30 of 30 people found the following review helpful:
5.0 out of 5 stars
Book Review: PCI Compliance: Implementing Effective PCI Data Security Standards, August 22, 2007
When I first received this book from Syngress I was very excited. I knew nothing about PCI compliance -- other than it was big ticket item and everyone processing Visa transactions was affected in some way because of it. I can honestly say that I tore through this book and didn't put it down until I reached chapter 13. I was completely wrapped up in it as it was something I knew nothing about and wanted to know more!
Chapters 1 through 3 introduce you to the concepts behind PCI compliance including what it is and who needs to comply. These chapters really set the stage for what the rest of the book has to offer the reader.
Chapter 4 provides a technology overview of firewalls, intrusion systems, antivirus solutions, and common system default settings. Personally I felt that Chapter 4 was filler content just to add a chapter. It may, however, serve as a good reference for those in management roles who do not have "hands-on" interaction with the architecture of their environment.
Chapter 5 explains how to go about protecting your cardholder data as dictated by PCI requirements 3 & 4. This is a great chapter for anyone new to securing infrastructure to meet the requirements of a PCI audit. The authors also provide a fantastic section entitled "The Absolute Essentials" which offers suggestions on the minimum protection you can employ to protect your cardholder data.
Chapter 6 was by far my most favorite chapter and Syngress has offered it as a free download from their website. Many of you know what I do for a living and know how important understanding logging and requirements for logging is for my day-to-day duties. This chapter focuses around PCI Requirement 10 which details how you must handle the log data collected in your PCI environment. As soon as I started reading this chapter I knew that Dr. Anton Chuvakin had written this section of the book, or at least had a heavy insight into its direction. This chapter alone makes the book worth its weight in gold.
Chapter 7 details the importance of access control in your PCI environment. For obvious reasons, access to your cardholder data must be recorded and checked with a fine tooth comb. User privileges, authentication, authorization, and user education is also covered in this chapter. This chapter goes further to provide examples of ensuring your Windows, Unix/Linux, and Cisco infrastructure meet PCI requirements.
Chapter 8 explains how to leverage vulnerability management solutions to meet the requirements outlined in sections 5, 6, and 11 of the PCI requirement. The authors also provide two very good case studies to help the reader put things into perspective.
Chapter 9 focusses on the monitoring and testing of your environment. The authors are quick to point out that monitoring and testing must continue even after the audit in order to ensure you remain compliant.
Chapter 10 details how to drive your PCI project from the business side in order to ensure you accomplish your objectives. Suggestions are provided on budgeting time and resources, keeping staff in the loop, and justifying the business case to your executive team. The authors also offer a step-by-step "checklist" for ensuring your project runs smoothly and that all of your bases are covered.
Chapter 11 explains the various responsibilities within the organization for ensuring the PCI project succeeds. One of the key things to take away from this chapter is the role of the Incident Response team and its need to understand the requirements of PCI compliance.
Chapter 12 is a really good "eye-opener" that prepares you for the failure of your first audit. The key thing to take away from this is chapter is to not blame the auditor the same way you shouldn't blame a referee in sports. They're simply there to do their job to the best of their ability. If you have a problem with the way they are doing their job, bring it up with their superior. Perhaps their decision will get overturned?
Chapter 13 brings you into a "OK, now what?" phase. This chapter provides a detailed overview of the various requirements and breaks each requirement into "Policy Checks" and "Hands-on Assessments" sections. The policy checks discuss policies that should be reviewed to verify that they are up-to-date and the hands-on assessments sections give ideas on testing these policies. The beauty part is that the authors suggest open source solutions to help you protect your PCI compliant investment.
I give this book 5 stars as it is the best PCI reference I have found on the market. Everything I found in this book will allow me to understand the compliance requirements of my existing customers, their process, and their overall goals. Hats off to the entire team of authors.
Help other customers find the most helpful reviews
Was this review helpful to you? Yes
No
10 of 11 people found the following review helpful:
5.0 out of 5 stars
Great book for one of the most sensible security standards ever, August 27, 2007
It has long been rumored that manufacturers of items such as razors and batteries specifically produce their products an inferior level in order to ensure repeat business. A similar paradox is occurring in the information security space where many are complaining that the PCI Data Security Standard (PCI DSS) is too complex and costly. What is most troubling is that such opinions are being written in periodicals and by people that should know better.
