Chapter 1

About PCI and This Book

Information in this chapter:

• Who Should Read This Book?

• How to Use the Book in Your Daily Job

• What This Book Is Not

• Organization of the Book

• Summary

The Payment Card Industry Data Security Standard (PCI DSS) just celebrated its seventh year (it was first released on December 15, 2004), and the PCI Security Standards Council its fifth birthday (it was founded on September 7, 2006). Most of you reading these words have probably heard about PCI DSS, worked on a project tied to PCI DSS compliance, or said a few words out loud about PCI DSS that would have earned at least one of the authors a big smack across the face from his mother. For those of you just starting with PCI DSS, we authors hope this book can be your guide to a successful end result.

If you are like most professionals, the idea of becoming compliant with the Payment Card Industry Data Security Standard (PCI DSS) or countless other regulations does not sound like fun. Information technologists and information security professionals aren’t the only ones who share this feeling. Not only have other C-level individuals had to deal with compliance and regulation around payments at some point in the last five years of their careers, but the industry has even created a new position that has become quite popular: the Chief Compliance Officer (CCO).

Compliance efforts are rarely described as fun by those working on them. Painful is probably a better description. Whether it is the pain of not knowing what to do, the pain of failing the assessment, or the pain of “doing compliance” without an adequate budget, there are plenty of reasons why compliance in general, and PCI DSS compliance in particular, is so closely associated with pain.

Thus, we face the seemingly impossible challenge of writing a fun and insightful book about PCI DSS. We realize the near-impossible task ahead, and we are committed to the challenge. We’d like to invite you, our reader, to travel with us in the hope that when you turn the last page, you will have come to realize that PCI DSS compliance can indeed be (YES) fun!

There are many standards and regulations out there. If your company’s stock is publicly traded in the United States, you must adhere to the Sarbanes–Oxley (SOX) mandates. Financial companies fall under the Gramm–Leach–Bliley Act (GLBA). Those in the energy sector work toward North American Electric Reliability Corporation (NERC), Federal Energy Regulatory Commission (FERC), or Critical Infrastructure Protection (CIP) standards. If you are in the health care industry, your network must comply with the Health Insurance Portability and Accountability Act (HIPAA) standards. Other countries have their own “alphabet soup” of standards, such as British BSI, Russian GOST (Russian for “gosudarstvennyy standart,” or “state standard”), the worldwide International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) standards, and so on. PCI DSS occupies a special place among these standards for two reasons: broad, worldwide applicability, and the presence of an enforcement mechanism that is seen as imminent and unavoidable, unlike that of some of the other regulations mentioned.

The overarching theme of all these standards, laws, and regulations is that organizations need to secure data and protect their networks to keep citizens’ data safe. In some cases, weak information security may only affect one company. However, when the data on the corporate network contains personal information about patients, customers, or employees, a breach of security can have implications far beyond the breached company. A breach affecting hundreds of millions of customers, such as one at a payment card processor, will have implications touching nearly every family; decreasing such occurrences is therefore in the public interest.

Visa, MasterCard, American Express, Discover, and JCB banded together to develop PCI DSS to ensure that credit-card customer information and the payment systems are adequately protected. Breaches of customer information lead to money loss and damaged reputations, and the credit-card industry wants to protect itself from financial loss or eroded consumer confidence in credit cards as a means of doing business.

We will use our experience with PCI DSS, both from the PCI Qualified Security Assessor (QSA) side and the information security side, to explain the most up-to-date PCI DSS guidelines to you (Version 2.0 as of this writing). The objective of this book is not only to teach you about the PCI DSS requirements but to help you understand how the PCI DSS requirements fit into an organization’s information security framework, and how to effectively implement information security controls so that you can be both compliant and secure. In addition, we will focus on how to do this in the easiest and most pain-free way without compromising security in the process.

This book will make constant reference to the PCI DSS. PCI DSS and its related standards are owned by the PCI Security Standards Council (PCI SSC), sometimes known in the industry as PCI Co. Before you start reading this book, you should go to the Council’s Web site at www.pcisecuritystandards.org and download PCI DSS version 2.0. You can find the relevant documents by clicking on “PCI Standards & Documents,” then “Documents Library.”

