book

PCI Compliance

by Abhay Bhargav

May 2014

Intermediate to advanced

351 pages

11h 32m

English

Auerbach Publications

Read now

Unlock full access

1.1 The Development of a System: The Coming of the Credit Card1.1.1 The Need for Credit: A Historical Perspective1.1.1.1 Credit in the Mesopotamian Civilization1.1.1.2 Credit in the Era of Coins and Metal Bullion (800 BC to AD 600)1.1.1.3 The Rise of Virtual Money Transactions (AD 600 to AD 1500)1.1.1.4 The Reemergence of Coins and Precious Metal Currency (1500–1971)1.1.1.5 The Rise of Debt (1971 Onwards)1.1.1.6 The Need for Credit1.1.2 The Credit Card: A Means to Address the Need for Credit1.1.2.1 The History of the Credit Card1.1.2.2 The First Credit Cards1.1.2.3 The Development of a Credit Card Industry1.2 Debit Cards and Automated Teller Machines1.2.1 The Coming of the Debit Card1.2.2 The Automated Teller Machine1.2.3 E-Commerce and Online Payments1.3 The Future of Payments1.3.1 Trends for the Future of Payments1.3.1.1 Mobile Payments1.3.1.2 Contactless Payments1.3.1.3 Chip and PIN Cards1.4 Summary
Card Anatomy: The Essentials2.1 Payment Cards: Types of Cards2.1.1 Payment Card with Magnetic Stripe2.1.1.1 Magnetic Stripe Cards: A Brief History2.1.1.2 Magnetic-Stripe Coercivity2.1.1.3 Magnetic Stripe: A Primer on Data Sets2.1.2 Chip and PIN Cards2.2 Payment Cards: An Anatomy2.2.1 Payment Card: External Visage (Front)2.2.1.1 The Card Issuer’s Logo2.2.1.2 The Payment Brand Logo and Hologram2.2.1.3 The Card Number (PAN)2.2.1.4 The Expiration Date2.2.1.5 The Cardholder’s Name2.2.2 Payment Card: External Visage (Back)2.2.2.1 The Magnetic Stripe2.2.2.2 Signature Strip2.2.2.3 The CVV2.2.2.4 Service Disclaimer2.2.2.5 Bank Address and Contact Details2.2.2.6 Customer Service Information2.3 Data Sets: Payment Card2.3.1 Track 1 Data2.3.2 Track 2 Data2.3.3 Track 3 Data2.4 Payment Card: Terminology2.4.1 The Payment Card Processing Cycle2.4.2 Merchants2.4.3 Acquirers2.4.4 Payment Networks2.4.5 Issuers2.4.6 Processors2.4.7 Other Service Providers2.4.8 Independent Sales Organizations2.5 Payment Card Transactions2.5.1 Card-Present Transaction2.5.2 Card-Not-Present Transaction2.5.3 Open-Loop Payment Systems2.5.4 Closed-Loop Payment Systems2.6 Summary
Security and the Payment-Card Industry3.1 A Brief History of Credit Card Fraud3.2 A Brief History of Significant Card Data Breaches3.2.1 The CardSystems Breach3.2.2 The T.J. Maxx Card Breach3.2.3 The Heartland Payment Systems Breach3.2.4 The Sony Playstation Network Breach3.3 Cardholder Security Programs3.3.1 Card Brand Cardholder Security Programs3.3.2 The Formation of the PCI-DSS and PCI-SSC3.3.3 Structure of the PCI Standards3.3.4 The PCI Assessment Environment3.3.4.1 PCI-QSAs and PCI-QSACs3.3.4.2 The PCI ASV (Approved Scanning Vendor)3.3.4.3 The PCI Internal Security Assessor3.3.4.4 The PCI Special-Interest Groups3.3.5 Payment Application Compliance3.3.5.1 PCI’s PA-DSS3.3.5.2 PA-QSA and PA-QSAC3.4 Summary
Payment Card Industry Data Security Standard (PCI-DSS)4.1 Brief History of the PCI-DSS4.2 PCI Compliance Levels: Payment Brands4.2.1 Payment Brand Compliance Programs and PCI-DSS4.2.2 Compliance Levels and Compliance Requirements4.2.2.1 Visa Merchant and Service Provider Validation Levels4.2.2.2 MasterCard Merchant and Service Provider Validation Levels4.2.2.3 American Express Merchant and Service Provider Compliance Validation Levels4.2.2.4 Compliance Validation Levels: Identification and Implementation4.3 PCI-DSS: Applicability4.3.1 Applicability of PCI Compliance and Interplay with Compliance Validation Requirements4.3.2 Merchant Organizations4.3.3 Service Providers: Processors4.3.4 Service Providers: Everybody Else4.3.5 Cloud Service Providers4.4 PCI: Attestation, Assessment, and Certification4.4.1 The Role of a PCI-QSA4.4.2 The PCI-DSS Requirements4.4.3 Compensatory Controls4.4.4 Documentation: The Report on Compliance4.4.5 Documentation: The Attestation of Compliance4.5 Summary
