PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance
Main authors: Williams, Branden R.; Adamson, James K.
Format: Book
Language: English
Published: Boca Raton ; London ; New York : CRC Press, 2023
Edition: fifth edition
Subjects: Data protection
Description: Description based on publisher supplied metadata and other sources
Physical description: xix, 314 pages, diagrams
ISBN: 9780367570026 (hardback); 9780367570033 (paperback)
Internal format (MARC)
LEADER 00000nam a2200000zc 4500
001 BV049326156
003 DE-604
005 20231006
007 t
008 230914s2023 |||| |||| 00||| eng d
020 __ |a 9780367570026 |c hbk |9 978-0-367-57002-6
020 __ |a 9780367570033 |c pbk |9 9780367570033
035 __ |a (OCoLC)1403378343
035 __ |a (DE-599)BVBBV049326156
040 __ |a DE-604 |b ger |e rda
041 0_ |a eng
049 __ |a DE-N2
082 0_ |a 342.440858
084 __ |a ST 185 |0 (DE-625)143606: |2 rvk
100 1_ |a Williams, Branden R. |4 aut
245 10 |a PCI Compliance |b Understand and Implement Effective PCI Data Security Standard Compliance |c Dr. Branden Williams, James K. Adamson
250 __ |a fifth edition
264 _1 |a Boca Raton ; London ; New York |b CRC Press |c 2023
264 _4 |c ©2023
300 __ |a xix, 314 pages |b diagrams
336 __ |b txt |2 rdacontent
337 __ |b n |2 rdamedia
338 __ |b nc |2 rdacarrier
500 __ |a Description based on publisher supplied metadata and other sources
505 8_ |a Cover -- Half Title -- Title Page -- Copyright Page -- Contents -- Foreword -- Acknowledgments -- Authors -- Chapter 1: About PCI DSS and This Book -- Who Should Read This Book? -- How to Use the Book in Your Daily Job -- What This Book Is Not -- Organization of the Book -- Summary -- Notes -- Chapter 2: Introduction to Fraud, Identity Theft, and Related Regulatory Mandates -- Summary -- Notes -- Chapter 3: Why Is PCI Here? -- What Is PCI DSS and Who Must Comply? -- Electronic Card Payment Ecosystem -- Goal of PCI DSS -- Applicability of PCI DSS -- A Quick Note about Appendix A3 -- PCI DSS in Depth -- Compliance Deadlines -- Compliance and Validation -- Something New, the Customized Approach -- History of PCI DSS -- PCI Council -- QSAs -- Additional PCI SSC Qualifications -- PFIs -- PCIPs -- QIRs -- ASVs -- Quick Overview of PCI Requirements -- How Changes to PCI DSS Happen -- What's New in PCI DSS 4.0 -- Customized Approach -- Extra Guidance -- New Countermeasures -- Skimmers and Web Content -- Authenticated Vulnerability Scanning -- Inventory All the Things -- Scope Reviews -- In Place With Remediation -- PCI DSS and Risk -- Benefits of Compliance -- Case Study -- The Case of the Developing Security Program -- The Case of the Confusing Validation Requirements -- Summary -- Notes -- Chapter 4: Determining and Reducing Your PCI Scope -- The Basics of PCI DSS Scoping -- Connected-To Systems -- The "Gotchas" of PCI Scope -- Scope Reduction Tips -- Planning Your PCI Project -- Case Study -- The Case of the Leaky Data -- The Case of the Entrenched Enterprise -- Summary -- Notes -- Chapter 5: Building and Maintaining a Secure Network -- Which PCI DSS Requirements Are in This Domain? -- Establish NSC Configuration Standards -- Denying Traffic from Untrusted Networks and Hosts -- Restricting Connections -- Host or Network-Based Security Controls
505 8_ |a Micro-Segmentation -- Other Considerations for Requirement 1 -- The Oddball Requirement 11.5 -- Requirement 2: Defaults and Other Security Parameters -- Develop Configuration Standards -- Default Passwords -- Simple Network Management Protocol Defaults -- Delete Unnecessary Accounts -- Implement Single Purpose Servers -- Configure System Security Parameters -- Encrypt Non-Console Administrative Access -- What Else Can You Do to Be Secure? -- Tools and Best Practices -- Common Mistakes and Pitfalls -- Egress Filtering -- Documentation -- System Defaults -- Case Study -- The Case of the Small, Flat Store Network -- The Case of the Large, Flat Corporate Network -- The Case of the Do Over -- Summary -- Chapter 6: Strong Access Controls -- Which PCI DSS Requirements Are in This Domain? -- Principles of Access Control -- Confidentiality -- Integrity -- Availability -- Requirement 7: How Much Access Should a User Have? -- Databases and Requirement 7.2.6 -- Requirement 8: Authentication Basics -- Identification, Authentication, and Requirements 8.2.4-8.2.8 and 8.3.1-8.3.9 -- Locking Users Out: Requirements 8.2.8 and 8.3.4 -- Things Paired With Usernames -- Rendering Passwords Unreadable in Transit and Storage -- Password Design for PCI DSS: Requirements 8.3.5-8.3.9 and 8.3.11 -- MFA and Requirements 8.4-8.5 -- A Brief Word on System Accounts and Requirement 8.6 -- OAuth, OIDC, SSH Keys, and SSH Certs, OH MY! -- Educating Users -- Windows and PCI Compliance -- Windows File Access Control -- Finding Inactive Accounts in Active Directory -- Enforcing Password Requirements in Windows on Standalone Computers -- Enabling Password Protected Screen Savers on Standalone Windows Computers -- Setting File Permissions on Standalone Windows Computers -- POSIX (UNIX/Linux Systems) Access Control -- Linux Enforce Password Complexity Requirements
