
PCI Compliance: The Definitive Guide.

Author: Abhay Bhargav
Publisher: Auerbach Publications, 2014.
Edition/Format: eBook : Document : English





Genre/Form: Electronic books
Additional Physical Format: Print version:
Material Type: Document, Internet resource
Document Type: Internet Resource, Computer File
All Authors / Contributors: Abhay Bhargav
ISBN: 1439887403 9781439887400 9781306904346 130690434X
OCLC Number: 889999588
Description: 1 online resource
Contents:

Payment-Card Industry: An Evolution
  The Development of a System: The Coming of the Credit Card; The Need for Credit: A Historical Perspective; Credit in the Mesopotamian Civilization; Credit in the Era of Coins and Metal Bullion (800 BC to AD 600); The Rise of Virtual Money Transactions (AD 600 to AD 1500); The Reemergence of Coins and Precious Metal Currency (1500-1971); The Rise of Debt (1971 Onwards); The Need for Credit; The Credit Card: A Means to Address the Need for Credit; The History of the Credit Card; The First Credit Cards; The Development of a Credit Card Industry; Debit Cards and Automated Teller Machines; The Coming of the Debit Card; The Automated Teller Machine; E-Commerce and Online Payments; The Future of Payments; Trends for the Future of Payments; Mobile Payments; Contactless Payments; Chip and PIN Cards; Summary

Card Anatomy: The Essentials
  Payment Cards: Types of Cards; Payment Card with Magnetic Stripe; Magnetic Stripe Cards: A Brief History; Magnetic Stripe Coercivity; Magnetic Stripe: A Primer on Data Sets; Chip and PIN Cards; Payment Cards: An Anatomy; Payment Card: External Visage (Front); The Card Issuer's Logo; The Payment Brand Logo and Hologram; The Card Number (PAN); The Expiration Date; The Cardholder's Name; Payment Card: External Visage (Back); The Magnetic Stripe; Signature Strip; The CVV; Service Disclaimer; Bank Address and Contact Details; Customer Service Information; Data Sets: Payment Card; Track 1 Data; Track 2 Data; Track 3 Data; Payment Card: Terminology; The Payment Card Processing Cycle; Merchants; Acquirers; Payment Networks; Issuers; Processors; Other Service Providers; Independent Sales Organizations; Payment Card Transactions; Card-Present Transaction; Card-Not-Present Transactions; Open-Loop Payment Systems; Closed-Loop Payment Systems; Summary

Security and the Payment-Card Industry
  A Brief History of Credit Card Fraud; A Brief History of Significant Card Data Breaches; The CardSystems Breach; The TJ-Maxx Card Breach; The Heartland Payment Systems Breach; The Sony Playstation Network Breach; Cardholder Security Programs; Card Brand Cardholder Security Programs; The Formation of the PCI-DSS and PCI-SSC; Structure of the PCI Standards; The PCI Assessment Environment; PCI-QSAs and PCI-QSACs; The PCI ASV (Approved Scanning Vendor); The PCI Internal Security Assessor; The PCI Special-Interest Groups; Payment Application Compliance; PCI's PA-DSS; PA-QSA and PA-QSAC; Summary

Payment Card Industry Data Security Standard (PCI-DSS)
  Brief History of the PCI-DSS; PCI Compliance Levels: Payment Brands; Payment Brand Compliance Programs and PCI-DSS; Compliance Levels and Compliance Requirements; Visa Merchant and Service Provider Validation Levels; MasterCard Merchant and Service Provider Validation Levels; American Express Merchant and Service Provider Compliance Validation Levels; Compliance Validation Levels: Identification and Implementation; PCI-DSS: Applicability; Applicability of PCI Compliance and Interplay with Compliance Validation Requirements; Merchant Organizations; Service Providers: Processors; Service Providers: Everybody Else; Cloud Service Providers; PCI: Attestation, Assessment, and Certification; The Role of a PCI-QSA; The PCI-DSS Requirements; Compensatory Controls; Documentation: The Report on Compliance; Documentation: The Attestation of Compliance; Summary

