Persistent XSS
      9. 13.4.9 Requirement 6.5.8: Secure Coding to Address Flawed Access Control
        1. 13.4.9.1 Session Hijacking
        2. 13.4.9.2 Cross-Site Request Forgery
        3. 13.4.9.3 Session Fixation
        4. 13.4.9.4 Forceful Browsing
      10. 13.4.10 Requirement 6.5.9: Secure Coding to Address Cross-Site Request Forgery
    5. 13.5 Ongoing Vulnerability-Management Practices for Web Applications
      1. 13.5.1 Web-Application Vulnerability Assessments
      2. 13.5.2 Usage of a Web-Application Firewall
    6. 13.6 Summary
  16. Chapter 14 - Requirement 7: Restrict Access to Cardholder Data by Business Need to Know
    1. 14.1 Requirement 7.1: Restrict Access to Systems with Cardholder Data
      1. 14.1.1 Access Restrictions across the PCI Environment
      2. 14.1.2 The Principle of Least Privilege
      3. 14.1.3 Documentation of Approval: Access Privileges
      4. 14.1.4 Automated Access-Control System
    2. 14.2 Summary
  17. Chapter 15 - Requirement 8: Access-Control Requirements for PCI Environments
    1. 15.1 Unique IDs for Users: PCI Environment
      1. 15.1.1 Requirement 8.1: Assign Unique IDs to Users in PCI Environment
    2. 15.2 Factors of Authentication
      1. 15.2.1 The Three Factors of Authentication Supplementing User IDs
        1. 15.2.1.1 Something You Know: Knowledge Factors
        2. 15.2.1.2 Something You Are: Physical Factors
        3. 15.2.1.3 Something You Have: Physical Token Parameters
      2. 15.2.2 Two-Factor Authentication: Remote Access
    3. 15.3 Protection of Passwords: Transmission and Storage
      1. 15.3.1 Protection of Passwords in Transit
      2. 15.3.2 Protection of Passwords at Rest
    4. 15.4 Authentication Management for PCI Environments
      1. 15.4.1 Access-Control Procedure
      2. 15.4.2 Requirement 8.5.1: Control of Operations on Access Control
      3. 15.4.3 Requirement 8.5.2: Verification of User Identity (Password Resets)
      4. 15.4.4 Requirement 8.5.3: Unique Password Value and First-Use Change
      5. 15.4.5 Requirements 8.5.4 and 8.5.5: Revocation and Removal of User Access Rights
        1. 15.4.5.1 Requirement 8.5.4: Revocation of User Access Rights Immediately after User Separation
        2. 15.4.5.2 Requirement 8.5.5: Disabling User Accounts within 90 Days
      6. 15.4.6 Requirement 8.5.6: Vendor Account Access Management
      7. 15.4.7 Requirement 8.5.8: Prohibit Shared, Group, or Generic Accounts
      8. 15.4.8 Requirements 8.5.9–8.5.15: Password Management for PCI Environments
    5. 15.5 Database Access Requirements for PCI Environments
      1. 15.5.1 Requirement 8.5.16: Database Authentication Requirements
    6. 15.6 PA-DSS Requirements for Authentication
      1. 15.6.1 Requirement 8 of PCI and Requirement 3 of the PA-DSS
    7. 15.7 Summary
  18. Chapter 16 - Requirement 9: Restrict Physical Access to Cardholder Data
    1. 16.1 Requirement 9.1: Physical Access Controls for the PCI Environment
      1. 16.1.1 Requirement 9.1.1: Use of Cameras and/or Access-Control Mechanisms
      2. 16.1.2 Requirements 9.1.2 and 9.1.3: Restrict Physical Access to Network Components
        1. 16.1.2.1 The Dangers of Visitor Network Access
        2. 16.1.2.2 Protection Strategies for Visitor Network Access
        3. 16.1.2.3 Requirement 9.1.3: Physical Protection for Network Devices
    2. 16.2 Requirements 9.2, 9.3, and 9.4: Employee and Visitor Access
      1. 16.2.1 Visitor-Management Procedure
        1. 16.2.1.1 Visitor Access and Employee Access Distinctions
        2. 16.2.1.2 Granting Visitor Access