505 8_ |a Cisco and PCI Requirements -- Cisco Enforce Session Timeout -- Encrypt Cisco Passwords -- Setting Up SSH in a Cisco Environment -- Requirement 9: Physical Security -- Handling Visitors: Requirement 9.3 -- Media and Physical Data Entry Points: Requirements 9.4 -- Protecting the Point of Interaction: Requirement 9.5 -- What Else Can You Do to Be Secure? -- Tools and Best Practices -- Random Password for Users -- Common Mistakes and Pitfalls -- Poor Documentation -- Legacy Systems -- Cloud and PaaS -- Physical Access Monitoring -- Case Study -- The Case of the Stolen Database -- The Case of the Loose Permissions -- Summary -- Note -- Chapter 7: Protecting Cardholder Data -- What Is Data Protection and Why Is It Needed? -- The Confidentiality, Integrity, and Availability Triad -- Requirements Addressed in This Chapter -- Requirement 3: Protect Stored Account Data -- Requirement 3 Walk-Through -- Encryption Methods for Data at Rest -- File- or Folder-Level Encryption -- Full-Disk Encryption -- Database (Table-, Column-, or Field-Level) Encryption -- PCI and Key Management -- What Else Can You Do to Be Secure? -- Requirement 4 Walk-Through -- Transport Layer Security -- IPsec Virtual Private Networks -- Miscellaneous Card Transmission Rules -- Requirement 12 Walk-Through -- How to Become Compliant and Secure -- Step 1: Identify Business Processes With Card Data -- Step 2: Shrink the Scope -- Step 3: Identify Where Data Is Stored -- Step 4: Determine What to Do About Your Data -- Step 5: Determine Who Needs Access -- Step 6: Develop and Document Policies -- Common Mistakes and Pitfalls -- Case Study -- The Case of the Leaky Data -- The Case of the Satellite Location -- Summary -- Note -- Chapter 8: Using Wireless Networking -- What Is Wireless Network Security? -- Where Is Wireless Network Security in PCI DSS? -- Requirements 1, 11, and 12: Documentation
505 8_ |a Actual Security of Wireless Devices: Requirements 2, 4, and 9 -- Logging and Wireless Networks: Requirement 10.3.3 -- Testing for Unauthorized Wireless: Requirement 11.2 -- Quarterly Sweeps or Wireless IDS/IPS: How to Choose -- Why Do We Need Wireless Network Security? -- Other Wireless Technologies -- Tools and Best Practices -- Common Mistakes and Pitfalls -- Case Study -- The Case of the Untethered Laptop -- The Case of the Expansion Plan -- The Case of the Double Secret Wireless Network -- The Case of the Detached POS -- Summary -- Note -- Chapter 9: Vulnerability Management -- PCI DSS Requirements Covered -- Vulnerability Management in PCI -- Stages of Vulnerability Management Process -- Policy Definition -- Data Acquisition -- Prioritization -- Mitigation -- Requirement 5 Walk-Through -- What to Do to Be Secure and Compliant? -- Requirement 6 Walk-Through -- Public-Facing Web Application Protection -- Web Application Scanning (WAS) -- Web Application Firewalls (WAFs) -- Payment Pages -- Change Management -- Software Supply Chain Attacks -- Requirement 11 Walk-Through -- External Vulnerability Scanning With ASV -- What Is an ASV? -- Considerations When Picking an ASV -- How ASV Scanning Works -- Operationalizing ASV Scanning -- What Should You Expect From an ASV? -- Internal Vulnerability Scanning -- Penetration Testing -- Common PCI Vulnerability Management Mistakes -- Case Study -- PCI at a Retail Chain -- PCI at an E-Commerce Site -- Summary -- Chapter 10: Logging Events and Monitoring the Cardholder Data Environment -- PCI Requirements Covered -- Why Logging and Monitoring in PCI DSS? -- Logging and Monitoring in Depth -- PCI Relevance of Logs -- Logging in PCI Requirement 10 -- Monitoring Data and Logs for Security Issues -- Logging and Monitoring in PCI: All Other Requirements -- PCI DSS Logging Policies and Procedures
505 8_ |a Building an Initial Baseline Manually -- Guidance for Identifying "Known Bad" Messages -- Main Workflow: Daily Log Review -- Exception Investigation and Analysis -- Validation of Log Review -- PCI Compliance Evidence Package -- Periodic Operational Task Summary -- Daily Tasks -- Tools for Logging in PCI -- Other Monitoring Tools -- Intrusion Detection and Prevention -- Integrity Monitoring -- Common Mistakes and Pitfalls -- Case Study -- The Case of the Risky Risk-Based Approach -- The Case of Tweaking to Comply -- Summary -- Chapter 11: Cloud and Virtualization -- Cloud Basics -- What Is the Cloud? -- Cloud Badness -- Cloud Changes Everything! But Does It? -- Cloud Challenges and You -- PCI Cloud Examples -- So, Can I Use Cloud Resources in PCI DSS Environments? -- Containers and Kubernetes -- More Cloud for Better Security and Compliance? -- Maintaining and Assessing PCI DSS in the Cloud -- Enter the Matrix -- Tools and Best Practices -- Summary -- Notes -- Chapter 12: Mobile -- Where Is Mobility Addressed in PCI DSS 4.0? -- What Guidance Is Available? -- Deploying the Technology Safely -- Case Study -- The Case of the Summer Festival -- Summary -- Chapter 13: PCI for the Small Business -- The Risks of Credit Card Acceptance -- New Business Considerations -- Your POS Is Like My POS! -- A Basic Scheme for SMB Hardening -- Case Study -- The Case of the Outsourcing Decision -- Summary -- Chapter 14: PCI DSS for the Service Provider -- The Definition of a Service Provider -- Why Do Service Providers Have More Requirements? -- Variation on a Theme, or What Service Providers Should Care About? -- Service-Provider-Specific Requirements -- Protect Account Data -- Implement Strong Access Control Measures -- Regularly Monitor and Test Networks -- Maintain an Information Security Policy -- Additional PCI DSS Requirements for Multi-Tenant Service Providers
650 _4 |a Data protection
700 1_ |a Adamson, James K. |4 aut
776 08 |i Also available as |n Online edition |z 978-1-003-10030-0
