PCI DSS
Content
- Intro
- Foreword
- Preface
- About the Author
- Acknowledgements
- Contents
- Background
- What is PCI?
- Summary of changes to latest version of PCI DSS
- Top Ten myths about PCI
- Myth 1 - One vendor and product will make us compliant
- Myth 2 - Outsourcing card processing makes us compliant
- Myth 3 - PCI compliance is an IT project
- Myth 4 - PCI will make us secure
- Myth 5 - PCI is unreasonable - it requires too much
- Myth 6 - PCI requires us to hire a Qualified Security Assessor
- Myth 7 - We don't take enough credit cards to be compliant
- Myth 8 - We completed a SAQ so we're compliant
- Myth 9 - PCI makes us store cardholder data
- Myth 10 - PCI is too hard
- Why PCI?
- What are the different types of threats (or vulnerabilities)?
- How does PCI compliance work?
- How is PCI compliance demonstrated?
- Validation requirements
- What is the role of the ASV?
- What is the role of the QSA?
- Getting started with PCI
- Other related PCI Standards to take into consideration
- Payment Application - Data Security Standard (PA-DSS)
- PCI PTS
- Compensating controls - Using what you already have in place
- A prioritised approach to compliance
- Milestone 1
- Milestone 2
- Milestone 3
- Milestone 4
- Milestone 5
- Milestone 6
- Some strategic thoughts
- Benefits of a combined approach to compliance
- The approach of this book
- Chapter 1: Step 1 - Establishing the PCI Project
- What is the project initiation workshop objective?
- What are the workshop deliverables?
- Chapter 2: Step 2 - Determine the Scope
- Scoping the PCI target environment
- The approach used to determine the exact scope
- Workshop objective:
- Chapter 3: Step 3 - Review the Information Security Policy
- Chapter 4: Step 4 - Conduct Gap Analysis
- Gap analysis objectives
- Gap analysis approach
- PCI gap analysis reporting and security improvement plan
- Chapter 5: Step 5 - Conduct Risk Analysis
- The goal of the risk management process
- The benefits of risk management
- The elements of the risk management process
- Risk step 1 - Scoping meeting (identify and record high-level risks)
- Task 1 - Risk (threat) identification
- Task 2 - Risk (threat) description
- Risk step 2 - Desktop study - analyse and prioritise risks
- Task 1 - Impact identification
- Task 2 - Vulnerability identification
- Task 3 - Likelihood determination
- Task 4 - Control analysis
- Task 5 - Risk register
- Risk step 3 - Conduct risk planning
- Decision
- Risk treatment
- Residual risk reporting
- Risk step 4 - Update risk register, monitor and track risks
- Monitor and tracking risks
- Risk control
- Risk step 5 - Prepare risk management report
- Risk step 6 - Debriefing meeting and presentation of the risk report
- Chapter 6: Step 6 - Establish the Baseline
- Build and maintain a secure network
- Task 1 (Requirement 1) - Install and maintain a firewall configuration to protect data
- Task 2 (Requirement 2) - Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect cardholder data
- Task 3 (Requirement 3) - Protect stored cardholder data
- Task 4 (Requirement 4) - Encrypt transmission of cardholder data and sensitive information across public networks
- Maintain a vulnerability management programme
- Task 5 (Requirement 5) - Use and regularly update anti-virus software
- Task 6 (Requirement 6) - Develop and maintain secure systems and applications
- Implement strong access control measures
- Task 7 (Requirement 7) - Restrict access to cardholder data by business 'need-to-know'
- Task 8 (Requirement 8) - Assign a unique ID to each person with computer access
- Task 9 (Requirement 9) - Restrict physical access to cardholder data
- Regularly monitor and test networks
- Task 10 (Requirement 10) - Track and monitor all access to network resources and cardholder data
- Task 11 (Requirement 11) - Regularly test security systems and processes
- Maintain an information security policy
- Task 12 (Requirement 12) - Maintain a policy that addresses information security for employees and contractors
- Chapter 7: Step 7 - Auditing
- Initiation of the audit (objectives and scope)
- What are the PCI auditing objectives?
- Auditing objectives
- Technical audit objectives
- Scope
- Auditor preparation
- Technical audit preparation
- Conduct the audit
- Task 1) Review the information security management system components
- Task 2) Review policy components
- Task 3) Review the process functions
- Task 4) Review the procedure components
- Task 5) Review the standards
- Task 6) Review the user management
- Task 7) Review the technical components
- Report the findings
- Audit reporting
- Audit deliverables
- Agree follow-up action and clearance of any findings
- Chapter 8: Step 8 - Remediation Planning
- Chapter 9: Step 9 - Maintaining and Demonstrating Compliance
- Validation requirements
- How to meet these requirements
- Using log management information for PCI compliance
- Regular monitoring and testing
- Arriving where you want to be: PCI compliant
- Demonstrating compliance - ROC
- Instructions and content for report on compliance
- Contact information and report date
- Executive summary
- Description of scope of work and approach taken
- Maintaining your PCI compliance
- Example compliance mapping for your current environment
- Future PCI compliance considerations
- Example compliance mapping for applications
- Payment Application Data Security Standard (PA-DSS) Application
- Application operating systems
- Example compliance mapping for POS
- Chapter 10: PCI DSS and ISO27001
- PCI and ISO27001 - the comparisons
- Appendix 1 - Project Checklist
- Appendix 2 - PCI DSS Project Plan
- Appendix 3 - Bibliography and Sources
- Appendix 4 - Further Useful Information
- PCI DSS available resources
- The PCI self-assessment questionnaire (SAQ)
- Payment card industry self-assessment questionnaire (pdf)
- PCI DSS payment card industry self-assessment questionnaire (locked Word)
- PCI DSS security audit procedures (pdf)
- PCI DSS security audit procedures (locked Word)
- PCI DSS security scanning procedures
- PCI DSS validation requirements for qualified security assessors (QSAs) v 1.2
- PCI qualified security assessor (QSA) agreement sample
- QSA feedback form
- PCI DSS validation requirements for approved Scanning vendors (ASVs) v 1.1
- PCI ASV compliance test agreement sample
- ASV feedback form
- PCI DSS technical and operational requirements for approved scanning vendors (ASVs) v 1.1
- PCI DSS approved scanning vendors
- Appendix 5 - PCI DSS Mapping to ISO27001
- ITG Resources
- Other Websites
- Pocket Guides
- Toolkits
- Best Practice Reports
- Training and Consultancy
- Newsletter
System requirements
File format: PDF
Copy-Protection: Adobe-DRM (Digital Rights Management)
System requirements:
- Computer (Windows; MacOS X; Linux): Install the free reader Adobe Digital Editions prior to download (see eBook Help).
- Tablet/smartphone (Android; iOS): Install the free app Adobe Digital Editions or the app PocketBook before downloading (see eBook Help).
- E-reader: Bookeen, Kobo, Pocketbook, Sony, Tolino and many more (only limited: Kindle).
The file format PDF always displays a book page identically on any hardware. This makes PDF suitable for complex layouts such as those used in textbooks and reference books (images, tables, columns, footnotes). Unfortunately, on the small screens of e-readers or smartphones, PDFs are rather annoying, requiring too much scrolling.
This eBook uses Adobe-DRM, a "hard" copy protection. If the necessary requirements are not met, unfortunately you will not be able to open the eBook. You will therefore need to prepare your reading hardware before downloading.
Please note: We strongly recommend that you authorise using your personal Adobe ID after installation of any reading software.
For more information, see our eBook Help page.