PCI came to life when Visa, MasterCard, American Express, Diner's Club, Discover, and JCB collaborated to create a new set of standards to deal with credit card fraud. PCI requires that all merchants and service providers that handle, transmit, store or process information concerning any of these cards, or related card data, be required to be compliant with the PCI DSS. If they are not compliant, they can face monetary penalties and/or have their card processing privileges terminated by the credit card issuers.
The primary purpose of PCI is to force organizations to embrace common security controls to protect credit card data and reduce fraud and theft. The following are the six primary control areas and 12 specific requirements of the PCI DSS:
Build and maintain a secure network
1. Install and maintain firewall configurations
2. Do not use vendor-supplied or default passwords
Protect cardholder data
3. Protect stored data
4. Encrypt transmissions of cardholder data across public networks
Maintain a vulnerability management program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to need-to-know
8. Assign unique IDs to each person with computer access
9. Restrict physical access to cardholder data
Regularly monitor and test networks
10. Monitor and track all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an information security policy
12. Maintain a policy that addresses information security
A quick review of these 12 items shows that PCI is a textbook example of the fundamentals of information security. With that, PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance is an excellent resource that provides the reader with all of the fundamental information needed to understand and implement PCI DSS.
The books 13 chapters provide the reader with a comprehensive overview of all of the details and requirements of PCI. The first three chapters provide an overview of the basics about PCI and the basic requirements of the standard. The following six chapters go into detail about each of the primary control areas.
In particular, chapter 6 provides a good overview of the PCI logging requirements. This requirement can be time-consuming to put into place. The author notes that a commonly overlooked but essential requirement, namely that of accurate and synchronized time on network devices. Enterprise information network and security infrastructure devices are highly dependent on synchronized time and PCI recognizes that correct time is critical for transactions across a network.
In a further discussion about synchronized time in chapter 9, the author unfortunately makes an error when he states that local hardware is considered a stratum 1 time source since it gets its time from its own CMOS. From an NTP perspective, only a device that is directly linked to a stratum-0 device is called a stratum-1. CMOS clocks are notoriously inaccurate and can't be relied upon.
The title of chapter 12 is both amusing and accurate `Planning to fail your first Audit'. The irony is that so many organizations lack a CISO or formal business security program in place designed to protect corporate information assets. They don't focus on information security as a process, rather as a set of products or regulatory items to be checked-off. Yet, these same organizations are surprised when they fail an audit.
The book concludes in chapter 13 with the well-known observation that security is a process, not an event. The book astutely notes that it is impossible to be PCI compliant without approaching security as a process. Trying to achieve compliance without integrating the various aspects in an integrated fashion is bound to fail.
Overall, PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance is a great book for one of the most sensible security standards ever. Anyone who has PCI responsibilities or wants to gain a quick understanding of the PCI DSS requirements will find the book to be quite valuable.
Help other customers find the most helpful reviews
Was this review helpful to you? Yes
No
5 of 5 people found the following review helpful:
5.0 out of 5 stars
The best way to come up to speed on PCI-DSS requirements, August 2, 2010
I read a lot of books in an attempt to grasp PCI compliance. This is my favorite PCI book and I refer to it frequently.
One of the things I noticed about other books is they, in my opinion, went into way too much detail on some of the basics, and tended to glaze over the more complicated parts.
What I enjoy so much about this book is that it covers basics in enough detail that even a beginner can understand, and it is also answers in detail the hard questions that other books left me confused.
With this book I gained at least twice as good an understanding of PCI than after reading all of those other books. If you want to understand PCI-DSS, this book is a great way to do so.
Help other customers find the most helpful reviews
Was this review helpful to you? Yes
No
![[Start the discussion]](http://g-ecx.images-amazon.com/images/G/01/x-locale/communities/discussion_boards/start-new-discussion-sec._V192250339_.gif){kind=small}