776 08 |i Also available as |n Online edition |z 978-1-00-082232-8
999 __ |a oai:aleph.bib-bvb.de:BVB01-034587014
Datensatz im Suchindex
_version_ | 1804185839597518848 |
---|---|
adam_txt | |
any_adam_object | |
any_adam_object_boolean | |
author | Williams, Branden R. Adamson, James K. |
author_facet | Williams, Branden R. Adamson, James K. |
author_role | aut aut |
author_sort | Williams, Branden R. |
author_variant | b r w br brw j k a jk jka |
building | Verbundindex |
bvnumber | BV049326156 |
classification_rvk | ST 185 |
contents | Cover -- Half Title -- Title Page -- Copyright Page -- Contents -- Foreword -- Acknowledgments -- Authors -- Chapter 1: About PCI DSS and This Book -- Who Should Read This Book? -- How to Use the Book in Your Daily Job -- What This Book Is Not -- Organization of the Book -- Summary -- Notes -- Chapter 2: Introduction to Fraud, Identity Theft, and Related Regulatory Mandates -- Summary -- Notes -- Chapter 3: Why Is PCI Here? -- What Is PCI DSS and Who Must Comply? -- Electronic Card Payment Ecosystem -- Goal of PCI DSS -- Applicability of PCI DSS -- A Quick Note about Appendix A3 -- PCI DSS in Depth -- Compliance Deadlines -- Compliance and Validation -- Something New, the Customized Approach -- History of PCI DSS -- PCI Council -- QSAs -- Additional PCI SSC Qualifications -- PFIs -- PCIPs -- QIRs -- ASVs -- Quick Overview of PCI Requirements -- How Changes to PCI DSS Happen -- What's New in PCI DSS 4.0 -- Customized Approach -- Extra Guidance -- New Countermeasures -- Skimmers and Web Content -- Authenticated Vulnerability Scanning -- Inventory All the Things -- Scope Reviews -- In Place With Remediation -- PCI DSS and Risk -- Benefits of Compliance -- Case Study -- The Case of the Developing Security Program -- The Case of the Confusing Validation Requirements -- Summary -- Notes -- Chapter 4: Determining and Reducing Your PCI Scope -- The Basics of PCI DSS Scoping -- Connected-To Systems -- The "Gotchas" of PCI Scope -- Scope Reduction Tips -- Planning Your PCI Project -- Case Study -- The Case of the Leaky Data -- The Case of the Entrenched Enterprise -- Summary -- Notes -- Chapter 5: Building and Maintaining a Secure Network -- Which PCI DSS Requirements Are in This Domain? 
-- Establish NSC Configuration Standards -- Denying Traffic from Untrusted Networks and Hosts -- Restricting Connections -- Host or Network-Based Security Controls Micro-Segmentation -- Other Considerations for Requirement 1 -- The Oddball Requirement 11.5 -- Requirement 2: Defaults and Other Security Parameters -- Develop Configuration Standards -- Default Passwords -- Simple Network Management Protocol Defaults -- Delete Unnecessary Accounts -- Implement Single Purpose Servers -- Configure System Security Parameters -- Encrypt Non-Console Administrative Access -- What Else Can You Do to Be Secure? -- Tools and Best Practices -- Common Mistakes and Pitfalls -- Egress Filtering -- Documentation -- System Defaults -- Case Study -- The Case of the Small, Flat Store Network -- The Case of the Large, Flat Corporate Network -- The Case of the Do Over -- Summary -- Chapter 6: Strong Access Controls -- Which PCI DSS Requirements Are in This Domain? -- Principles of Access Control -- Confidentiality -- Integrity -- Availability -- Requirement 7: How Much Access Should a User Have? -- Databases and Requirement 7.2.6 -- Requirement 8: Authentication Basics -- Identification, Authentication, and Requirements 8.2.4-8.2.8 and 8.3.1-8.3.9 -- Locking Users Out: Requirements 8.2.8 and 8.3.4 -- Things Paired With Usernames -- Rendering Passwords Unreadable in Transit and Storage -- Password Design for PCI DSS: Requirements 8.3.5-8.3.9 and 8.3.11 -- MFA and Requirements 8.4-8.5 -- A Brief Word on System Accounts and Requirement 8.6 -- OAuth, OIDC, SSH Keys, and SSH Certs, OH MY! 
-- Educating Users -- Windows and PCI Compliance -- Windows File Access Control -- Finding Inactive Accounts in Active Directory -- Enforcing Password Requirements in Windows on Standalone Computers -- Enabling Password Protected Screen Savers on Standalone Windows Computers -- Setting File Permissions on Standalone Windows Computers -- POSIX (UNIX/Linux Systems) Access Control -- Linux Enforce Password Complexity Requirements Cisco and PCI Requirements -- Cisco Enforce Session Timeout -- Encrypt Cisco Passwords -- Setting Up SSH in a Cisco Environment -- Requirement 9: Physical Security -- Handling Visitors: Requirement 9.3 -- Media and Physical Data Entry Points: Requirements 9.4 -- Protecting the Point of Interaction: Requirement 9.5 -- What Else Can You Do to Be Secure? -- Tools and Best Practices -- Random Password for Users -- Common Mistakes and Pitfalls -- Poor Documentation -- Legacy Systems -- Cloud and PaaS -- Physical Access Monitoring -- Case Study -- The Case of the Stolen Database -- The Case of the Loose Permissions -- Summary -- Note -- Chapter 7: Protecting Cardholder Data -- What Is Data Protection and Why Is It Needed? -- The Confidentiality, Integrity, and Availability Triad -- Requirements Addressed in This Chapter -- Requirement 3: Protect Stored Account Data -- Requirement 3 Walk-Through -- Encryption Methods for Data at Rest -- File- or Folder-Level Encryption -- Full-Disk Encryption -- Database (Table-, Column-, or Field-Level) Encryption -- PCI and Key Management -- What Else Can You Do to Be Secure? 
