Index
A
Access Control Entities (ACEs), 84
Access Control Lists (ACLs), 84
authentication
basics of, Requirement, , 76–84
and Requirements 8.5.1–8.5.7, 79–81
case study
loose permissions case, 99–100
stolen database case, 98–99
Cisco enforcing session timeout, 90–91
databases and Requirement 8.5.16, 83–84
locking users out, Requirements 8.5.13–8.5.15, 82–83
multifactor authentication, 77
password
design for PCI DSS, Requirements 8.5.8–8.5.12, 82
password complexity requirements, 89–90, 82
PCI compliant access controls, 94
PCI DSS requirements, 73–94
facility entry controls, 91
handling media, Requirements 9.5–9.10.2, 93–94
handling visitors, Requirements 9.2–9.4, 92–93
vulnerable area protection, 91–92
POSIX access control, 88–90
random password for users, 97
rendering passwords unreadable, 78–79
setting up SSH in Cisco environment, 90–91
user’s access, Requirement, , 75–76
two-factor authentication and Requirement 8.3, 77–78
windows and PCI compliance, 84–88
enabling password protected screen savers, 87
inactive accounts in active directory, 86
password requirement enforcement, 86–87
setting file permissions, 87–88
windows file access control, 84–86
See also Network security
Access control systems, 89
Access lists (ACLs), 270, 57
Account lockout policy, 87
ACEs. See Access Control Entities
ACLs. See Access Control lists
in PCI payment ecosystem, 15
in PCI Validation Requirements submission, 315–316
Active directory. See Windows Active Directory
Advanced Encryption Standard (AES), 137–138
AES. See Advanced Encryption Standard
Albrecht Discount (ALDI),
Anti-Spoofing technology, 58
Antivirus software
automatic validation tools, 169–172
for malicious software, 156
PCI Requirement, , 150, 29
and Symantec AntiVirus, 200
AP. See Access point
Applicability of PCI DSS, 17–19
Application vulnerability assessment, 149–150
external vulnerability scanning with, 167
picking considerations, 167–172
automatic validation of PCI DSS controls, 169–172
avoiding blind selection, 167–168
group identification, 168
using same technology provider, 168
See also Qualified Security Assessor (QSA); Vulnerability management
Approved scanning vendors (ASVs), 312–314
setting up quarterly external network scans, 246–247
balancing remediation needs, 255–256
dealing with mistakes, 256–258
use of failed assessment, 256
ASVs. See Approved scanning vendors
Attestation of Compliance forms, 26
Audio/visual equipment (A/V equipment), 147
Auditors. See Assessors
Authentication, access control, 76–84
multifactor authentication, 77
two-factor authentication, 77–78
B
Bank Identification Number (BIN), 110
Base scoring metrics, 261
BIN. See Bank Identification Number
BitLocker Drive Encryption, 113
Botnets,
Brand security programs, 25
C
CA. See Certificate Authority
Capital Expenditure (CapEx), 272
Card scheme. See Card brand
Card transmission rules. See Misc card transmission rules
Cardholder data environment (CDE), 151–152
Cardholder data protection, 281–282
Cardholder Information Security Program (CISP), 23–24
CCO. See Chief compliance officer
Cellular data networks, recent advancement, 131
Certificate Authority (CA), 118
Chief compliance officer (CCO),
Chief information officer (CIO), 178
Chip & PIN technology, 294
CIA. See Confidentiality, integrity, and availability
CIP. See Critical Infrastructure Protection
Cisco and PCI requirements, 90
Cisco enforcing session timeout, 90–91
setting up SSH in Cisco environment, 90–91
Cisco ASA firewall device, 189
Client application vulnerability, half-life of, 180
Column-level encryption, 113–116
See also File-level encryption; Full-disk encryption (FDE)
Commercial off-the-shelf (COTS) software, 166
Common Gateway Interface (CGI), 123–124
Common Vulnerability and Exposures (CVE), 260
Common Vulnerability Scoring System (CVSS), 153, 260–262
newborn concierge case, 273–275