The Payment Application Data Security Standard (PA-DSS)5.1 History and Overview of the PA-DSS5.1.1 The Need for Payment Application Validation for PCI5.1.2 A Brief History of the PA-DSS5.1.3 Primer on the PA-DSS Standard5.1.3.1 The PA-DSS Requirements5.2 PA-DSS Validation5.2.1 The PA-DSS Validation Process5.2.2 The Differences in PCI-DSS and PA-DSS Validation5.2.3 Technical Testing and Validation for the PA-DSS5.2.4 The Role of a PA-QSA5.3 PA-DSS Documentation5.3.1 The PA-DSS Report on Validation5.3.2 The PA-DSS Implementation Guide5.3.3 The PA-DSS Attestation of Validation5.3.4 The PA-DSS Vendor Release Agreement5.4 PA-DSS Application Revalidation5.4.1 Annual Revalidation5.4.2 Changes to Payment Applications5.4.2.1 No-Impact Change5.4.2.2 Low-Impact Change5.4.2.3 High-Impact Change5.4.3 Change-Impact Documentation5.4.3.1 No-Impact Change-Impact Documentation5.4.3.2 Low-Impact Change-Impact Documentation5.4.3.3 High-Impact Change-Impact Documentation5.5 Summary
Enterprise Approach to PCI Compliance6.1 Industry Verticals and PCI Compliance6.1.1 PCI Approaches for Different Industry Verticals6.1.1.1 Basic Business Function6.1.1.2 Cardholder Information Touch Points6.1.1.3 The Organization Itself6.1.2 Merchants6.1.3 Service Providers6.1.3.1 Issuing TPPs6.1.3.2 Acquiring TPPs6.1.4 Banks6.1.5 Other Service Providers6.2 Enterprise Challenges: PCI Compliance6.2.1 Information Overload: A Perspective6.2.2 Knowledge of the Team6.2.3 Management Impetus6.2.4 Budgetary Constraints6.2.5 Technical Constraints6.3 Good Practices: To Get PCI-Compliant6.3.1 PCI Taskforce6.3.2 Create a Defined Scope6.3.3 Don’t Focus on PCI Compliance6.3.4 Understand Risk—Always6.3.5 Pick the Right QSA6.4 Good Practices for Application Vendors: PA-DSS6.4.1 Security from Incipiency6.4.2 Document, Document, Document6.4.3 Scope Out6.5 Summary
Scoping for PCI Compliance7.1 Scoping for PCI Compliance: A Primer7.2 The Cardholder-Data Environment (CDE)7.2.1 Defining the Cardholder-Data Environment7.2.2 Cardholder-Data Flow7.2.3 Cardholder-Data Matrix7.2.3.1 ATM Card Processing: Acquiring7.2.3.2 Card-Issuing Function7.2.3.3 POS Billing and Merchant Acquisition7.2.3.4 Fraud-Management Services7.2.3.5 Cardholder Customer Service Management7.2.3.6 Identifying Cardholder Data7.2.4 The Role of the PCI-QSA in the CDE7.3 Tips for Scope Reduction7.3.1 Why Reduce Scope?7.3.2 Network Segmentation7.3.3 Scoping Out E-Commerce Applications7.3.4 Tokenization and Other Data-Protection Techniques7.4 System Components in the PCI Scope7.4.1 Network and Network Components7.4.2 Servers and OS Components7.4.3 Applications7.5 Summary
Requirement 1: Build and Maintain a Secure Network8.1 Network Security: A Primer8.1.1 Network Security Architecture: Enterprise8.1.2 Network Architecture: Scoping Out8.1.2.1 Benefits of Scoping Out with Network Segmentation8.1.2.2 Common Resources8.1.2.3 Technology: Network Segmentation8.2 Network Security Requirements for PCI8.2.1 The Network Security Documentation8.2.1.1 Requirement 1.1: Firewall and Router Configuration Standards8.2.1.2 PCI Assessor’s Notes: Requirement 1.18.2.2 Network Components: Firewalls, Routers, and Other Network Components8.2.2.1 Firewall and Router Specifications and Configurations8.2.3 The Demilitarized Zone (DMZ)8.2.3.1 PCI Requirements Relating to the DMZ8.2.4 The Role of Managed Services8.3 Summary