-- Requirement 4 Walk-Through -- Transport Layer Security -- IPsec Virtual Private Networks -- Miscellaneous Card Transmission Rules -- Requirement 12 Walk-Through -- How to Become Compliant and Secure -- Step 1: Identify Business Processes With Card Data -- Step 2: Shrink the Scope -- Step 3: Identify Where Data Is Stored -- Step 4: Determine What to Do About Your Data -- Step 5: Determine Who Needs Access -- Step 6: Develop and Document Policies -- Common Mistakes and Pitfalls -- Case Study -- The Case of the Leaky Data -- The Case of the Satellite Location -- Summary -- Note -- Chapter 8: Using Wireless Networking -- What Is Wireless Network Security? -- Where Is Wireless Network Security in PCI DSS? -- Requirements 1, 11, and 12: Documentation Actual Security of Wireless Devices: Requirements 2, 4, and 9 -- Logging and Wireless Networks: Requirement 10.3.3 -- Testing for Unauthorized Wireless: Requirement 11.2 -- Quarterly Sweeps or Wireless IDS/IPS: How to Choose -- Why Do We Need Wireless Network Security? -- Other Wireless Technologies -- Tools and Best Practices -- Common Mistakes and Pitfalls -- Case Study -- The Case of the Untethered Laptop -- The Case of the Expansion Plan -- The Case of the Double Secret Wireless Network -- The Case of the Detached POS -- Summary -- Note -- Chapter 9: Vulnerability Management -- PCI DSS Requirements Covered -- Vulnerability Management in PCI -- Stages of Vulnerability Management Process -- Policy Definition -- Data Acquisition -- Prioritization -- Mitigation -- Requirement 5 Walk-Through -- What to Do to Be Secure and Compliant? -- Requirement 6 Walk-Through -- Public-Facing Web Application Protection -- Web Application Scanning (WAS) -- Web Application Firewalls (WAFs) -- Payment Pages -- Change Management -- Software Supply Chain Attacks -- Requirement 11 Walk-Through -- External Vulnerability Scanning With ASV -- What Is an ASV? 
-- Considerations When Picking an ASV -- How ASV Scanning Works -- Operationalizing ASV Scanning -- What Should You Expect From an ASV? -- Internal Vulnerability Scanning -- Penetration Testing -- Common PCI Vulnerability Management Mistakes -- Case Study -- PCI at a Retail Chain -- PCI at an E-Commerce Site -- Summary -- Chapter 10: Logging Events and Monitoring the Cardholder Data Environment -- PCI Requirements Covered -- Why Logging and Monitoring in PCI DSS? -- Logging and Monitoring in Depth -- PCI Relevance of Logs -- Logging in PCI Requirement 10 -- Monitoring Data and Log for Security Issues -- Logging and Monitoring in PCI-All Other Requirements -- PCI Dss Logging Policies and Procedures Building an Initial Baseline Manually -- Guidance for Identifying "Known Bad" Messages -- Main Workflow: Daily Log Review -- Exception Investigation and Analysis -- Validation of Log Review -- PCI Compliance Evidence Package -- Periodic Operational Task Summary -- Daily Tasks -- Tools for Logging in PCI -- Other Monitoring Tools -- Intrusion Detection and Prevention -- Integrity Monitoring -- Common Mistakes and Pitfalls -- Case Study -- The Case of the Risky Risk-Based Approach -- The Case of Tweaking to Comply -- Summary -- Chapter 11: Cloud and Virtualization -- Cloud Basics -- What Is the Cloud? -- Cloud Badness -- Cloud Changes Everything! But Does It? -- Cloud Challenges and You -- PCI Cloud Examples -- So, Can I Use Cloud Resources in PCI DSS Environments? -- Containers and Kubernetes -- More Cloud for Better Security and Compliance? -- Maintaining and Assessing PCI DSS in the Cloud -- Enter the Matrix -- Tools and Best Practices -- Summary -- Notes -- Chapter 12: Mobile -- Where Is Mobility Addressed in PCI DSS 4.0? -- What Guidance Is Available? 
-- Deploying the Technology Safely -- Case Study -- The Case of the Summer Festival -- Summary -- Chapter 13: PCI for the Small Business -- The Risks of Credit Card Acceptance -- New Business Considerations -- Your POS Is Like My POS! -- A Basic Scheme for SMB Hardening -- Case Study -- The Case of the Outsourcing Decision -- Summary -- Chapter 14: PCI DSS for the Service Provider -- The Definition of a Service Provider -- Why Do Service Providers Have More Requirements? -- Variation on a Theme, or What Service Providers Should Care About? -- Service-Provider-Specific Requirements -- Protect Account Data -- Implement Strong Access Control Measures -- Regularly Monitor and Test Networks -- Maintain an Information Security Policy -- Additional PCI DSS Requirements for Multi-Tenant Service Providers |
ctrlnum | (OCoLC)1403378343 (DE-599)BVBBV049326156 |
dewey-full | 342.440858 |
dewey-hundreds | 300 - Social sciences |
dewey-ones | 342 - Constitutional and administrative law |
dewey-raw | 342.440858 |
dewey-search | 342.440858 |
dewey-sort | 3342.440858 |
dewey-tens | 340 - Law |
discipline | Rechtswissenschaft Informatik |
discipline_str_mv | Rechtswissenschaft Informatik |
edition | fifth edition |
format | Book |
fullrecord | <?xml version="1.0" encoding="UTF-8"?><collection xmlns="http://www.loc.gov/MARC21/slim"><record><leader>10699nam a2200433zc 4500</leader><controlfield tag="001">BV049326156</controlfield><controlfield tag="003">DE-604</controlfield><controlfield tag="005">20231006 </controlfield><controlfield tag="007">t</controlfield><controlfield tag="008">230914s2023 |||| |||| 00||| eng d</controlfield><datafield tag="020" ind1=" " ind2=" "><subfield code="a">9780367570026</subfield><subfield code="c">hbk</subfield><subfield code="9">978-0-367-57002-6</subfield></datafield><datafield tag="020" ind1=" " ind2=" "><subfield code="a">9780367570033</subfield><subfield code="c">pbk</subfield><subfield code="9">9780367570033</subfield></datafield><datafield tag="035" ind1=" " ind2=" "><subfield code="a">(OCoLC)1403378343</subfield></datafield><datafield tag="035" ind1=" " ind2=" "><subfield code="a">(DE-599)BVBBV049326156</subfield></datafield><datafield tag="040" ind1=" " ind2=" "><subfield code="a">DE-604</subfield><subfield code="b">ger</subfield><subfield code="e">rda</subfield></datafield><datafield tag="041" ind1="0" ind2=" "><subfield code="a">eng</subfield></datafield><datafield tag="049" ind1=" " ind2=" "><subfield code="a">DE-N2</subfield></datafield><datafield tag="082" ind1="0" ind2=" "><subfield code="a">342.440858</subfield></datafield><datafield tag="084" ind1=" " ind2=" "><subfield code="a">ST 185</subfield><subfield code="0">(DE-625)143606:</subfield><subfield code="2">rvk</subfield></datafield><datafield tag="100" ind1="1" ind2=" "><subfield code="a">Williams, Branden R.</subfield><subfield code="4">aut</subfield></datafield><datafield tag="245" ind1="1" ind2="0"><subfield code="a">PCI Compliance</subfield><subfield code="b">Understand and Implement Effective PCI Data Security Standard Compliance</subfield><subfield code="c">Dr. Branden Williams, James K. 