encryption requirements, 266
store network segmentation, 270
Compliance Acceleration Program (CAP), 236, 249
See also Visa Compliance Acceleration Program (CAP) Fines
Compliance achievement, PCI DSS
bringing key players, 237
compliance team formation, 238
corporate sponsorship, 237–238
roles and responsibilities of team, 238
budgeting time and resources, 239–242
goals and milestones establishment, 240–241
management’s expectations, 240
setting expectations, 240
justifying business case, 232–237
cost for noncompliance, 235–237
penalties for noncompliance, 235–237
PCI DSS prioritized approach, 248
project quickstart guide. See Project quickstart guide
company training on compliance, 242–243
compliance team training, 242
corporate compliance training program, 243–244
Compliance efforts,
in corporate compliance training program, 243
justifying business case, 232
Compliance team
Confidentiality, Integrity, and Availability triad (CIA triad), 104–105, 195
auditability component, 105
PCI DSS data protection, 106
Configuration standards development, 62–63
Confusing validation requirements case, 36
Continuing Professional Education (CPE), 287
Core operating system vulnerability, half-life of, 180
Corporate social responsibility (CSR), 321
Corporate sponsorship, obtaining of, 237–238, 245
Credit card acceptance risks, 224–225
Credit card fraud,
cyber-criminals, –
See also Identity theft; Personal data theft; Payment Card Industry Data Security Standard (PCI DSS)
Critical Infrastructure Protection (CIP),
Cross-border prosecution issues, –
Cross-site request forgery (CSRF), 161
Cross-site scripting (XSS), 161
Customer experience, payment schemes, 298
Cyber-criminals, –
D
DACs. See Discretionary Access Control Lists
DAM. See Database activity monitoring
Data acquisition and vulnerability management, 153
Data encryption
column-level encryption. See Column-level encryption
file-based versus full-disk encryption, 114
file-level encryption. See File-level encryption
folder-level encryption. See File-level encryption
full-disk encryption (FDE). See Full-disk encryption (FDE)
data encryption mistakes, 126–128
Data Loss Prevention (DLP), 41, 274
Data protection and requirement, 103–105
Data Security Standard (DSS), 54
Database activity monitoring (DAM), 187–188
Database Administrators (DBAs), 83–84, 115
Database encryption. See Column-level encryption
DatalossDB,
DBAs. See Database Administrators
Developing security program case, 35–36
Digital Subscriber Line (DSL), 69, 140
Discretionary Access Control Lists (DACs), 84, 272
Disk-only encryption, 268
DMZ. See De-Militarized Zone
Domain name server (DNS), 40, 63, 191
E
ECC. See Elliptical Curve Cryptography (ECC)
ED. See Expiration date
Electronic card payment ecosystem, 15–19
Elliptical Curve Cryptography (ECC), 137–138
E-mail scams,
Emerging technology. See Payment schemes, new; Europay, MasterCard, and Visa (EMV)
EMV technology. See Europay, MasterCard, and Visa (EMV)
Encrypted File System (EFS), 112
Environmental score metrics, 262
Europay, MasterCard, and Visa (EMV), 297
Europe vs US, payment schemes, 297–298
Events Per Second (EPS), 211
Expiration date (ED), 109
External vulnerability scanning, with ASV, 167
F
Facility entry controls, Requirement 9.1, 91
FC. See Format code
FDE. See Full-disk encryption
Federal Energy Regulatory Commission (FERC),
Federal Information Security Management Act (FISMA), –10
FERC. See Federal Energy Regulatory Commission
FHSS. See Frequency-Hopping Spread Spectrum
Field separation (FS), 109
File integrity monitoring, 182, 318
File permission
on Standalone Windows Computers, 87–88
File Transfer Protocol (FTP), 199
File-level encryption, 111–112
See also Column-level encryption; Full-disk encryption (FDE)
considerations for PCI DSS requirement, 58–60
Firewall configuration standards establishment, 54–66
