
PCI Compliance The Definitive Guide




Availability: Not available or out of stock at the publisher


PRICE
56,10 €




Details

Genre: Book
Language: English
Publication: 05/2014
Edition: 1st edition





Publisher's Note

Although organizations that store, process, or transmit cardholder information are required to comply with payment card industry standards, most find it extremely challenging to comply with and meet the requirements of these technically rigorous standards. PCI Compliance: The Definitive Guide explains the ins and outs of the payment card industry (PCI) security standards in a manner that is easy to understand. This step-by-step guidebook delves into PCI standards from an implementation standpoint. It begins with a basic introduction to PCI compliance, including its history and evolution. It then thoroughly and methodically examines the specific requirements of PCI compliance. PCI requirements are presented along with notes and assessment techniques for auditors and assessors. The text outlines application development and implementation strategies for Payment Application Data Security Standard (PA-DSS) implementation and validation. Explaining the PCI standards from an implementation standpoint, it clarifies the intent of the standards on key issues and challenges that entities must overcome in their quest to meet compliance requirements. The book goes beyond detailing the requirements of the PCI standards to delve into the multiple implementation strategies available for achieving PCI compliance. The book includes a special appendix on the recently released PCI-DSS v3.0. It also contains case studies from a variety of industries undergoing compliance, including banking, retail, outsourcing, software development, and processors. Outlining solutions extracted from successful real-world PCI implementations, the book ends with a discussion of PA-DSS standards and validation requirements.