Adamson</subfield></datafield><datafield tag="250" ind1=" " ind2=" "><subfield code="a">fifth edition</subfield></datafield><datafield tag="264" ind1=" " ind2="1"><subfield code="a">Boca Raton ; London ; New York</subfield><subfield code="b">CRC Press</subfield><subfield code="c">2023</subfield></datafield><datafield tag="264" ind1=" " ind2="4"><subfield code="c">©2023</subfield></datafield><datafield tag="300" ind1=" " ind2=" "><subfield code="a">xix, 314 Seiten</subfield><subfield code="b">Diagramme</subfield></datafield><datafield tag="336" ind1=" " ind2=" "><subfield code="b">txt</subfield><subfield code="2">rdacontent</subfield></datafield><datafield tag="337" ind1=" " ind2=" "><subfield code="b">n</subfield><subfield code="2">rdamedia</subfield></datafield><datafield tag="338" ind1=" " ind2=" "><subfield code="b">nc</subfield><subfield code="2">rdacarrier</subfield></datafield><datafield tag="500" ind1=" " ind2=" "><subfield code="a">Description based on publisher supplied metadata and other sources</subfield></datafield><datafield tag="505" ind1="8" ind2=" "><subfield code="a">Cover -- Half Title -- Title Page -- Copyright Page -- Contents -- Foreword -- Acknowledgments -- Authors -- Chapter 1: About PCI DSS and This Book -- Who Should Read This Book? -- How to Use the Book in Your Daily Job -- What This Book Is Not -- Organization of the Book -- Summary -- Notes -- Chapter 2: Introduction to Fraud, Identity Theft, and Related Regulatory Mandates -- Summary -- Notes -- Chapter 3: Why Is PCI Here? -- What Is PCI DSS and Who Must Comply? 
-- Electronic Card Payment Ecosystem -- Goal of PCI DSS -- Applicability of PCI DSS -- A Quick Note about Appendix A3 -- PCI DSS in Depth -- Compliance Deadlines -- Compliance and Validation -- Something New, the Customized Approach -- History of PCI DSS -- PCI Council -- QSAs -- Additional PCI SSC Qualifications -- PFIs -- PCIPs -- QIRs -- ASVs -- Quick Overview of PCI Requirements -- How Changes to PCI DSS Happen -- What's New in PCI DSS 4.0 -- Customized Approach -- Extra Guidance -- New Countermeasures -- Skimmers and Web Content -- Authenticated Vulnerability Scanning -- Inventory All the Things -- Scope Reviews -- In Place With Remediation -- PCI DSS and Risk -- Benefits of Compliance -- Case Study -- The Case of the Developing Security Program -- The Case of the Confusing Validation Requirements -- Summary -- Notes -- Chapter 4: Determining and Reducing Your PCI Scope -- The Basics of PCI DSS Scoping -- Connected-To Systems -- The "Gotchas" of PCI Scope -- Scope Reduction Tips -- Planning Your PCI Project -- Case Study -- The Case of the Leaky Data -- The Case of the Entrenched Enterprise -- Summary -- Notes -- Chapter 5: Building and Maintaining a Secure Network -- Which PCI DSS Requirements Are in This Domain? -- Establish NSC Configuration Standards -- Denying Traffic from Untrusted Networks and Hosts -- Restricting Connections -- Host or Network-Based Security Controls</subfield></datafield><datafield tag="505" ind1="8" ind2=" "><subfield code="a">Micro-Segmentation -- Other Considerations for Requirement 1 -- The Oddball Requirement 11.5 -- Requirement 2: Defaults and Other Security Parameters -- Develop Configuration Standards -- Default Passwords -- Simple Network Management Protocol Defaults -- Delete Unnecessary Accounts -- Implement Single Purpose Servers -- Configure System Security Parameters -- Encrypt Non-Console Administrative Access -- What Else Can You Do to Be Secure? 
-- Tools and Best Practices -- Common Mistakes and Pitfalls -- Egress Filtering -- Documentation -- System Defaults -- Case Study -- The Case of the Small, Flat Store Network -- The Case of the Large, Flat Corporate Network -- The Case of the Do Over -- Summary -- Chapter 6: Strong Access Controls -- Which PCI DSS Requirements Are in This Domain? -- Principles of Access Control -- Confidentiality -- Integrity -- Availability -- Requirement 7: How Much Access Should a User Have? -- Databases and Requirement 7.2.6 -- Requirement 8: Authentication Basics -- Identification, Authentication, and Requirements 8.2.4-8.2.8 and 8.3.1-8.3.9 -- Locking Users Out: Requirements 8.2.8 and 8.3.4 -- Things Paired With Usernames -- Rendering Passwords Unreadable in Transit and Storage -- Password Design for PCI DSS: Requirements 8.3.5-8.3.9 and 8.3.11 -- MFA and Requirements 8.4-8.5 -- A Brief Word on System Accounts and Requirement 8.6 -- OAuth, OIDC, SSH Keys, and SSH Certs, OH MY! -- Educating Users -- Windows and PCI Compliance -- Windows File Access Control -- Finding Inactive Accounts in Active Directory -- Enforcing Password Requirements in Windows on Standalone Computers -- Enabling Password Protected Screen Savers on Standalone Windows Computers -- Setting File Permissions on Standalone Windows Computers -- POSIX (UNIX/Linux Systems) Access Control -- Linux Enforce Password Complexity Requirements</subfield></datafield><datafield tag="505" ind1="8" ind2=" "><subfield code="a">Cisco and PCI Requirements -- Cisco Enforce Session Timeout -- Encrypt Cisco Passwords -- Setting Up SSH in a Cisco Environment -- Requirement 9: Physical Security -- Handling Visitors: Requirement 9.3 -- Media and Physical Data Entry Points: Requirements 9.4 -- Protecting the Point of Interaction: Requirement 9.5 -- What Else Can You Do to Be Secure? 