configuration standards development, 62–63
connection restriction, 57–58
deleting unnecessary accounts, 62
denying traffic from untrusted networks, 56–57
firewall considerations for requirement, 58–60
firewall implementation, 56
non-console administrative access encryption, 65
shared hosted environment protection, 65–66
single purpose server implementation, 63–64
system security parameter configuration, 64–65
FISMA. See Federal Information Security Management Act
and compensating control, 265–266
Folder-level encryption. See File-level encryption
Free open-source database MySQL, 115
Frequency-Hopping Spread Spectrum (FHSS), 134, 142
Full-disk encryption (FDE), 112
file-level encryption vs, 114
See also Column-level encryption; File-level encryption
G
Gantter, planning software, 240
GanttProject, planning software, 240
General Mobile Radio Service (GMRS), 134, 142
General Packet Radio Service (GPRS), 118, 120
Global System for Mobile Communications (GSM), 118
GMRS. See General Mobile Radio Service
GNU Privacy Guard (GPG), 112
GnuPG. See GNU Privacy Guard (GPG)
GPO. See Group Policy Object
GPRS. See General Packet Radio Service
Gramm–Leach–Bliley Act of 1999 (GLBA), –10,
Group Policy Object (GPO), 84
GSM. See Global System for Mobile Communication
H
Hacking, –
“Hard-coding” secrets, 118
Health Insurance Portability and Accountability Act (HIPAA), , –10, 233
HIDS. See Host-based intrusion detection system
HIPS. See Host-based intrusion system
Host-based intrusion detection system (HIDS), 59
Host-based intrusion system (HIPS), 59, 60
HTTP. See Hypertext Transfer Protocol
Hybrid intrusion detection system (Hybrid IDS)
Hypertext Transfer Protocol (HTTP), 149–150, 199
I
ID theft. See Identity theft
Identity theft,
computer attacks,
cyber-criminals, –
data breaches tracking tools,
hacking, –
personal data theft, ,
See also Credit card fraud; Payment Card Industry Data Security Standard (PCI DSS)
IEC. See International Electrotechnical Commission
Independent Sales Organizations (ISOs), 15, 229
Information risk management documents, 306
Information security, 185
Information technology (IT), 29–30
and PCI DSS requirements, 264
and penetration testing, 150
secure coding practices, 279–280
Initialization vector (IV), 144
Internal Security Assessor (ISA), 50, 23, 20
Internal vulnerability scanning, 176
PCI DSS scan issue tracking process, 177
system change issues, 178
See also Approved scanning vendor (ASV); Vulnerability management
International Electrotechnical Commission (IEC),
International Organization for Standardization (ISO),
Internet Control Message Protocol (ICMP), 53
Internet Protocol (IP), 83–84
Internet Protocol SECurity (IPSec), 117
Internet Service Provider (ISP), 53
in monitoring cardholder data environment, 213
in monitoring cardholder data environment, 213–214
IP-based Point of Sale (POS), 69
ISO17799 standard, 35, 307
ISO27005 “Information security risk management,” 306
IT. See Information technology
J
Juniper firewall log message, 189
K
Key management
KISP. See Cardholder Information Security Program (CISP)
Knowledge of encryption, 268
L
Legitimate technological constraint, 263–264
Lifecycle process for changes to PCI, 32
Lightweight Directory Access Protocol (LDAP), 77
Linux IPTables firewall, 189
access control systems, 89
password complexity requirements, 89–90
Log management problem, 188
Logging and monitoring cardholder data environment, 187–190
case study
risky risk-based approach case, 219–220
tweaking to comply case, 220–221
firewall log messages, 189
log management problem, 188
log-producing technologies, 189
mistakes and pitfalls, 218–219
monitoring using logs, 189
PCI relevance of logs, 190–191
web server log analysis, 190
Logging and monitoring in PCI, 197–201
across PCI DSS requirements, 198–199
changing user passwords, 200