As of this publication, PCI DSS is at version 2.0. Where there are significant changes between the previous version 1.2 and this version, we will call out what has changed and what you need to do as someone complying with the standard.

Who Should Read This Book?

Every company that accepts card payments, processes credit- or debit-card transactions, stores payment card data, or in any other way touches personal or sensitive data associated with payment card processing is affected by the PCI DSS. In practice, this means that virtually all businesses, no matter how big or small, need to understand their PCI DSS scope and how to implement PCI controls to reduce their compliance risk, or face penalties or even the possibility of having their merchant status revoked.

Even with such a broad audience compelled to comply with the PCI DSS, this book had to be written for a specific technical level. This book could have been written in very simple terms to educate the general population about PCI DSS. We could have written an in-depth technical tome providing every bit of detail a network engineer or security administrator might need to configure and implement all controls mandated by PCI DSS. This book aims in the middle and is more of a strategic guide to help management and practitioners understand the implications of PCI DSS and what it takes to be compliant. Overall, the book is useful for every stakeholder in an organization dealing with credit cards. This includes executive management; IT and IT security management; network and server engineers; application developers; database managers; legal, marketing, sales, and HR staff; front-line managers; and anyone else interested in payment security.

Because of the wide impact that PCI DSS has on any organization, this book is like the small business with five employees: it wears multiple hats and will appeal to multiple audiences. This book is for the IT managers and company managers who need to understand how PCI DSS applies to their organizations. This book is for the small- and medium-size businesses that don’t have an IT department to delegate to. This book is also for large organizations whose PCI DSS project scope is immense. It is for all organizations that need to grasp the concepts of PCI DSS and how to implement an effective security framework that is also compliant. This book is intended as an introduction to PCI DSS, but with a deeper and more technical understanding of how to put it into action. Finally, even the PCI “literati” will benefit from the stories and case studies we present!

How to Use the Book in Your Daily Job

You can use the book during the entire lifecycle, from complete PCI unawareness to ultimate security and compliance enlightenment. Specifically, you can use it to:

• Learn what PCI DSS is and why it is here to stay,

• Understand how it applies to you and your organization,

• Learn what to do about each of the 12 main requirements,

• Learn how to deal with PCI assessors and internal auditors,

• Learn how to plan and manage your PCI DSS project,

• Understand all the technologies referenced by PCI DSS,

• Get the best experience out of what can be seen as a painful assessment and remediation process.

What This Book Is Not

While reading the book, remember that this is not the book that will unambiguously answer every esoteric PCI DSS question. There is simply no way to create a book containing every use case with the goal of answering PCI DSS questions as the regulation applies to your own environment. Indeed, there are similarities in how networks and systems are deployed, but given the broad applicability of PCI DSS, from small e-commerce sites to huge worldwide retailers, there is no way to have a book “customized” for your networks, systems, and applications. It is not meant to be the final authority on all issues related to PCI DSS, and it is not the unabridged guide to all things PCI DSS. Finally, even though the book is written using one of the authors’ QSA¹ and consulting experiences, your Acquiring Bank is the ultimate judge of most PCI “puzzles” you will face on your journey to compliance, and your QSA (or other similarly credentialed and experienced individual) should be your guide to lead you to the top of PCI Compliance Mountain.

Organization of the Book

Each chapter of the book is designed to provide you with the information you need to know in a way that you can easily understand and apply. The chapters in this book follow a common structure which, wherever possible, includes a description of the PCI DSS requirement, the value of the requirement for PCI DSS and for security, common tips and select tools useful for satisfying the requirement, and common mistakes and pitfalls.

In simple and direct terms, we will first explain the control or concept we are talking about in a way that illustrates its intent. Then, we explain where this concept sits in PCI DSS and why it is needed for information security, that is, how it reduces risk. Next, we explain what you should do with this concept to be secure and compliant, using examples and common practices. Most chapters have detailed and entertaining case studies. When we said that we will make PCI DSS fun, we really meant it! Most chapters have a summary that provides a brief recap of the concepts discussed, to reinforce what you read or to help you identify areas that you may need to re-read if you feel you don’t understand them yet. Where possible, we also try to highlight common mistakes and pitfalls with these requirements or PCI concepts.