Requirement 2: Vendor-Supplied Defaults, System Passwords, and Security Parameters9.1 Vendor-Supplied Default Passwords9.1.1 Configuration Standards and Vendor-Supplied Default Passwords and Security Parameters9.1.1.1 Requirement 2.1: Change Vendor-Supplied Default Passwords9.1.1.2 Requirement 2.2: Configuration Standards for System Components9.1.1.3 Requirement 2.2.1: One Primary Function per Server9.1.1.4 Insecure Protocols and Services9.1.1.5 Requirements 2.2.3 and 2.2.4 Security Parameters: To Prevent Misuse9.1.2 Nonconsole Administrative Access9.1.3 Wireless Security Consideration: Vendor-Supplied Defaults9.2 PA-DSS: Application Requirements for Vendor-Supplied Defaults and Security Parameters9.2.1 Payment Application Vendor-Supplied Defaults9.2.1.1 Requirement 3.1b of the PA-DSS9.2.1.2 Requirement 5.1.3 of the PA-DSS9.2.2 Secure Network Implementation: Payment Applications9.2.2.1 Requirement 5.4 of the PA-DSS9.2.2.2 Requirement 8.1 of the PA-DSS9.2.2.3 Requirement 6 of the PA-DSS: Wireless Security Requirements9.3 Summary
Requirement 3: Protect Stored Cardholder Data10.1 Storage, Retention, and Destruction of Stored Cardholder Data10.1.1 Do You Really Need to Store Cardholder Data?10.1.2 Policies and Procedures around Storage of Cardholder Data10.2 Requirement 3.2: Sensitive Authentication Data at Rest10.2.1 Authentication Parameters: Concept Overview10.2.1.1 CVV/CVC/CAV1&210.2.1.2 PIN Verification Value (PVV) and PIN Offset10.2.1.3 PIN/PIN Block10.2.2 Authentication Parameters10.2.3 Issuers and Storage of Sensitive Authentication Data10.2.4 Requirement 3.2: Assessment Notes10.3 Display of the Card PAN10.4 Requirement 3.4: Rendering the PAN Unreadable wherever Stored10.4.1 An Overview of Techniques to Render the PAN Unreadable10.4.1.1 Use of One-Way Hashing10.4.1.2 One-Way Hashing Algorithms and Security Considerations10.4.1.3 Use of Truncation10.4.1.4 Use of Tokenization10.4.1.5 Use of Strong Cryptography10.4.2 Rendering the PAN Unreadable Everywhere It Is Stored10.5 Cryptography: Terminology and Concept Review10.5.1 Cryptosystem10.5.2 Key and Keyspace10.5.3 Initialization Vector10.5.4 Symmetric and Asymmetric Cryptography10.5.5 Block Ciphers and Stream Ciphers10.5.6 Block Cipher Modes of Encryption10.5.6.1 Electronic Code Book10.5.6.2 Cipher Block Chaining10.5.6.3 Cipher Feedback10.5.6.4 Output Feedback10.5.6.5 Counter10.6 Requirements 3.5 and 3.6: Key Security and Key Management10.6.1 Key-Management Considerations: Enterprises10.6.2 Key-Management Practices for Banks and Acquiring and Issuing TPPs10.6.2.1 Hardware Security Module (HSM)10.6.2.2 Local Master Key10.6.2.3 Zone-Control Master Keys10.6.2.4 PIN Working Keys10.6.2.5 PIN Verification Key10.6.2.6 Message Authentication Keys10.6.2.7 Card Verification Keys10.6.2.8 Derived Unique Key per Transaction (DUKPT)10.6.3 Principles of Encryption and Key Management for Protecting the Stored PAN10.6.3.1 Secure Key Generation10.6.3.2 Single-Purpose Cryptographic Keys10.6.3.3 Secure Key Storage10.6.3.4 Secure Key Distribution and Exchange10.6.3.5 Cryptoperiod and Key Changes10.6.3.6 Dual-Key Management for Manual Cryptography10.7 Summary