installing and maintaining firewall configuration, 197
justification and documentation, 199
scanning in-scope systems, 201
secure systems and applications, 200
Longitudinal redundancy check (LRC), 109
LRC. See Longitudinal redundancy check
M
MAC. See Mandatory access control
Malicious software, , 156
automatic validation of, 169–172
Management sponsorship, 237
Mandatory access control (MAC), 272
Level 1 and 2 merchants, 236
Media Access Control (MAC), 133
Merchant Service Provider (MSP), 15
PCI DSS
compliance deadlines for, 19
See also Service providers
Message Digest 5 (MD5), 90
Microsoft MS SQL Server, 115
Microsoft Project, planning software, 240
Minnesota’s Plastic Card Security Act,
Misc card transmission rules, 120–121
Mitigation, vulnerability management and, 150–151
Monitoring
data and log for security issues, 195–197
and logging
in PCI, other requirements, 197–201
Multifactor authentication. See Two-factor authentication, and Requirements 8.3
N
National Security Agency (NSA), 89
National Vulnerability Database (NVD), 154, 260
user privilege violation vulnerability in, 163
Near-Field Communication (NFC), 292–294
“Need-to-know,” for access, 75, 81
Network intrusion detection system (NIDS), 59, 189
in monitoring cardholder data environment, 213
Network security
firewall configuration standard establishment, 54–55
configuration standards development, 62–63
connection restriction, 57–58
deleting unnecessary accounts, 62
denying traffic from untrusted networks, 56–57
firewall considerations for Requirement 1, 58–60
firewall implementation, 56
non-console administrative access encryption, 65
shared hosted environment protection, 65–66
single purpose server implementation, 63–64
system security parameter configuration, 64–65
large, flat corporate network case, 70–71
network administration, 66
PCI DSS requirements, 54–66
small, flat store network case, 68–70
See also Access controls; Payment Card Industry Data Security Standard (PCI DSS)
Network Test Access Ports (TAPs), 59–60
Network time protocol (NTP), 40, 191
Network vulnerability assessment. See Vulnerability assessment
Network vulnerability scanner, 152
Network vulnerability scanning. See Vulnerability assessment
Network vulnerability testing. See Vulnerability assessment
Network-based intrusion prevention system (NIPS), 60
New Technology File System (NTFS), 86
Next-gen Payments. See Payment schemes, new; Europay, MasterCard, and Visa (EMV)
NFC. See Near-Field Communication
NIDS. See Network intrusion detection system
Nigerian e-mail scams,
NIST 800-30 “Risk Management Guide for Information Technology Systems,” 306
Noncompliance
Non-console administrative access encryption, 65
North American Electric Reliability Corporation (NERC),
NSA. See National Security Agency
NTP. See Network time protocol
NVD. See National Vulnerability Database
O
OmniPlan, planning software, 240
Open Source Vulnerability Database (OSVDB), 260
Open Web Application Security Protocol (OWASP)
OpenProj, planning software, 240
OpenWorkbench, planning software, 240
OSVDB. See Open Source Vulnerability Database
OWASP. See Open Web Application Security Protocol
P
PA-DSS. See Payment Application Data Security Standard
PA-QSAs. See Payment Application Qualified Security Assessors
Packet filtering router, 53
Password
complexity requirements, 82
default passwords. See Default passwords
design for PCI DSS, Requirements 8.5.8–8.5.12, 82
and Linux distributions, 89–90
policies and procedures, 61
random passwords. See Random password for users
unreadable in transit and storage, 78–79
for Windows computers, 86–87
Payment Application Best Practices (PABP), 27–28
Payment Application Data Security Standard (PA-DSS), 19, 24–25, 27–28
Payment Application Qualified Security Assessors (PA-QSAs), 24, 27–28
Payment brand. See Card brand