The Payment Application Data Security Standard (PA-DSS)
  History and Overview of the PA-DSS; The Need for Payment Application Validation for PCI; A Brief History of the PA-DSS; Primer on the PA-DSS Standard; The PA-DSS Requirements; PA-DSS Validation; The PA-DSS Validation Process; The Differences in PCI-DSS and PA-DSS Validation; Technical Testing and Validation for the PA-DSS; Role of a PA-QSA; PA-DSS Documentation; The PA-DSS Report on Validation; The PA-DSS Implementation Guide; The PA-DSS Attestation of Validation; The PA-DSS Vendor Release Agreement; PA-DSS Application Revalidation; Annual Revalidation; Changes to Payment Applications; No-Impact Change; Low-Impact Change; High-Impact Change; Change-Impact Documentation; No-Impact Change-Impact Documentation; Low-Impact Change-Impact Documentation; High-Impact Change-Impact Documentation; Summary

Enterprise Approach to PCI Compliance
  Industry Verticals and PCI Compliance; PCI Approaches for Different Industry Verticals; Basic Business Function; Cardholder Information Touch Points; The Organization Itself; Merchants; Service Providers; Issuing TPPs; Acquiring TPPs; Banks; Other Service Providers; Enterprise Challenges: PCI Compliance; Information Overload: A Perspective; Knowledge of the Team; Management Impetus; Budgetary Constraints; Technical Constraints; Good Practices: To Get PCI Compliant; PCI Taskforce; Create a Defined Scope; Don't Focus on PCI Compliance; Understand Risk-Always; Pick the Right QSA; Good Practices for Application Vendors: PA-DSS; Security from Incipiency; Document, Document, Document; Scope Out; Summary

Scoping for PCI Compliance
  Scoping for PCI Compliance: A Primer; The Cardholder-Data Environment (CDE); Defining the Cardholder-Data Environment; Cardholder-Data Flow; Cardholder-Data Matrix; ATM Card Processing: Acquiring; Card-Issuing Function; POS Billing and Merchant Acquisition; Fraud-Management Services; Cardholder Customer Service Management; Identifying Cardholder Data; The Role of the PCI-QSA in the CDE; Tips for Scope Reduction; Why Reduce Scope?; Network Segmentation; Scoping Out E-Commerce Applications; Tokenization and Other Data-Protection Techniques; System Components in the PCI Scope; Network and Network Components; Servers and OS Components; Applications; Summary

Requirement 1: Build and Maintain a Secure Network
  Network Security: A Primer; Network Security Architecture: Enterprise; Network Architecture: Scoping Out; Benefits of Scoping Out with Network Segmentation; Common Resources; Technology: Network Segmentation; Network Security Requirements for PCI; The Network Security Documentation; Requirement 1.1: Firewall and Router Configuration Standards; PCI Assessor's Notes: Requirement 1.1; Network Components: Firewalls, Routers, and Other Network Components; Firewall and Router Specifications and Configurations; The Demilitarized Zone (DMZ); PCI Requirements Relating to the DMZ; The Role of Managed Services; Summary

Requirement 2: Vendor-Supplied Defaults, System Passwords, and Security Parameters
  Vendor-Supplied Default Passwords; Configuration Standards and Vendor-Supplied Default Passwords and Security Parameters; Requirement 2.1: Change Vendor-Supplied Default Passwords; Requirement 2.2: Configuration Standards for System Components; Requirement 2.2.1: One Primary Function per Server; Insecure Protocols and Services; Requirements 2.2.3 and 2.2.4; Security Parameters: To Prevent Misuse; Nonconsole Administrative Access; Wireless Security Consideration: Vendor-Supplied Defaults; PA-DSS: Application Requirements for Vendor-Supplied Defaults and Security Parameters; Payment Application Vendor-Supplied Defaults; Requirement 3.1b of the PA-DSS; Requirement 5.1.3 of the PA-DSS; Secure Network Implementation: Payment Applications; Requirement 5.4 of the PA-DSS; Requirement 8.1 of the PA-DSS; Requirement 6 of the PA-DSS: Wireless Security Requirements; Summary