        3. 16.2.1.3 Visitor Access Privileges and Restrictions
        4. 16.2.1.4 Revocation of Visitor and Employee Access
        5. 16.2.1.5 Access to Badge System/Physical Access-Control System
        6. 16.2.1.6 Visitor Distinction
        7. 16.2.1.7 Visitor Access Records
    3. 16.3 Requirements 9.5–9.10: Media Management and Security
      1. 16.3.1 Requirement 9.5: Physical Security—Off-Site Media Backup Location
        1. 16.3.1.1 The Need for Off-Site Backup
        2. 16.3.1.2 Security Controls: Off-Site Backup
      2. 16.3.2 Requirements 9.9 and 9.10: Media Destruction
    4. 16.4 Summary
  19. Chapter 17 - Requirement 10: Logging and Monitoring for the PCI Standards
    1. 17.1 Audit Trails: PCI Requirements
      1. 17.1.1 The Need for Audit Trails and Logs
      2. 17.1.2 Challenges: Log Management
        1. 17.1.2.1 Distributed Event Logs
        2. 17.1.2.2 Volume of Log Entries
        3. 17.1.2.3 Nonstandard Logging Practices
        4. 17.1.2.4 Multiple Tools
        5. 17.1.2.5 People Intensive
      3. 17.1.3 Access-Control Link: Audit Trails
    2. 17.2 Details: Audit Trail Capture
      1. 17.2.1 Audit Logs: Details
        1. 17.2.1.1 Individual Access to Cardholder Data
        2. 17.2.1.2 Actions by Root or Administrative Users
        3. 17.2.1.3 Access to Audit Trails
        4. 17.2.1.4 Invalid Access Attempts
        5. 17.2.1.5 Use of Identification and Authentication Mechanisms
        6. 17.2.1.6 Initialization of Audit Logs
        7. 17.2.1.7 Creation of System-Level Objects
      2. 17.2.2 Audit-Trail Entries and Records
        1. 17.2.2.1 User Identification
        2. 17.2.2.2 Type of Event
        3. 17.2.2.3 Date and Time
        4. 17.2.2.4 Indication of Success or Failure
        5. 17.2.2.5 Origination of Event
        6. 17.2.2.6 Identification of Affected System, Resource, or Component
      3. 17.2.3 Application Logging Best Practices
    3. 17.3 The Importance of Time and Its Consistency
      1. 17.3.1 Time Sync across IT Components
      2. 17.3.2 Network Time Protocol for Time Synchronization
    4. 17.4 Securing Audit Trails and Logs
      1. 17.4.1 Business Need to Know: Logs and Audit Trails
      2. 17.4.2 Securing Log Information
        1. 17.4.2.1 Strong Access Control
        2. 17.4.2.2 System Hardening
        3. 17.4.2.3 Centralized Log Server
        4. 17.4.2.4 File-Integrity Monitoring
    5. 17.5 Log Monitoring, Review, and Retention
      1. 17.5.1 Requirement 10.6: Log Review and Monitoring
      2. 17.5.2 Requirement 10.7: Log Retention
    6. 17.6 Summary
  20. Chapter 18 - Requirement 11: Security Testing for the PCI Environment
    1. 18.1 Wireless Access Point: Testing
      1. 18.1.1 Testing for Rogue/Unauthorized Wireless Access Points
        1. 18.1.1.1 Wireless Network Scanning
        2. 18.1.1.2 Physical Inspection
        3. 18.1.1.3 Network Access Control
        4. 18.1.1.4 Wireless IDS/IPS Deployment
    2. 18.2 Internal and External Network Vulnerability Scanning
      1. 18.2.1 Vulnerability Scanning: Concept Note
        1. 18.2.1.1 Vulnerability Categorization
        2. 18.2.1.2 Vulnerability Scanning: Methodology
      2. 18.2.2 Internal and External Network Vulnerability Scanning
        1. 18.2.2.1 Internal and External Vulnerability Scanning
        2. 18.2.2.2 Network Vulnerability Scanning
      3. 18.2.3 Scanning by PCI-Approved Scanning Vendor (ASV)
    3. 18.3 Internal and External Penetration Testing
      1. 18.3.1 Fundamental Differences: Vulnerability Assessment and Penetration Testing
        1. 18.3.1.1 Why Perform a Penetration Test?