Payment Card Industry (PCI), , 54
Payment Card Industry Co (PCI Co). See Payment Card Industry Data Security Standard (PCI DSS)
Payment Card Industry Data Security Standard (PCI DSS), , , 263
Chief Compliance Officer (CCO),
compliance,
controls, automatic validation, 169–172
organization, –
standards and regulations,
usability in daily job, –
users,
Payment Card Industry Data Security Standard (PCI DSS), access control, 263
password complexity requirements, 82
password design for, Requirements 8.5.8–8.5.12, 82
pitfalls
physical access monitoring, 98
Payment Card Industry Data Security Standard (PCI DSS), data protection
Appendix A of. See PCI DSS, Appendix A of
awareness in industries, 12
in credit card industry, 10
satellite location case, 128–130
stopping security breaches, 11
Payment Card Industry Data Security Standard (PCI DSS), logging and monitoring
building initial baseline, 204
exception investigation and analysis, 205–206
intrusion prevention functionality, 213
“known bad” message identification, 204–205
log review validation, 207
PCI-related reports and alerts, 212
periodic operational task, 208
policies and procedures, 201–209
implicit event type creation, 202–203
prioritized approach, 319
Payment Card Industry Data Security Standard (PCI DSS), myths and misconceptions
cardless merchant case, 321–322
conceptual risk formula, 320
Myth #1, application aspects, 302–305
Myth #2, clarity and unambiguous, 305–307
Myth #3, onerous process, 307–309
Myth #4, relevancy aspects, 309–312
requirements for data security, 310
Myth #5, PCI for security need, 312–314
for multipurpose usage, 312–313
Myth #7, on PCI compliance, 316–319
prioritized approach, 319
Myth #8, on security power, 319–321
rules
for health care providers, 302
Payment Card Industry Data Security Standard (PCI DSS), need for, 13
compensating control use, 32
compliance deadlines, 19–20
data protection issue, 14
electronic card payment ecosystem, 15–19
PA-DSS implementation, 31
Principal-Associate QSA, 28
vendor certifications programs, 25
security-motivated regulatory guidance, 31
types based on card acceptance methods, 22
Payment Card Industry Data Security Standard scoping (PCI DSS scoping), 39–40
cardholder data environment, 45–46
cardholder information, 40–41
entrenched enterprise case, 51–52
Prioritized Approach tool for, 49
smaller versus larger businesses, 40
under-scoping problem, 44–45
Payment Card Industry Security Standards Council (PCI SSC), , 24–26
Principal-Associate QSA, 28
Prioritized Approach for, 49
vendor certifications programs, 25
cashless cover charge case, 298–299
for global businesses, 297–298
NFC. See Near-Field Communication (NFC)
payment acceptance effect, 293
Paypal. See Paypal
PCI and key management, 116–117
PCI compliance, pitfalls, 126–128
complexity of key management, 126
data encryption mistakes, 126–128
database data encryption, 127
hard-coded secret effects, 127
secure data deletion, 126
PCI Compliance Evidence Package, 207–208
PCI DSS, Appendix A of
business process identification, 124–125
data location identification, 125
policy development and documentation, 126
work with identified data, 125
shared hosting provider, 123–124
PCI Forensic Investigator (PFI), 24–25, 28–29
PCI project, planning, 48–50
PCI Requirement 3, cardholder data protection, 103, 106–107, 128
data encryption methods
column-level encryption, 113–116
file-level encryption, 111–112
ensuring transmitted data, 117–121
key management practices, 116
by mainframe systems, 117
PCI DSS subrequirements
processes and procedures, 110
sensitive authentication data storage, 110
policy angle of encryption, 116–117
processes and activities, 104
misc card transmission rules, 120–121
Transport Layer Security (TLS) and secure sockets layer, 118
wireless transmission, 119–120
PCI Security Standards Council (PCI SSC), , 13