Requirement 3: Protect Stored Cardholder Data
  Storage, Retention, and Destruction of Stored Cardholder Data; Do You Really Need to Store Cardholder Data?; Policies and Procedures around Storage of Cardholder Data; Requirement 3.2: Sensitive Authentication Data at Rest; Authentication Parameters: Concept Overview; CVV/CVC/CAV1&2; PIN Verification Value (PVV) and PIN Offset; PIN/PIN Block; Authentication Parameters; Issuers and Storage of Sensitive Authentication Data; Requirement 3.2: Assessment Notes; Display of the Card PAN; Requirement 3.4: Rendering the PAN Unreadable Wherever Stored; An Overview of Techniques to Render the PAN Unreadable; Use of One-Way Hashing; One-Way Hashing Algorithms and Security Considerations; Use of Truncation; Use of Tokenization; Use of Strong Cryptography; Rendering the PAN Unreadable Everywhere It Is Stored; Cryptography: Terminology and Concept Review; Cryptosystem; Key and Keyspace; Initialization Vector; Symmetric and Asymmetric Cryptography; Block Ciphers and Stream Ciphers; Block Cipher Modes of Encryption; Electronic Code Book; Cipher Block Chaining; Cipher Feedback; Output Feedback; Counter; Requirements 3.5 and 3.6: Key Security and Key Management; Key-Management Considerations: Enterprises; Key-Management Practices for Banks and Acquiring and Issuing TPPs; Hardware Security Module (HSM); Local Master Key; Zone-Control Master Keys; PIN Working Keys; PIN Verification Key; Message Authentication Keys; Card Verification Keys; Derived Unique Key per Transaction (DUKPT); Principles of Encryption and Key Management for Protecting the Stored PAN; Secure Key Generation; Single-Purpose Cryptographic Keys; Secure Key Storage; Secure Key Distribution and Exchange; Cryptoperiod and Key Changes; Dual-Key Management for Manual Cryptography; Summary

Requirement 4: Securing Cardholder Information in Transit
  Requirement 4.1: Secure Transmission of Cardholder Information Over Open, Public Networks; Open, Public Networks: A PCI Viewpoint; Secure Protocols; HTTPS with SSL/TLS; Secure Shell (SSH); IPSec VPN; Requirement 4.1.1: WiFi Security Practices for Cardholder Data Transmissions; Requirement 4.2: Unprotected PANs over End-User Messaging Technologies; Summary

Requirement 5: Use and Regularly Update Antivirus Software
  Requirement 5.1: Use of Antivirus Programs to Protect Commonly Affected Systems; Antivirus Deployment within the PCI Environment (CDE); Requirement 5.2: Managing the Antivirus Application; Managing and Monitoring the Antivirus Application for PCI Compliance; Commercial Applications: Antivirus Requirements; Summary