Requirement 4: Securing Cardholder Information in Transit11.1 Requirement 4.1: Secure Transmission of Cardholder Information over Open, Public Networks11.1.1 Open, Public Networks: A PCI Viewpoint11.1.2 Secure Protocols11.1.2.1 HTTPS with SSL/TLS11.1.2.2 Secure Shell (SSH)11.1.2.3 IPSec VPN11.1.3 Requirement 4.1.1: WiFi Security Practices for Cardholder Data Transmissions11.2 Requirement 4.2: Unprotected PANs over End-User Messaging Technologies11.3 Summary
Requirement 5: Use and Regularly Update Antivirus Software12.1 Requirement 5.1: Use of Antivirus Programs to Protect Commonly Affected Systems12.1.1 Antivirus Deployment within the PCI Environment (CDE)12.2 Requirement 5.2: Managing the Antivirus Application12.2.1 Managing and Monitoring the Antivirus Application for PCI Compliance12.3 Commercial Applications: Antivirus Requirements12.4 Summary
Requirement 6: Develop and Maintain Secure Systems13.1 Requirement 6.1: Patch-Management Practices for PCI Compliance13.1.1 Patch Management for PCI Compliance13.1.2 Approaches to Patching and Patch Management13.1.2.1 Change-Management Process of System Patch Deployment13.1.3 Risk-Based Approach to Patch Management13.1.4 Assessor’s Notes for Verifying Patch-Management Practices13.2 Requirement 6.2: Vulnerability-Management Practices for PCI Compliance13.3 Secure Application Development Practices for PCI-DSS and PA-DSS13.3.1 Requirement 6.3: Secure SDLC for Application Development13.3.1.1 The Risk-Assessment Approach to Secure SDLC13.3.1.2 Requirement 6.3.1: Removal of Default User Accounts, IDs, and Passwords13.3.1.3 Requirement 6.3.2: Custom Code Review for Security13.3.2 Requirement 6.4: Application Change Management and Change Control13.3.2.1 Requirement 6.4.5: Change-Management Document and the Essentials of Change Control and Change Management13.3.2.2 Requirements 6.4.2 and 6.4.3: Separation of Production, Development, and Test Environments13.3.2.3 Requirement 6.4.3: Use of Live PANs for Testing13.3.2.4 Requirement 6.4.4: Removal of Test Data in Production13.4 Requirement 6.5: Secure Coding Guidelines for Applications13.4.1 Secure Coding Guidelines: References and Best Practices13.4.2 Requirement 6.5.1: Secure Coding to Address Injection Flaws13.4.2.1 SQL Injection13.4.2.2 XPath Injection13.4.2.3 LDAP Injection13.4.2.4 Command Injection13.4.3 Requirement 6.5.2: Secure Coding to Address Buffer Overflows13.4.4 Requirement 6.5.3: Secure Coding to Address Cryptographic Flaws13.4.4.1 Cryptography Essentials13.4.5 Requirement 6.5.4: Secure Coding to Address Insecure Transmissions13.4.5.1 The SSL/TLS Handshake Process13.4.5.2 Implementation Best Practices for Secure Transmission: Web Applications13.4.6 Requirement 6.5.5: Secure Coding to Address Improper Error Handling13.4.7 Requirement 6.5.6: Remediation Measures to Address High-Severity Vulnerabilities13.4.8 Requirement 6.5.7: Secure Coding to Address Cross-Site Scripting13.4.8.1 Reflected XSS13.4.8.2 Persistent XSS13.4.9 Requirement 6.5.8: Secure Coding to Address Flawed Access Control13.4.9.1 Session Hijacking13.4.9.2 Cross-Site Request Forgery13.4.9.3 Session Fixation13.4.9.4 Forceful Browsing13.4.10 Requirement 6.5.9: Secure Coding to Address Cross-Site Request Forgery13.5 Ongoing Vulnerability-Management Practices for Web Applications13.5.1 Web-Application Vulnerability Assessments13.5.2 Usage of a Web-Application Firewall13.6 Summary