Table of Contents

Payment-Card Industry: An Evolution
The Development of a System: The Coming of the Credit Card
The Need for Credit: A Historical Perspective
Credit in the Mesopotamian Civilization
Credit in the Era of Coins and Metal Bullion (800 BC to AD 600)
The Rise of Virtual Money Transactions (AD 600 to AD 1500)
The Reemergence of Coins and Precious Metal Currency (1500–1971)
The Rise of Debt (1971 Onwards)
The Need for Credit
The Credit Card: A Means to Address the Need for Credit
The History of the Credit Card
The First Credit Cards
The Development of a Credit Card Industry
Debit Cards and Automated Teller Machines
The Coming of the Debit Card
The Automated Teller Machine
E-Commerce and Online Payments
The Future of Payments
Trends for the Future of Payments
Mobile Payments
Contactless Payments
Chip and PIN Cards
Summary
Card Anatomy: The Essentials
Payment Cards: Types of Cards
Payment Card with Magnetic Stripe
Magnetic Stripe Cards: A Brief History
Magnetic Stripe Coercivity
Magnetic Stripe: A Primer on Data Sets
Chip and PIN Cards
Payment Cards: An Anatomy
Payment Card: External Visage (Front)
The Card Issuer's Logo
The Payment Brand Logo and Hologram
The Card Number (PAN)
The Expiration Date
The Cardholder's Name
Payment Card: External Visage (Back)
The Magnetic Stripe
Signature Strip
The CVV
Service Disclaimer
Bank Address and Contact Details
Customer Service Information
Data Sets: Payment Card
Track 1 Data
Track 2 Data
Track 3 Data
Payment Card: Terminology
The Payment Card Processing Cycle
Merchants
Acquirers
Payment Networks
Issuers
Processors
Other Service Providers
Independent Sales Organizations
Payment Card Transactions
Card-Present Transaction
Card-Not-Present Transactions
Open-Loop Payment Systems
Closed-Loop Payment Systems
Summary
Security and the Payment-Card Industry
A Brief History of Credit Card Fraud
A Brief History of Significant Card Data Breaches
The CardSystems Breach
The TJ-Maxx Card Breach
The Heartland Payment Systems Breach
The Sony Playstation Network Breach
Cardholder Security Programs
Card Brand Cardholder Security Programs
The Formation of the PCI-DSS and PCI-SSC
Structure of the PCI Standards
The PCI Assessment Environment
PCI-QSAs and PCI-QSACs
The PCI ASV (Approved Scanning Vendor)
The PCI Internal Security Assessor
The PCI Special-Interest Groups
Payment Application Compliance
PCI's PA-DSS
PA-QSA and PA-QSAC
Summary
Payment Card Industry Data Security Standard (PCI-DSS)
Brief History of the PCI-DSS
PCI Compliance Levels: Payment Brands
Payment Brand Compliance Programs and PCI-DSS
Compliance Levels and Compliance Requirements
Visa Merchant and Service Provider Validation Levels
MasterCard Merchant and Service Provider Validation Levels
American Express Merchant and Service Provider Compliance Validation Levels
Compliance Validation Levels: Identification and Implementation
PCI-DSS: Applicability
Applicability of PCI Compliance and Interplay with Compliance Validation Requirements
Merchant Organizations
Service Providers: Processors
Service Providers: Everybody Else
Cloud Service Providers
PCI: Attestation, Assessment, and Certification
The Role of a PCI-QSA
The PCI-DSS Requirements
Compensatory Controls
Documentation: The Report on Compliance
Documentation: The Attestation of Compliance
Summary
The Payment Application Data Security Standard (PA-DSS)
History and Overview of the PA-DSS
The Need for Payment Application Validation for PCI
A Brief History of the PA-DSS
Primer on the PA-DSS Standard
The PA-DSS Requirements
PA-DSS Validation
The PA-DSS Validation Process
The Differences in PCI-DSS and PA-DSS Validation
Technical Testing and Validation for the PA-DSS
Role of a PA-QSA
PA-DSS Documentation
The PA-DSS Report on Validation
The PA-DSS Implementation Guide
The PA-DSS Attestation of Validation
The PA-DSS Vendor Release Agreement
PA-DSS Application Revalidation
Annual Revalidation
Changes to Payment Applications
No-Impact Change
Low-Impact Change
High-Impact Change
Change-Impact Documentation
No-Impact Change-Impact Documentation
Low-Impact Change-Impact Documentation
High-Impact Change-Impact Documentation
Summary
Enterprise Approach to PCI Compliance
Industry Verticals and PCI Compliance
PCI Approaches for Different Industry Verticals
Basic Business Function
Cardholder Information Touch Points
The Organization Itself
Merchants
Service Providers
Issuing TPPs
Acquiring TPPs
Banks
Other Service Providers
Enterprise Challenges: PCI Compliance
Information Overload: A Perspective
Knowledge of the Team
Management Impetus
Budgetary Constraints
Technical Constraints
Good Practices: To Get PCI Compliant
PCI Taskforce
Create a Defined Scope
Don't Focus on PCI Compliance
Understand Risk—Always
Pick the Right QSA
Good Practices for Application Vendors: PA-DSS
Security from Incipiency
Document, Document, Document
Scope Out
Summary
Scoping for PCI Compliance
Scoping for PCI Compliance: A Primer
The Cardholder-Data Environment (CDE)
Defining the Cardholder-Data Environment
Cardholder-Data Flow
Cardholder-Data Matrix
ATM Card Processing: Acquiring
Card-Issuing Function
POS Billing and Merchant Acquisition
Fraud-Management Services
Cardholder Customer Service Management
Identifying Cardholder Data
The Role of the PCI-QSA in the CDE
Tips for Scope Reduction
Why Reduce Scope?
Network Segmentation
Scoping Out E-Commerce Applications
Tokenization and Other Data-Protection Techniques
System Components in the PCI Scope
Network and Network Components
Servers and OS Components
Applications
Summary
Requirement 1: Build and Maintain a Secure Network
Network Security: A Primer
Network Security Architecture: Enterprise
Network Architecture: Scoping Out
Benefits of Scoping Out with Network Segmentation
Common Resources
Technology: Network Segmentation
Network Security Requirements for PCI
The Network Security Documentation
Requirement 1.1: Firewall and Router Configuration Standards
PCI Assessor's Notes: Requirement 1.1
Network Components: Firewalls, Routers, and Other Network Components
Firewall and Router Specifications and Configurations
The Demilitarized Zone (DMZ)
PCI Requirements Relating to the DMZ
The Role of Managed Services
Summary
Requirement 2: Vendor-Supplied Defaults, System Passwords, and Security Parameters
Vendor-Supplied Default Passwords
Configuration Standards and Vendor-Supplied Default Passwords and Security Parameters
Requirement 2.1: Change Vendor-Supplied Default Passwords
Requirement 2.2: Configuration Standards for System Components
Requirement 2.2.1: One Primary Function per Server
Insecure Protocols and Services
Requirements 2.2.3 and 2.2.4
Security Parameters: To Prevent Misuse
Nonconsole Administrative Access
Wireless Security Consideration: Vendor-Supplied Defaults
PA-DSS: Application Requirements for Vendor-Supplied Defaults and Security Parameters
Payment Application Vendor-Supplied Defaults
Requirement 3.1b of the PA-DSS
Requirement 5.1.3 of the PA-DSS
Secure Network Implementation: Payment Applications
Requirement 5.4 of the PA-DSS
Requirement 8.1 of the PA-DSS
Requirement 6 of the PA-DSS: Wireless Security Requirements
Summary
Requirement 3: Protect Stored Cardholder Data
Storage, Retention, and Destruction of Stored Cardholder Data
Do You Really Need to Store Cardholder Data?
Policies and Procedures around Storage of Cardholder Data
Requirement 3.2: Sensitive Authentication Data at Rest
Authentication Parameters: Concept Overview
CVV/CVC/CAV1&2
PIN Verification Value (PVV) and PIN Offset
PIN/PIN Block
Authentication Parameters
Issuers and Storage of Sensitive Authentication Data
Requirement 3.2: Assessment Notes
Display of the Card PAN
Requirement 3.4: Rendering the PAN Unreadable Wherever Stored
An Overview of Techniques to Render the PAN Unreadable
Use of One-Way Hashing
One-Way Hashing Algorithms and Security Considerations
Use of Truncation
Use of Tokenization
Use of Strong Cryptography
Rendering the PAN Unreadable Everywhere It Is Stored
Cryptography: Terminology and Concept Review
Cryptosystem
Key and Keyspace
Initialization Vector
Symmetric and Asymmetric