-- Tools and Best Practices -- Random Password for Users -- Common Mistakes and Pitfalls -- Poor Documentation -- Legacy Systems -- Cloud and PaaS -- Physical Access Monitoring -- Case Study -- The Case of the Stolen Database -- The Case of the Loose Permissions -- Summary -- Note -- Chapter 7: Protecting Cardholder Data -- What Is Data Protection and Why Is It Needed? -- The Confidentiality, Integrity, and Availability Triad -- Requirements Addressed in This Chapter -- Requirement 3: Protect Stored Account Data -- Requirement 3 Walk-Through -- Encryption Methods for Data at Rest -- File- or Folder-Level Encryption -- Full-Disk Encryption -- Database (Table-, Column-, or Field-Level) Encryption -- PCI and Key Management -- What Else Can You Do to Be Secure? -- Requirement 4 Walk-Through -- Transport Layer Security -- IPsec Virtual Private Networks -- Miscellaneous Card Transmission Rules -- Requirement 12 Walk-Through -- How to Become Compliant and Secure -- Step 1: Identify Business Processes With Card Data -- Step 2: Shrink the Scope -- Step 3: Identify Where Data Is Stored -- Step 4: Determine What to Do About Your Data -- Step 5: Determine Who Needs Access -- Step 6: Develop and Document Policies -- Common Mistakes and Pitfalls -- Case Study -- The Case of the Leaky Data -- The Case of the Satellite Location -- Summary -- Note -- Chapter 8: Using Wireless Networking -- What Is Wireless Network Security? -- Where Is Wireless Network Security in PCI DSS? -- Requirements 1, 11, and 12: Documentation</subfield></datafield><datafield tag="505" ind1="8" ind2=" "><subfield code="a">Actual Security of Wireless Devices: Requirements 2, 4, and 9 -- Logging and Wireless Networks: Requirement 10.3.3 -- Testing for Unauthorized Wireless: Requirement 11.2 -- Quarterly Sweeps or Wireless IDS/IPS: How to Choose -- Why Do We Need Wireless Network Security? 
-- Other Wireless Technologies -- Tools and Best Practices -- Common Mistakes and Pitfalls -- Case Study -- The Case of the Untethered Laptop -- The Case of the Expansion Plan -- The Case of the Double Secret Wireless Network -- The Case of the Detached POS -- Summary -- Note -- Chapter 9: Vulnerability Management -- PCI DSS Requirements Covered -- Vulnerability Management in PCI -- Stages of Vulnerability Management Process -- Policy Definition -- Data Acquisition -- Prioritization -- Mitigation -- Requirement 5 Walk-Through -- What to Do to Be Secure and Compliant? -- Requirement 6 Walk-Through -- Public-Facing Web Application Protection -- Web Application Scanning (WAS) -- Web Application Firewalls (WAFs) -- Payment Pages -- Change Management -- Software Supply Chain Attacks -- Requirement 11 Walk-Through -- External Vulnerability Scanning With ASV -- What Is an ASV? -- Considerations When Picking an ASV -- How ASV Scanning Works -- Operationalizing ASV Scanning -- What Should You Expect From an ASV? -- Internal Vulnerability Scanning -- Penetration Testing -- Common PCI Vulnerability Management Mistakes -- Case Study -- PCI at a Retail Chain -- PCI at an E-Commerce Site -- Summary -- Chapter 10: Logging Events and Monitoring the Cardholder Data Environment -- PCI Requirements Covered -- Why Logging and Monitoring in PCI DSS? -- Logging and Monitoring in Depth -- PCI Relevance of Logs -- Logging in PCI Requirement 10 -- Monitoring Data and Log for Security Issues -- Logging and Monitoring in PCI-All Other Requirements -- PCI DSS Logging Policies and Procedures | |
505 | 8 | |a Building an Initial Baseline Manually -- Guidance for Identifying "Known Bad" Messages -- Main Workflow: Daily Log Review -- Exception Investigation and Analysis -- Validation of Log Review -- PCI Compliance Evidence Package -- Periodic Operational Task Summary -- Daily Tasks -- Tools for Logging in PCI -- Other Monitoring Tools -- Intrusion Detection and Prevention -- Integrity Monitoring -- Common Mistakes and Pitfalls -- Case Study -- The Case of the Risky Risk-Based Approach -- The Case of Tweaking to Comply -- Summary -- Chapter 11: Cloud and Virtualization -- Cloud Basics -- What Is the Cloud? -- Cloud Badness -- Cloud Changes Everything! But Does It? -- Cloud Challenges and You -- PCI Cloud Examples -- So, Can I Use Cloud Resources in PCI DSS Environments? -- Containers and Kubernetes -- More Cloud for Better Security and Compliance? -- Maintaining and Assessing PCI DSS in the Cloud -- Enter the Matrix -- Tools and Best Practices -- Summary -- Notes -- Chapter 12: Mobile -- Where Is Mobility Addressed in PCI DSS 4.0? -- What Guidance Is Available? -- Deploying the Technology Safely -- Case Study -- The Case of the Summer Festival -- Summary -- Chapter 13: PCI for the Small Business -- The Risks of Credit Card Acceptance -- New Business Considerations -- Your POS Is Like My POS! -- A Basic Scheme for SMB Hardening -- Case Study -- The Case of the Outsourcing Decision -- Summary -- Chapter 14: PCI DSS for the Service Provider -- The Definition of a Service Provider -- Why Do Service Providers Have More Requirements? -- Variation on a Theme, or What Service Providers Should Care About? -- Service-Provider-Specific Requirements -- Protect Account Data -- Implement Strong Access Control Measures -- Regularly Monitor and Test Networks -- Maintain an Information Security Policy -- Additional PCI DSS Requirements for Multi-Tenant Service Providers | |
650 | | 4 | |a Data protection | |
700 | 1 | |a Adamson, James K. |4 aut | |
776 | 0 | 8 | |i Also published as |n Online edition |z 978-1-003-10030-0 | |
776 | 0 | 8 | |i Also published as |n Online edition |z 978-1-00-082232-8 | |
999 | | |a oai:aleph.bib-bvb.de:BVB01-034587014 | |
id | DE-604.BV049326156 |
