Understand and Implement Effective PCI Data Security Standard Compliance
4th edition, updated for PCI DSS 3.0 (see the PCI DSS v3.2 note below)
“I have this book in my office, highlighted, bookmarked, and within easy reach over the next few years as conflicts between business requirements and PCI compliance arise.” Dan Glass, Senior Manager Information Systems Security, American Airlines.
“Take the time to have some fun, initially read cover to cover, and then come back, as this is a solid reference as you mature your own organization in the never-ending battle of protecting global credit card commerce.” John Graham, Vice President Global Information Assurance and Risk, First Data.
“Finally we have a solid and comprehensive reference for PCI. This book explains in great detail not only how to apply PCI in a practical and cost-effective way, but more importantly why.” Joel Weise, Information Systems Security Association (ISSA) founder and chairman of the ISSA Journal Editorial Advisory Board.
PCI DSS v3.2:
What This Book is About:
If you are like most information technology and information security professionals, the idea of becoming compliant with PCI DSS or countless other regulations does not sound like much fun. It is much more common to associate compliance efforts with the other extreme, and that is PAIN. Whether it is the pain of not knowing what to do, the pain of failing your first assessment or the pain of complying on a $0 budget, there are plenty of challenges that have earned compliance, and PCI DSS compliance in particular, its mental connection with pain.
Thus the author team faces a seemingly impossible challenge: to write a fun, useful and insightful book about PCI DSS. We realize all the difficulties of achieving this, and we are committed to the challenge. We’d like to invite you, our reader, to travel with us, in the hope that when you turn the last page you will realize that PCI DSS compliance can indeed be (YES) fun!
How to Use the Book in Your Daily Job:
You can use the book during the entire lifecycle from complete PCI unawareness to ultimate security and compliance enlightenment. Specifically, you can use it to:
- Learn what PCI DSS is and why it is here to stay
- Figure out how it applies to you and your organization
- Learn what to do about each of the 12 main requirements to get compliant
- Gain knowledge about dealing with PCI assessors and how to make your compliance validation as painless as possible
- Learn how to plan and manage a PCI DSS compliance project
- Understand all the technologies referenced by PCI DSS
- Understand what Visa and MasterCard really want from you
- Get the best experience out of what can be seen as a painful assessment process
- Build your plans even if you are a small business
Book materials (To be updated with 4e materials!):
- View Table of Contents for “PCI Compliance”, 3rd edition
- Download free sample chapter Chapter 3 “Why is PCI Here?”[PDF]
- Read another chapter excerpt (from Chapter 12 “The Art of Compensating Control” by Branden Williams) in “CSO Magazine”
- Book errata page (will be added as errors are reported [hopefully, not many])
- Ask the authors: email
“PCI Compliance” book reviews:
Useful PCI DSS materials:
- Sample PCI DSS Security Policy – Acceptable Use Policy [PDF], provided by CSRSI, developers of the PCI ToolKit®
- Sample PCI DSS Security Policy – Incident Response Policy [PDF], provided by CSRSI, developers of the PCI ToolKit®
Papers by the authors on PCI DSS:
- “Data Flows Made Easy”[PDF] by Branden Williams
- “The Seven Deadly Sins of a QSA”[PDF] by Branden Williams
- “Herding Cats, Practical Security Tips for a Wacky World”[PDF] by Branden Williams, ISSA Journal (Monthly Column)
- “The Art of the Compensating Control”[PDF] by Branden Williams
- “How Tokenization and Encryption can enable PCI DSS compliance,” [non-free PDF] Information Security Technical Report (ISTR2187), Elsevier (February 2011), by Branden Williams
- “Security First or Compliance First?” by Anton Chuvakin
- “How to Stay Compliant? or Ongoing Tasks in PCI DSS” by Anton Chuvakin
- “REAL PCI Compliance Percentages?” by Anton Chuvakin
- “More on PCI DSS and Logging” by Anton Chuvakin
- “PCI DSS logging: A must for compliance” (part 1) by Anton Chuvakin
- “Practical priorities in PCI DSS logging” (part 2) by Anton Chuvakin
- “Shut up and Log!” by Anton Chuvakin
- All blog posts about PCI DSS from Anton Chuvakin’s blog
- All blog posts about PCI DSS from Branden Williams’s blog
Presentations by the authors on PCI DSS:
- “The Mistakes QSAs Make” by Branden Williams
- “PCI DSS Prioritized Webcast Presentation” by Anton Chuvakin
- “PCI DSS: Myths, Mistakes, Misconceptions 2009” by Anton Chuvakin
- “The Need for PCI” by Branden Williams
- “PCI: The Real Deal” by Branden Williams
- “PCI 2010: Trends and Technologies” by Anton Chuvakin (registration required) or get slides here
- “PCI DSS Myths: Fiction and Reality” by Anton Chuvakin (registration required) or get slides here
- “PCI DSS as a Security Framework: Good, Bad or Maybe Ugly” by Anton Chuvakin (registration required)
PCI DSS Videos:
This section contains videos of exciting PCI DSS compliance discussions – with the PCI book authors playing a role:
- Tips to Get Ahead of PCI Compliance, RSA Conference 2013.
- Security and Compliance in a Virtualized World, EMC World 2012.
- ShmooCon 2010 Conference Panel “An Existential Threat To Security As We Know It?” (direct video link [FLV])
- Security BSides San Francisco Panel “The Great Compliance Debate: No Child Left Behind or The Polio Vaccine” (part 1, part 2)
- RSA 2010 Quick Clip “If you’re going for PCI compliance, just shut up and log” (video)
PCI DSS tips:
- Anton’s PCI DSS Tip #1: Passwords
- Anton’s PCI DSS Tip #2: Prohibited Data Storage
- Anton’s PCI DSS Tip #3: Vulnerability Management
- Brando’s PCI Requirements Review: Sampling
- Brando’s Guide to Making a Mobile App Comply with PCI DSS
- Brando’s PCI Requirements Review: Patching & IPS
- Brando’s Proclamation on the Death of PCI Assessments
Meet the authors:
- Check each author’s website for upcoming talks, but expect to see them at RSA Conference, BlackHat, SOURCE, and lots of local events
- Podcasts on PCI by Anton: linked from here
- More PCI DSS podcasts, including “Great PCI Debate of 2010” are linked from here.
- Brando’s Flight Blog!