Author

Abhay Bhargav is the founder and chief technical officer of the we45 Group, a Bangalore-based information security solutions company. He has extensive experience with information security and compliance, having performed security assessments for many enterprises in various domains, such as banking, software development, retail, telecom, and legal. He is a qualified security assessor (QSA) for the payment-card industry and has led several security assessments for payment-card industry compliance. He is also the coauthor of Secure Java for Web Application Development, published by CRC Press.

Abhay is a specialist in Web-application security with broad experience in vulnerability assessment and penetration testing, and he has served as a consultant for a wide array of enterprises and governmental/quasi-governmental entities. He was recently awarded the prestigious SANS Certified GIAC Web Application Penetration Tester certification. He has been interviewed by leading media outlets for his expertise on information security, particularly application security.

Abhay is a regular speaker at industry events. He was a featured speaker at the JavaOne Conference in September 2010 at the Moscone Center in San Francisco. He also regularly speaks at OWASP (Open Web Application Security Project) conferences around the world, notably in New York at the world's largest application security conference, the OWASP AppSec Conference, in September 2008. He has also spoken at various other conferences and seminars, such as the PCI summit in Mumbai in December 2008. He is a regular speaker at industry events such as the Business Technology Summit and events organized by the Confederation of Indian Industry (CII). He has also delivered several talks to government entities and their stakeholders on information security and application security.

He is also a trainer in information security and has led several public workshops on PCI, PA-DSS, and risk assessment. Abhay is well versed in risk assessment and risk management, with rich consulting experience in the OCTAVE® Risk Assessment and NIST SP 800-30 methodologies. His expertise also extends to providing solutions on information security based on the ISO-27001, HIPAA, SOX, GLBA, and other security-compliance standards. Previously, Abhay was the leader of application security and PCI compliance at SISA Information Security Pvt Ltd. Prior to that, he was involved in implementing enterprise IT solutions for various verticals, including manufacturing and retail. He has developed various business applications in Java and proprietary object-oriented programming languages such as TDL. He has also written various articles on application security and security compliance. Apart from his professional interests, Abhay is also a trained Carnatic classical flutist and has delivered several concerts. He is also a theater enthusiast and playwright with an English comedy play to his writing credits. He blogs actively and maintains a security blog and a personal blog. He also writes a weekly article on computer education in a leading Kannada daily newspaper for the rural youth.










Other Information

ISBN: 9781439887400
Condition: New
Dimensions: 10 x 7 in; 1.85 lb
Format: Hardcover
Illustration Notes: 68 b/w images and 11 tables
Pages (Arabic-numbered): 351

