Foreword

Just the mere fact that you have purchased and begun reading this book means you are gaining insight into a rarely seen battleground between global criminals and those protecting our world’s credit card commerce engine. The Payment Card Industry Data Security Standard (PCI DSS) is a ‘household’ term for any organization that handles credit card information as a part of doing business. The authors have taken the time to pull together a real world, fun way to look at and achieve PCI DSS compliance as you join or continue your battle against the criminal element.

While large and medium organizations have worked to become compliant and battle the criminals directly since the inception of PCI DSS in 2004, many small organizations are only now starting to understand the need to comply and join the battle. Not by coincidence, the criminal element has also learned that smaller organizations have been less likely to work toward PCI compliance. In 2011 alone, several data compromises occurred across many small organizations, indicating that criminal activity has shifted to 'trolling', where the criminals target many smaller organizations rather than one or two large ones to obtain the same volume of credit card numbers.

Although the battle has been in process since the inception of the credit card industry, PCI DSS is unique as the standard was created and is maintained by the credit card industry through an independent governing body known as the PCI Security Standards Council. In my opinion, to date the standard has largely succeeded in its initial purpose, which has been to raise the maturity of security controls across those handling credit cards in any industry. By bringing organizations and individuals into the battle, we expand the army of good guys. Initially, this has been achieved by a very descriptive set of security controls that must be followed in detail, in order for an organization to gain PCI DSS compliance.

An entire industry has been created in support of PCI DSS, as we now have Qualified Security Assessors (QSAs), Approved Scanning Vendors (ASVs), and many consulting organizations, all specializing in working with companies to ensure they are supporting the fight by complying with PCI DSS. As I mentioned earlier, just the fact that you are reading this book means you have taken the leap to gain insight into and understanding of the entire PCI space. PCI DSS should be considered the bare minimum set of requirements for organizations that handle credit cards. An organization must realize that the battle of balancing business needs with proper security controls continues daily, as there is no single solution. PCI DSS compliance makes a strong statement about an organization's commitment to protecting commerce globally. The authors of PCI Compliance: Understand and Implement Effective PCI Compliance (3e) will provide you with the information and reference material you need to take the next step in building a security organization that continually evolves the security controls required to compete with the criminal element.

I have called myself an information security professional for roughly sixteen years, and in that time I have grown to appreciate like-minded peers. That said, you are safe with Branden Williams & Dr. Anton Chuvakin as they cover the topic of PCI DSS in a balanced, well-constructed methodology. As you read and apply the concepts to your organization, always work to create a continuous improvement cycle, as the criminal element you are competing with never gets tired of trying new, inventive attacks. Take the time to have some fun: initially read cover to cover, and then come back, as this is a solid reference as you mature your own organization in the never-ending battle of protecting global credit card commerce.

-- John W Graham, CISSP, CISM, CISA, CIRSC, HISP, MISA

Vice President, Global Information Assurance and Risk, First Data Corporation; Board Member, PCI Standards Council