PCI vulnerability management
case study
PCI at e-commerce site case, 182–183
PCI at retail chain case, 181–182
Personal data theft, –
Personal identification number (PIN), 108
Personally identifiable information (PII), 10
Phishing attacks,
Pluggable Authentication Modules (PAM), 89
POSIX access control, 88–90
access control systems, 89
password complexity requirements, 89–90
Principal-Associate QSAs, 28
Prioritization, vulnerability management and, 153–154
Prioritized Approach for DSS 2.0, 26
Prioritized Approach tool, 49
Privacy Rights Clearinghouse,
Project quickstart guide, 244–248
annual assessment preparation, 248
corporate sponsorship, 245
gap analysis, performing, 247
PCI DSS compliance plan creation, 247–248
PCI DSS SAQ-D completion, 246
PCI level determination, 246
setting up quarterly external network scans, 246–247
team identification and establishment, 245–246
Q
QSAs. See Qualified Security Assessors
Qualified Security Assessors (QSAs), , 20, 26–27, 263
employee lookup tools, 28
firewall installation in wireless network, 135
on-site DSS assessments, 27
See also Assessors
Quality assurance (QA), 165
Quarterly external vulnerability scans, 166, 168, 174
PCI DSS Requirement 11.2, 173–174
R
RACLs. See Reflexive access list
Radio frequency (RF), 131
Radio-Frequency IDentification (RFID) chips, 293
Random Number Generator (RNG), 268
Random password for users, 97
Reflexive Access Lists (RACLs), 57, 135, 271
Relational Database Management Systems (RDBMSs), 190
compliant company case, 288–289
reviewing PCI requirements, 280
access control measure implementation, 284–285
building and maintaining secure network, 280–281
cardholder data protection, 281–282
maintaining information security policy, 286–287
monitoring and testing networks, 285–286
vulnerability management program, 282–284
security. See Security
Request For Comment (RFC), 57
Requirement 11.1, PCI DSS
testing for unauthorized wireless, 138–140
Requirement 5, PCI DSS
ensuring system components and software, 158
new vulnerability identification, 158–159
review of custom code, 160
software application development, 159
software development and maintenance practices, 159–160
testing security systems and processes, 165–166
web application firewalls, 164–165
web application scanning, 161–164
application scanner work, 163
commercial tools’ vendors, 162
free or open-source tools, 162
user privilege violation vulnerability, 163
web-application security, 161
and web vulnerabilities, 161–165
Requirement 6, PCI DSS, 165–176
secure and compliant, 165
vulnerability management activities in, 183
Requirements 2, 4, and 9 PCI DSS
wireless devices actual security of, 136–138
Rest of the world, vs Europe vs US, payment schemes, 297–298
Rule Set Based Access Control (RSBAC), 89
S
SAQ. See Self Assessment Questionnaire
Sarbanes–Oxley Act (SOX), , –10, 193, 233
PCI DSS requirements, 279
periodic review and training, 278–280
professionals’ training, 280
secure coding practices, 279–280
Security assessment procedures
assessors. See Assessors
reassessment planning, 262
remediation planning, 258
risk classification tools, 258–260
Security Content Automation Protocol (SCAP), 153
Security Focus Bugtraq, 260
Security policy consideration
complying with PCI DSS, 122
data sharing with service providers, 122
defining policy and procedures, 121–122
human resources requirement, 122
incident response plan, 122–123
information security management, 122
operational security procedure development, 121
policy detail handling, 121
See also Cardholder data protection
Self Assessment Questionnaire (SAQ), 49–50, 235
Instructions and Guidelines document, 26
Self-assessment questionnaire (SAQ) Type A, 303–304
under Requirement 12, PCI DSS, 305
under Requirement 9, PCI DSS, 304–305
“validation for Type 1,” 303
Self-Assessment Questionnaire (SAQ), 20, 54