illustrated | Not Illustrated |
index_date | 2024-07-03T22:44:18Z |
indexdate | 2024-07-10T10:01:37Z |
institution | BVB |
isbn | 9780367570026 9780367570033 |
language | English |
oai_aleph_id | oai:aleph.bib-bvb.de:BVB01-034587014 |
oclc_num | 1403378343 |
open_access_boolean | |
owner | DE-N2 |
owner_facet | DE-N2 |
physical | xix, 314 pages, diagrams |
publishDate | 2023 |
publishDateSearch | 2023 |
publishDateSort | 2023 |
publisher | CRC Press |
record_format | marc |
spelling | Williams, Branden R. aut PCI Compliance Understand and Implement Effective PCI Data Security Standard Compliance Dr. Branden Williams, James K. Adamson fifth edition Boca Raton ; London ; New York CRC Press 2023 ©2023 xix, 314 Seiten Diagramme txt rdacontent n rdamedia nc rdacarrier Description based on publisher supplied metadata and other sources Cover -- Half Title -- Title Page -- Copyright Page -- Contents -- Foreword -- Acknowledgments -- Authors -- Chapter 1: About PCI DSS and This Book -- Who Should Read This Book? -- How to Use the Book in Your Daily Job -- What This Book Is Not -- Organization of the Book -- Summary -- Notes -- Chapter 2: Introduction to Fraud, Identity Theft, and Related Regulatory Mandates -- Summary -- Notes -- Chapter 3: Why Is PCI Here? -- What Is PCI DSS and Who Must Comply? -- Electronic Card Payment Ecosystem -- Goal of PCI DSS -- Applicability of PCI DSS -- A Quick Note about Appendix A3 -- PCI DSS in Depth -- Compliance Deadlines -- Compliance and Validation -- Something New, the Customized Approach -- History of PCI DSS -- PCI Council -- QSAs -- Additional PCI SSC Qualifications -- PFIs -- PCIPs -- QIRs -- ASVs -- Quick Overview of PCI Requirements -- How Changes to PCI DSS Happen -- What's New in PCI DSS 4.0 -- Customized Approach -- Extra Guidance -- New Countermeasures -- Skimmers and Web Content -- Authenticated Vulnerability Scanning -- Inventory All the Things -- Scope Reviews -- In Place With Remediation -- PCI DSS and Risk -- Benefits of Compliance -- Case Study -- The Case of the Developing Security Program -- The Case of the Confusing Validation Requirements -- Summary -- Notes -- Chapter 4: Determining and Reducing Your PCI Scope -- The Basics of PCI DSS Scoping -- Connected-To Systems -- The "Gotchas" of PCI Scope -- Scope Reduction Tips -- Planning Your PCI Project -- Case Study -- The Case of the Leaky Data -- The Case of the Entrenched Enterprise -- Summary -- Notes -- Chapter 5: Building and 
Maintaining a Secure Network -- Which PCI DSS Requirements Are in This Domain? -- Establish NSC Configuration Standards -- Denying Traffic from Untrusted Networks and Hosts -- Restricting Connections -- Host or Network-Based Security Controls Micro-Segmentation -- Other Considerations for Requirement 1 -- The Oddball Requirement 11.5 -- Requirement 2: Defaults and Other Security Parameters -- Develop Configuration Standards -- Default Passwords -- Simple Network Management Protocol Defaults -- Delete Unnecessary Accounts -- Implement Single Purpose Servers -- Configure System Security Parameters -- Encrypt Non-Console Administrative Access -- What Else Can You Do to Be Secure? -- Tools and Best Practices -- Common Mistakes and Pitfalls -- Egress Filtering -- Documentation -- System Defaults -- Case Study -- The Case of the Small, Flat Store Network -- The Case of the Large, Flat Corporate Network -- The Case of the Do Over -- Summary -- Chapter 6: Strong Access Controls -- Which PCI DSS Requirements Are in This Domain? -- Principles of Access Control -- Confidentiality -- Integrity -- Availability -- Requirement 7: How Much Access Should a User Have? -- Databases and Requirement 7.2.6 -- Requirement 8: Authentication Basics -- Identification, Authentication, and Requirements 8.2.4-8.2.8 and 8.3.1-8.3.9 -- Locking Users Out: Requirements 8.2.8 and 8.3.4 -- Things Paired With Usernames -- Rendering Passwords Unreadable in Transit and Storage -- Password Design for PCI DSS: Requirements 8.3.5-8.3.9 and 8.3.11 -- MFA and Requirements 8.4-8.5 -- A Brief Word on System Accounts and Requirement 8.6 -- OAuth, OIDC, SSH Keys, and SSH Certs, OH MY! 
-- Educating Users -- Windows and PCI Compliance -- Windows File Access Control -- Finding Inactive Accounts in Active Directory -- Enforcing Password Requirements in Windows on Standalone Computers -- Enabling Password Protected Screen Savers on Standalone Windows Computers -- Setting File Permissions on Standalone Windows Computers -- POSIX (UNIX/Linux Systems) Access Control -- Linux Enforce Password Complexity Requirements Cisco and PCI Requirements -- Cisco Enforce Session Timeout -- Encrypt Cisco Passwords -- Setting Up SSH in a Cisco Environment -- Requirement 9: Physical Security -- Handling Visitors: Requirement 9.3 -- Media and Physical Data Entry Points: Requirements 9.4 -- Protecting the Point of Interaction: Requirement 9.5 -- What Else Can You Do to Be Secure? -- Tools and Best Practices -- Random Password for Users -- Common Mistakes and Pitfalls -- Poor Documentation -- Legacy Systems -- Cloud and PaaS -- Physical Access Monitoring -- Case Study -- The Case of the Stolen Database -- The Case of the Loose Permissions -- Summary -- Note -- Chapter 7: Protecting Cardholder Data -- What Is Data Protection and Why Is It Needed? -- The Confidentiality, Integrity, and Availability Triad -- Requirements Addressed in This Chapter -- Requirement 3: Protect Stored Account Data -- Requirement 3 Walk-Through -- Encryption Methods for Data at Rest -- File- or Folder-Level Encryption -- Full-Disk Encryption -- Database (Table-, Column-, or Field-Level) Encryption -- PCI and Key Management -- What Else Can You Do to Be Secure? 