Requirement 7: Restrict Access to Cardholder Data by Business Need to Know14.1 Requirement 7.1: Restrict Access to Systems with Cardholder Data14.1.1 Access Restrictions across the PCI Environment14.1.2 The Principle of Least Privilege14.1.3 Documentation of Approval: Access Privileges14.1.4 Automated Access-Control System14.2 Summary
Requirement 8: Access-Control Requirements for PCI Environments15.1 Unique IDs for Users: PCI Environment15.1.1 Requirement 8.1: Assign Unique IDs to Users in PCI Environment15.2 Factors of Authentication15.2.1 The Three Factors of Authentication Supplementing User IDs15.2.1.1 Something You Know: Knowledge Factors15.2.1.2 Something You Are: Physical Factors15.2.1.3 Something You Have: Physical Token Parameters15.2.2 Two-Factor Authentication: Remote Access15.3 Protection of Passwords: Transmission and Storage15.3.1 Protection of Passwords in Transit15.3.2 Protection of Passwords at Rest15.4 Authentication Management for PCI Environments15.4.1 Access-Control Procedure15.4.2 Requirement 8.5.1: Control of Operations on Access Control15.4.3 Requirement 8.5.2: Verification of User Identity (Password Resets)15.4.4 Requirement 8.5.3: Unique Password Value and First-Use Change15.4.5 Requirements 8.5.4 and 8.5.5: Revocation and Removal of User Access Rights15.4.5.1 Requirement 8.5.4: Revocation of User Access Rights Immediately after User Separation15.4.5.2 Requirement 8.5.5: Disabling User Accounts within 90 Days15.4.6 Requirement 8.5.6: Vendor Account Access Management15.4.7 Requirement 8.5.8: Prohibit Shared, Group, or Generic Accounts15.4.8 Requirements 8.5.9–8.5.15: Password Management for PCI Environments15.5 Database Access Requirements for PCI Environments15.5.1 Requirement 8.5.16: Database Authentication Requirements15.6 PA-DSS Requirements for Authentication15.6.1 Requirement 8 of PCI and Requirement 3 of the PA-DSS15.7 Summary
Requirement 9: Restrict Physical Access to Cardholder Data16.1 Requirement 9.1: Physical Access Controls for the PCI Environment16.1.1 Requirement 9.1.1: Use of Cameras and/or Access-Control Mechanisms16.1.2 Requirement 9.1.2 and 9.1.3: Restrict Physical Access to Network Components16.1.2.1 The Dangers of Visitor Network Access16.1.2.2 Protection Strategies for Visitor Network Access16.1.2.3 Requirement 9.1.3: Physical Protection for Network Devices16.2 Requirements 9.2, 9.3, and 9.4: Employee and Visitor Access16.2.1 Visitor-Management Procedure16.2.1.1 Visitor Access and Employee Access Distinctions16.2.1.2 Granting Visitor Access16.2.1.3 Visitor Access Privileges and Restrictions16.2.1.4 Revocation of Visitor and Employee Access16.2.1.5 Access to Badge System/Physical Access-Control System16.2.1.6 Visitor Distinction16.2.1.7 Visitor Access Records16.3 Requirements 9.5–9.10: Media Management and Security16.3.1 Requirement 9.5: Physical Security—Off-Site Media Backup Location16.3.1.1 The Need for Off-Site Backup16.3.1.2 Security Controls: Off-Site Backup16.3.2 Requirements 9.9 and 9.10: Media Destruction16.4 Summary