Requirement 6: Develop and Maintain Secure Systems
  Requirement 6.1: Patch-Management Practices for PCI Compliance; Patch Management for PCI Compliance; Approaches to Patching and Patch Management; Change-Management Process of System Patch Deployment; Risk-Based Approach to Patch Management; Assessor's Notes for Verifying Patch-Management Practices; Requirement 6.2: Vulnerability-Management Practices for PCI Compliance; Secure Application Development Practices for PCI-DSS and PA-DSS; Requirement 6.3: Secure SDLC for Application Development; The Risk-Assessment Approach to Secure SDLC; Requirement 6.3.1: Removal of Default User Accounts, IDs, and Passwords; Requirement 6.3.2: Custom Code Review for Security; Requirement 6.4: Application Change Management and Change Control; Requirement 6.4.5: Change-Management Document and the Essentials of Change Control and Change Management; Requirements 6.4.2 and 6.4.3: Separation of Production, Development, and Test Environments; Requirement 6.4.3: Use of Live PANs for Testing; Requirement 6.4.4: Removal of Test Data in Production; Requirement 6.5: Secure Coding Guidelines for Applications; Secure Coding Guidelines: References and Best Practices; Requirement 6.5.1: Secure Coding to Address Injection Flaws; SQL Injection; XPath Injection; LDAP Injection; Command Injection; Requirement 6.5.2: Secure Coding to Address Buffer Overflows; Requirement 6.5.3: Secure Coding to Address Cryptographic Flaws; Cryptography Essentials; Requirement 6.5.4: Secure Coding to Address Insecure Transmissions; The SSL/TLS Handshake Process; Implementation Best Practices for Secure Transmission: Web Applications; Requirement 6.5.5: Secure Coding to Address Improper Error Handling; Requirement 6.5.6: Remediation Measures to Address High-Severity Vulnerabilities; Requirement 6.5.7: Secure Coding to Address Cross-Site Scripting; Reflected XSS; Persistent XSS; Requirement 6.5.8: Secure Coding to Address Flawed Access Control; Session Hijacking; Cross-Site Request Forgery; Session Fixation; Forceful Browsing; Requirement 6.5.9: Secure Coding to Address Cross-Site Request Forgery; Ongoing Vulnerability-Management Practices for Web Applications; Web-Application Vulnerability Assessments; Usage of a Web-Application Firewall; Summary

Requirement 7: Restrict Access to Cardholder Data by Business Need to Know
  Requirement 7.1: Restrict Access to Systems with Cardholder Data; Access Restrictions across the PCI Environment; The Principle of Least Privilege; Documentation of Approval: Access Privileges; Automated Access-Control System; Summary

Requirement 8: Access-Control Requirements for PCI Environments
  Unique IDs for Users: PCI Environment; Requirement 8.1: Assign Unique IDs to Users in PCI Environment; Factors of Authentication; The Three Factors of Authentication; Supplementing User IDs; Something You Know: Knowledge Factors; Something You Are: Physical Factors; Something You Have: Physical Token Parameters; Two-Factor Authentication: Remote Access; Protection of Passwords: Transmission and Storage; Protection of Passwords in Transit; Protection of Passwords at Rest; Authentication Management for PCI Environments; Access-Control Procedure; Requirement 8.5.1: Control of Operations on Access Control; Requirement 8.5.2: Verification of User Identity (Password Resets); Requirement 8.5.3: Unique Password Value and First-Use Change; Requirement 8.5.4 and 8.5.5: Revocation and Removal of User Access Rights; Requirement 8.5.4: Revocation of User Access Rights Immediately after User Separation; Requirement 8.5.5: Disabling User Accounts within 90 Days; Requirement 8.5.6: Vendor Account Access Management; Requirement 8.5.8: Prohibit Shared, Group, or Generic Accounts; Requirements 8.5.9-8.5.15: Password Management for PCI Environments; Database Access Requirements for PCI Environments; Requirement 8.5.16: Database Authentication Requirements; PA-DSS Requirements for Authentication; Requirement 8 of PCI and Requirement 3 of the PA-DSS; Summary

Requirement 9: Restrict Physical Access to Cardholder Data
  Requirement 9.1: Physical Access Controls for the PCI Environment; Requirement 9.1.1: Use of Cameras and/or Access-Control Mechanisms; Requirement 9.1.2 and 9.1.3: Restrict Physical Access to Network Components; The Dangers of Visitor Network Access; Protection Strategies for Visitor Network Access; Requirement 9.1.3: Physical Protection for Network Devices; Requirements 9.2, 9.3, and 9.4: Employee and Visitor Access; Visitor-Management Procedure; Visitor Access and Employee Access Distinctions; Granting Visitor Access; Visitor Access Privileges and Restrictions; Revocation of Visitor and Employee Access; Access to Badge System/Physical Access-Control System; Visitor Distinction; Visitor Access Records; Requirements 9.5-9.10: Media Management and Security; Requirement 9.5: Physical Security-Off-Site Media Backup Location; The Need for Off-Site Backup; Security Controls: Off-Site Backup; Requirements 9.9 and 9.10: Media Destruction; Summary