-- Requirement 4 Walk-Through -- Transport Layer Security -- IPsec Virtual Private Networks -- Miscellaneous Card Transmission Rules -- Requirement 12 Walk-Through -- How to Become Compliant and Secure -- Step 1: Identify Business Processes With Card Data -- Step 2: Shrink the Scope -- Step 3: Identify Where Data Is Stored -- Step 4: Determine What to Do About Your Data -- Step 5: Determine Who Needs Access -- Step 6: Develop and Document Policies -- Common Mistakes and Pitfalls -- Case Study -- The Case of the Leaky Data -- The Case of the Satellite Location -- Summary -- Note -- Chapter 8: Using Wireless Networking -- What Is Wireless Network Security? -- Where Is Wireless Network Security in PCI DSS? -- Requirements 1, 11, and 12: Documentation Actual Security of Wireless Devices: Requirements 2, 4, and 9 -- Logging and Wireless Networks: Requirement 10.3.3 -- Testing for Unauthorized Wireless: Requirement 11.2 -- Quarterly Sweeps or Wireless IDS/IPS: How to Choose -- Why Do We Need Wireless Network Security? -- Other Wireless Technologies -- Tools and Best Practices -- Common Mistakes and Pitfalls -- Case Study -- The Case of the Untethered Laptop -- The Case of the Expansion Plan -- The Case of the Double Secret Wireless Network -- The Case of the Detached POS -- Summary -- Note -- Chapter 9: Vulnerability Management -- PCI DSS Requirements Covered -- Vulnerability Management in PCI -- Stages of Vulnerability Management Process -- Policy Definition -- Data Acquisition -- Prioritization -- Mitigation -- Requirement 5 Walk-Through -- What to Do to Be Secure and Compliant? -- Requirement 6 Walk-Through -- Public-Facing Web Application Protection -- Web Application Scanning (WAS) -- Web Application Firewalls (WAFs) -- Payment Pages -- Change Management -- Software Supply Chain Attacks -- Requirement 11 Walk-Through -- External Vulnerability Scanning With ASV -- What Is an ASV? 
-- Considerations When Picking an ASV -- How ASV Scanning Works -- Operationalizing ASV Scanning -- What Should You Expect From an ASV? -- Internal Vulnerability Scanning -- Penetration Testing -- Common PCI Vulnerability Management Mistakes -- Case Study -- PCI at a Retail Chain -- PCI at an E-Commerce Site -- Summary -- Chapter 10: Logging Events and Monitoring the Cardholder Data Environment -- PCI Requirements Covered -- Why Logging and Monitoring in PCI DSS? -- Logging and Monitoring in Depth -- PCI Relevance of Logs -- Logging in PCI Requirement 10 -- Monitoring Data and Log for Security Issues -- Logging and Monitoring in PCI-All Other Requirements -- PCI Dss Logging Policies and Procedures Building an Initial Baseline Manually -- Guidance for Identifying "Known Bad" Messages -- Main Workflow: Daily Log Review -- Exception Investigation and Analysis -- Validation of Log Review -- PCI Compliance Evidence Package -- Periodic Operational Task Summary -- Daily Tasks -- Tools for Logging in PCI -- Other Monitoring Tools -- Intrusion Detection and Prevention -- Integrity Monitoring -- Common Mistakes and Pitfalls -- Case Study -- The Case of the Risky Risk-Based Approach -- The Case of Tweaking to Comply -- Summary -- Chapter 11: Cloud and Virtualization -- Cloud Basics -- What Is the Cloud? -- Cloud Badness -- Cloud Changes Everything! But Does It? -- Cloud Challenges and You -- PCI Cloud Examples -- So, Can I Use Cloud Resources in PCI DSS Environments? -- Containers and Kubernetes -- More Cloud for Better Security and Compliance? -- Maintaining and Assessing PCI DSS in the Cloud -- Enter the Matrix -- Tools and Best Practices -- Summary -- Notes -- Chapter 12: Mobile -- Where Is Mobility Addressed in PCI DSS 4.0? -- What Guidance Is Available? 
-- Deploying the Technology Safely -- Case Study -- The Case of the Summer Festival -- Summary -- Chapter 13: PCI for the Small Business -- The Risks of Credit Card Acceptance -- New Business Considerations -- Your POS Is Like My POS! -- A Basic Scheme for SMB Hardening -- Case Study -- The Case of the Outsourcing Decision -- Summary -- Chapter 14: PCI DSS for the Service Provider -- The Definition of a Service Provider -- Why Do Service Providers Have More Requirements? -- Variation on a Theme, or What Service Providers Should Care About? -- Service-Provider-Specific Requirements -- Protect Account Data -- Implement Strong Access Control Measures -- Regularly Monitor and Test Networks -- Maintain an Information Security Policy -- Additional PCI DSS Requirements for Multi-Tenant Service Providers Data protection Adamson, James K. aut Erscheint auch als Online-Ausgabe 978-1-003-10030-0 Erscheint auch als Online-Ausgabe 978-1-00-082232-8 |
title | PCI Compliance Understand and Implement Effective PCI Data Security Standard Compliance |
title_auth | PCI Compliance Understand and Implement Effective PCI Data Security Standard Compliance |
title_exact_search | PCI Compliance Understand and Implement Effective PCI Data Security Standard Compliance |
title_exact_search_txtP | PCI Compliance Understand and Implement Effective PCI Data Security Standard Compliance |
title_full | PCI Compliance Understand and Implement Effective PCI Data Security Standard Compliance Dr. Branden Williams, James K. Adamson |
title_fullStr | PCI Compliance Understand and Implement Effective PCI Data Security Standard Compliance Dr. Branden Williams, James K. Adamson |
title_full_unstemmed | PCI Compliance Understand and Implement Effective PCI Data Security Standard Compliance Dr. Branden Williams, James K. Adamson |
title_short | PCI Compliance |
title_sort | pci compliance understand and implement effective pci data security standard compliance |
title_sub | Understand and Implement Effective PCI Data Security Standard Compliance |
topic | Data protection |
topic_facet | Data protection |
work_keys_str_mv | AT williamsbrandenr pcicomplianceunderstandandimplementeffectivepcidatasecuritystandardcompliance AT adamsonjamesk pcicomplianceunderstandandimplementeffectivepcidatasecuritystandardcompliance |