Requirement 10: Logging and Monitoring for the PCI Standards17.1 Audit Trails: PCI Requirements17.1.1 The Need for Audit Trails and Logs17.1.2 Challenges: Log Management17.1.2.1 Distributed Event Logs17.1.2.2 Volume of Log Entries17.1.2.3 Nonstandard Logging Practices17.1.2.4 Multiple Tools17.1.2.5 People Intensive17.1.3 Access-Control Link: Audit Trails17.2 Details: Audit Trail Capture17.2.1 Audit Logs: Details17.2.1.1 Individual Access to Cardholder Data17.2.1.2 Actions by Root or Administrative Users17.2.1.3 Access to Audit Trails17.2.1.4 Invalid Access Attempts17.2.1.5 Use of Identification and Authentication Mechanisms17.2.1.6 Initialization of Audit Logs17.2.1.7 Creation of System-Level Objects17.2.2 Audit-Trail Entries and Records17.2.2.1 User Identification17.2.2.2 Type of Event17.2.2.3 Date and Time17.2.2.4 Indication of Success or Failure17.2.2.5 Origination of Event17.2.2.6 Identification of Affected System, Resource, or Component17.2.3 Application Logging Best Practices17.3 The Importance of Time and Its Consistency17.3.1 Time Sync across IT Components17.3.2 Network Time Protocol for Time Synchronization17.4 Securing Audit Trails and Logs17.4.1 Business Need to Know: Logs and Audit Trails17.4.2 Securing Log Information17.4.2.1 Strong Access Control17.4.2.2 System Hardening17.4.2.3 Centralized Log Server17.4.2.4 File-Integrity Monitoring17.5 Log Monitoring, Review, and Retention17.5.1 Requirement 10.6: Log Review and Monitoring17.5.2 Requirement 10.7: Log Retention17.6 Summary
Requirement 11: Security Testing for the PCI Environment18.1 Wireless Access Point: Testing18.1.1 Testing for Rogue/Unauthorized Wireless Access Points18.1.1.1 Wireless Network Scanning18.1.1.2 Physical Inspection18.1.1.3 Network Access Control18.1.1.4 Wireless IDS/IPS Deployment18.2 Internal and External Network Vulnerability Scanning18.2.1 Vulnerability Scanning: Concept Note18.2.1.1 Vulnerability Categorization18.2.1.2 Vulnerability Scanning: Methodology18.2.2 Internal and External Network Vulnerability Scanning18.2.2.1 Internal and External Vulnerability Scanning18.2.2.2 Network Vulnerability Scanning18.2.3 Scanning by PCI-Approved Scanning Vendor (ASV)18.3 Internal and External Penetration Testing18.3.1 Fundamental Differences: Vulnerability Assessment and Penetration Testing18.3.1.1 Why Perform a Penetration Test?18.3.2 Network-Layer Penetration Tests18.3.3 Application-Layer Penetration Testing18.4 Deployment of Intrusion Detection/Prevention Devices or Applications18.4.1 Intrusion Detection/Prevention Systems: An Overview18.4.1.1 Signature Based18.4.1.2 Statistical-Based Anomaly Detection18.4.1.3 Stateful Protocol Analysis Detection18.4.2 PCI Requirement: Intrusion Detection/Prevention System18.5 File-Integrity Monitoring: Critical System Files and Configurations18.5.1 Attacks: Key System Files18.5.2 File-Integrity Monitoring: Critical System Files, Processes, and Content Files18.6 Summary