Self-Assessment Questionnaire D (SAQ-D), 234
Server
for single purpose, implementation of, 63–64
PCI DSS requirements on, 16
See also Merchants
Service Set IDentifier (SSID) broadcast, 133
Shared hosted environment protection, 65–66
Shared hosting provider, 123–124
Simple Network Management Protocol (SNMP), 61, 136
Single purpose server implementation, 63–64
Site assessment. See Testing of controls, limitations, and restrictions
Small business, PCI DSS for
cashless cover charge case, 229
new business considerations, 225–227
scheme for SMB hardening, 228
SmartPay (MasterCard), 293
SMB hardening, scheme for, 228
Software-as-a-service (SaaS), 149–150
SOX. See Sarbanes–Oxley Act
Special Interest Group (SIG), 39
Spider from Cornell Labs, 41
Spyware,
SQL injection vulnerability, 162
Structured Query Language (SQL), 154, 190
Boolean configuration switches, 67
System security parameter configuration, 64–65
T
Technology Improvement Program (TIP), 293
Technology Innovation Program (TIP), 19, 248–250
Temporal score metrics, 261
Testing of controls, limitations, and restrictions, 150
Tools, for logging in PCI, 209–213
Top Ten Web Application Security Issues Project
Transport Layer Security (TLS), 117–118
Two-factor authentication, and Requirements 8.3, 77–78
U
UK Lottery scams,
Unauthorized wireless devices, 139
and Requirement 11.1, 138
Unified Compliance Framework (UCF), –10
Unified Threat Management (UTM), 182
Uniform Resource Locator (URL), 195
Untrusted networks, denying traffic from, 56–57
US vs Europe, payment schemes, 297–298
User privilege violation vulnerability, 163
UTM. See Unified Threat Management
V
Validation
on card acceptance methods, 22
compliance validation, annual assessment of, 248
of confusing requirements, 36
Virtual local area networks (VLANs), 59–60, 270
Visa Compliance Acceleration Program (CAP) Fines, 236
Voice over Internet Protocol (VoIP), 187–188
Vulnerability assessment, 149–150
Vulnerability management, 151–152
antivirus log setting, 157
controls in PCI DSS requirements, 150–151
ensuring antivirus mechanisms, 156
in information security, 151
National Vulnerability Database, 155
network vulnerability scanners, 152
updating antivirus programs, 156
use of vulnerability scanning tools, 152
Vulnerability scanning tool uses, 152
W
WAF. See Web application firewall
WAS. See Web application scanning
Web application scanning (WAS), 162–164
application scanner work, 163
commercial tools’ vendors, 162
free or open-source tools, 162
user privilege violation vulnerability, 163
Web server
Whole disk encryption, 268
Wi-Fi Protected Access (WPA), 120, 137
Windows Active Directory, 63, 86–87
Windows and PCI compliance
enabling password protected screen savers, 87
inactive accounts in active directory, 86
password requirement enforcement, 86–87
setting file permissions, 87–88
windows file access control, 84–86
Wired Equivalent Privacy (WEP) key, 132
Wireless network security, 132–134
case study
double secret wireless network case, 147–148
untethered laptop case, 145–146
in PCI DSS requirements
firewall installation, 135
incident response personnel, 136
Requirement 11.1, testing for unauthorized wireless, 138–140
Requirements 1 and 12, documentation, 134
wireless installation, 136–137
security functionality, 133
tools and best practices, 142–143
WEP key
wireless devices security of, Requirements 2, 4, and 9, 136–138
encryption technologies, 136–138
wireless technologies, 141–142
Wireless network testing, Requirement 11.1, 166
Wireless technologies, 141–142
Wireless transmission, 119–120
Worldwide Interoperability for Microwave Access (WiMAX), 142
WPA. See Wi-Fi Protected Access
WPA2 802.11 networks, 137
802.11b and 802.11g targets, 143
802.11i wireless network, 137, 147
with high-speed Bluetooth networks, 141–142
Y
“Y,” clicking on computer, 315
Z