      2. 18.3.2 Network-Layer Penetration Tests
      3. 18.3.3 Application-Layer Penetration Testing
    4. 18.4 Deployment of Intrusion Detection/Prevention Devices or Applications
      1. 18.4.1 Intrusion Detection/Prevention Systems: An Overview
        1. 18.4.1.1 Signature Based
        2. 18.4.1.2 Statistical-Based Anomaly Detection
        3. 18.4.1.3 Stateful Protocol Analysis Detection
      2. 18.4.2 PCI Requirement: Intrusion Detection/Prevention System
    5. 18.5 File-Integrity Monitoring: Critical System Files and Configurations
      1. 18.5.1 Attacks: Key System Files
      2. 18.5.2 File-Integrity Monitoring: Critical System Files, Processes, and Content Files
    6. 18.6 Summary
  21. Chapter 19 - Requirement 12: Information Security Policies and Practices for PCI Compliance
    1. 19.1 Information Security Policy: PCI Requirements
      1. 19.1.1 Security Policy Definition
      2. 19.1.2 Risk Assessment: PCI Compliance
        1. 19.1.2.1 A Question of Adequacy
        2. 19.1.2.2 Risk Assessment: Process and Overview
      3. 19.1.3 Annual Review: Policy and Risk-Management Framework
    2. 19.2 Operational Security Procedures
      1. 19.2.1 Security Focus Areas
      2. 19.2.2 Acceptable Usage Policies and Procedures
        1. 19.2.2.1 List of Acceptable Technologies, Applications, and Devices
        2. 19.2.2.2 Explicit Approval for Technology Usage
        3. 19.2.2.3 Inventory and Labeling
        4. 19.2.2.4 Authentication for the Use of Technology
        5. 19.2.2.5 Acceptable Usage
    3. 19.3 Security Roles and Responsibilities
      1. 19.3.1 Documentation: Roles and Responsibilities
        1. 19.3.1.1 The Chief Information Security Officer
        2. 19.3.1.2 Distribution of Policies and Procedures and Monitoring of Security Alerts
        3. 19.3.1.3 User Management: Roles and Responsibilities
    4. 19.4 People Security Practices
      1. 19.4.1 Security Awareness Training and Monitoring
      2. 19.4.2 Employee Background Verification
    5. 19.5 Vendor Management and PCI Compliance
      1. 19.5.1 Vendors: Data Sharing and Risk Management
    6. 19.6 Incident Management and Incident Response
      1. 19.6.1 Incident-Response Plans and Procedures
        1. 19.6.1.1 Elements of Incident-Response Plan
        2. 19.6.1.2 Incident-Response Success Factors
    7. 19.7 Summary
  22. Chapter 20 - Beyond PCI Compliance
    1. 20.1 Maintaining PCI Compliance: The Challenge
      1. 20.1.1 The Challenge: The Dilemma Produced by Success
        1. 20.1.1.1 The Information Problem
        2. 20.1.1.2 The Technology Challenge
        3. 20.1.1.3 Management Attitude
    2. 20.2 Success Factors for Continuing PCI Compliance
      1. 20.2.1 A Change of Attitude
      2. 20.2.2 Deep Understanding of Risk and Its Application
      3. 20.2.3 The CISO
    3. 20.3 Summary
  23. Addendum
    1. What’s New in PCI-DSS v 3.0?
      1. A1 – Current Network Diagram with Cardholder Data Flows
      2. A2 – Inventory of System Components in the PCI Scoped Environment
      3. A3 – Malware Protection for Uncommon System Components
      4. A4 – Enhanced List of Secure Coding Guidelines
      5. A5 – Clarifications for Multiple Authentication Factors
      6. A6 – Protection of Physical POS Devices
      7. A7 – Penetration Testing for Segmentation and Scope Reduction
      8. A8 – Vendor PCI Compliance