Requirement 12: Information Security Policies and Practices for PCI Compliance19.1 Information Security Policy: PCI Requirements19.1.1 Security Policy Definition19.1.2 Risk Assessment: PCI Compliance19.1.2.1 A Question of Adequacy19.1.2.2 Risk Assessment: Process and Overview19.1.3 Annual Review: Policy and Risk-Management Framework19.2 Operational Security Procedures19.2.1 Security Focus Areas19.2.2 Acceptable Usage Policies and Procedures19.2.2.1 List of Acceptable Technologies, Applications, and Devices19.2.2.2 Explicit Approval for Technology Usage19.2.2.3 Inventory and Labeling19.2.2.4 Authentication for the Use of Technology19.2.2.5 Acceptable Usage19.3 Security Roles and Responsibilities19.3.1 Documentation: Roles and Responsibilities19.3.1.1 The Chief Information Security Officer19.3.1.2 Distribution of Policies and Procedures and Monitoring of Security Alerts19.3.1.3 User Management: Roles and Responsibilities19.4 People Security Practices19.4.1 Security Awareness Training and Monitoring19.4.2 Employee Background Verification19.5 Vendor Management and PCI Compliance19.5.1 Vendors: Data Sharing and Risk Management19.6 Incident Management and Incident Response19.6.1 Incident-Response Plans and Procedures19.6.1.1 Elements of Incident-Response Plan19.6.1.2 Incident-Response Success Factors19.7 Summary
Beyond PCI Compliance20.1 Maintaining PCI Compliance: The Challenge20.1.1 The Challenge: The Dilemma Produced by Success20.1.1.1 The Information Problem20.1.1.2 The Technology Challenge20.1.1.3 Management Attitude20.2 Success Factors for Continuing PCI Compliance20.2.1 A Change of Attitude20.2.2 Deep Understanding of Risk and Its Application20.2.3 The CISO20.3 Summary
What’s New in PCI-DSS v 3.0?A1 – Current Network Diagram with Cardholder Data FlowsA2 – Inventory of System Components in the PCI Scoped EnvironmentA3 – Malware Protection for Uncommon System ComponentsA4 – Enhanced List of Secure Coding GuidelinesA5 – Clarifications for Multiple Authentication FactorsA6 – Protection of Physical POS DevicesA7 – Penetration Testing for Segmentation and Scope ReductionA8 – Vendor PCI Compliance

Content preview from PCI Compliance

Chapter 19

Requirement 12

Information Security Policies and Practices for PCI Compliance

The foundations of an enduring security practice rest with the organization’s policies, procedures, and risk-management framework. Most of what we have discussed in the rest of the book is largely operational and technical security. However, there needs to be a binding frame that ensures that good security practices are consistent, repeatable, and measurable. This chapter focuses on Requirement 12 of the PCI-DSS. This requirement details the need for a binding security policy and operational security procedures. I will also explore an oft-forgotten but extremely important aspect of PCI compliance—risk assessment. We will understand how organizations should ...