Summary

This section provides a brief description of the information covered in each chapter:

• Chapter 1: About PCI and This Book—This chapter explains why PCI DSS is special and what this book is about.

• Chapter 2: Introduction to Fraud, ID Theft, and Regulatory Mandates—This chapter explains cybercrime and regulations and is a brief look at payment card fraud, cybercrime, ID theft, and other things around PCI DSS.

• Chapter 3: Why Is PCI Here?—This chapter gives an overview of PCI DSS and why the card industry was compelled to create it. This chapter also includes some discussion about the benefits of PCI DSS compliance and the risks of noncompliance.

• Chapter 4: Determining and Reducing your PCI Scope—Every successful project around PCI DSS hinges on correctly scoping the environment. Expect to learn exactly how to scope your environment, learn ways to reduce that scope, and get tips for planning your PCI DSS projects.

• Chapter 5: Building and Maintaining a Secure Network—This chapter explains the fundamental first step in protecting data covered by PCI DSS and other electronic data: making your network secure in the first place. This chapter discusses the basic components of a secure network and lays the foundation for building the rest of your PCI DSS compliance.

• Chapter 6: Strong Access Controls—This chapter covers one of the most important aspects of PCI DSS compliance: access control. The information in this chapter includes restricting access to only those individuals that need it, as well as restricting physical access to computer systems.

• Chapter 7: Protect Cardholder Data—This chapter explains how to protect the card data stored in your systems, as well as how to protect data while it is in transit on your network.

• Chapter 8: Using Wireless Networking—This chapter covers wireless security issues and the wireless security controls and safeguards mandated by PCI DSS. We include concepts that can be widely applied to Wi-Fi, Bluetooth, cellular, satellite, and emerging standards like Zigbee.

• Chapter 9: Vulnerability Management—This chapter explains performing vulnerability assessments to identify weaknesses in systems and applications, and how to mitigate or remediate the vulnerabilities to protect and secure your data.

• Chapter 10: Logging Events and Monitoring the Cardholder Data Environment—This chapter discusses how to configure logging and event data to capture the information you need to be able to show and maintain PCI compliance, as well as how to perform other security monitoring tasks.

• Chapter 11: PCI for the Small Business—PCI DSS isn’t just for big box retailers and large banks. Whether you handle millions or hundreds of cards per year, you must comply with the DSS. This chapter includes tips on how to achieve PCI Compliance in a small business, subsidiary, or satellite office setting.

• Chapter 12: Managing a PCI DSS Project to Achieve Compliance—This chapter gives an overview of the steps involved and the tasks necessary to implement a successful PCI compliance project. This chapter includes a discussion of the basic elements that should be built into future projects to proactively ensure they are PCI compliant.

• Chapter 13: Don’t Fear the Assessor—This chapter helps you understand that an assessor is there to work with you to validate your compliance and help you with security. They are only your enemy if you treat them that way. This chapter explains how to use the findings from a failed assessment to build ongoing compliance and security.

• Chapter 14: The Art of Compensating Control—This chapter explains how compensating controls are often talked about and misunderstood. It will help build the reader’s understanding of, and confidence in dealing with, this tricky and often ambiguous component of PCI DSS, and most importantly, give you tips on creating your own controls.

• Chapter 15: You’re Compliant, Now What?—This chapter covers the details you need to keep in mind once you have achieved compliance. Security is not as simple as just getting it implemented; you have to monitor and maintain it. This chapter contains information about ongoing training and periodic reviews, as well as how to conduct a self-assessment to ensure continued compliance.

• Chapter 16: Emerging Technologies and Alternative Payment Schemes—This chapter looks to the future of payments and how they will impact your PCI DSS strategies.

• Chapter 17: PCI DSS Myths and Misconceptions—This final chapter explains common but damaging PCI myths and misconceptions, as well as the reality behind them.

For those of you new to PCI DSS, we recommend going right through the chapters in order. They build upon one another as the concepts get more complex and we apply what we have learned. Once you are through the book, you will be able to reference specific content a little more easily.

And with that, let’s delve into fraud, identity theft, and regulatory mandates.

¹ The term QSA and the role of QSAs in PCI DSS assessments will be explained in Chapter 3, “Why Is PCI Here?”