Requirement 10: Logging and Monitoring for the PCI Standards
  Audit Trails: PCI Requirements; The Need for Audit Trails and Logs; Challenges: Log Management; Distributed Event Logs; Volume of Log Entries; Nonstandard Logging Practices; Multiple Tools; People Intensive; Access-Control Link: Audit Trails; Details: Audit Trail Capture; Audit Logs: Details; Individual Access to Cardholder Data; Actions by Root or Administrative Users; Access to Audit Trails; Invalid Access Attempts; Use of Identification and Authentication Mechanisms; Initialization of Audit Logs; Creation of System-Level Objects; Audit-Trail Entries and Records; User Identification; Type of Event; Date and Time; Indication of Success or Failure; Origination of Event; Identification of Affected System, Resource, or Component; Application Logging Best Practices; The Importance of Time and Its Consistency; Time Sync across IT Components; Network Time Protocol for Time Synchronization; Securing Audit Trails and Logs; Business Need to Know: Logs and Audit Trails; Securing Log Information; Strong Access Control; System Hardening; Centralized Log Server; File-Integrity Monitoring; Log Monitoring, Review, and Retention; Requirement 10.6: Log Review and Monitoring; Requirement 10.7: Log Retention; Summary

Requirement 11: Security Testing for the PCI Environment
  Wireless Access Point: Testing; Testing for Rogue/Unauthorized Wireless Access Points; Wireless Network Scanning; Physical Inspection; Network Access Control; Wireless IDS/IPS Deployment; Internal and External Network Vulnerability Scanning; Vulnerability Scanning: Concept Note; Vulnerability Categorization; Vulnerability Scanning: Methodology; Internal and External Network Vulnerability Scanning; Internal and External Vulnerability Scanning; Network Vulnerability Scanning; Scanning by PCI Approved Scanning Vendor (ASV); Internal and External Penetration Testing; Fundamental Differences: Vulnerability Assessment and Penetration Testing; Why Perform a Penetration Test?; Network-Layer Penetration Tests; Application-Layer Penetration Testing; Deployment of Intrusion Detection/Prevention Devices or Applications; Intrusion Detection/Prevention Systems: An Overview; Signature Based; Statistical-Based Anomaly Detection; Stateful Protocol Analysis Detection; PCI Requirement: Intrusion Detection/Prevention System; File-Integrity Monitoring: Critical System Files and Configurations; Attacks: Key System Files; File-Integrity Monitoring: Critical System Files, Processes, and Content Files; Summary

Requirement 12: Information Security Policies and Practices for PCI Compliance
  Information Security Policy: PCI Requirements; Security Policy Definition; Risk Assessment: PCI Compliance; A Question of Adequacy; Risk Assessment: Process and Overview; Annual Review: Policy and Risk-Management Framework; Operational Security Procedures; Security Focus Areas; Acceptable Usage Policies and Procedures; List of Acceptable Technologies, Applications, and Devices; Explicit Approval for Technology Usage; Inventory and Labeling; Authentication for the Use of Technology; Acceptable Usage; Security Roles and Responsibilities; Documentation: Roles and Responsibilities; The Chief Information Security Officer; Distribution of Policies and Procedures and Monitoring of Security Alerts; User Management: Roles and Responsibilities; People Security Practices; Security Awareness Training and Monitoring; Employee Background Verification; Vendor Management and PCI Compliance; Vendors: Data Sharing and Risk Management; Incident Management and Incident Response; Incident-Response Plans and Procedures; Elements of Incident-Response Plan; Incident-Response Success Factors; Summary

Beyond PCI Compliance
  Maintaining PCI Compliance: The Challenge; The Challenge: The Dilemma Produced by Success; The Information Problem; The Technology Challenge; Management Attitude; Success Factors for Continuing PCI Compliance; A Change of Attitude; Deep Understanding of Risk and Its Application; The CISO; Summary

Index


