Customer Reviews

PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance

5 star:		(6)
4 star:		(3)
3 star:		(0)
2 star:		(1)
1 star:		(1)

 

 

When I first received this book from Syngress I was very excited. I knew nothing about PCI compliance -- other than it was big ticket item and everyone processing Visa transactions was affected in some way because of it. I can honestly say that I tore through this book and didn't put it down until I reached chapter 13. I was completely wrapped up in it as it was something I knew nothing about and wanted to know more!

Chapters 1 through 3 introduce you to the concepts behind PCI compliance including what it is and who needs to comply. These chapters really set the stage for what the rest of the book has to offer the reader.

Chapter 4 provides a technology overview of firewalls, intrusion systems, antivirus solutions, and common system default settings. Personally I felt that Chapter 4 was filler content just to add a chapter. It may, however, serve as a good reference for those in management roles who do not have "hands-on" interaction with the architecture of their environment.

Chapter 5 explains how to go about protecting your cardholder data as dictated by PCI requirements 3 & 4. This is a great chapter for anyone new to securing infrastructure to meet the requirements of a PCI audit. The authors also provide a fantastic section entitled "The Absolute Essentials" which offers suggestions on the minimum protection you can employ to protect your cardholder data.

Chapter 6 was by far my most favorite chapter and Syngress has offered it as a free download from their website. Many of you know what I do for a living and know how important understanding logging and requirements for logging is for my day-to-day duties. This chapter focuses around PCI Requirement 10 which details how you must handle the log data collected in your PCI environment. As soon as I started reading this chapter I knew that Dr. Anton Chuvakin had written this section of the book, or at least had a heavy insight into its direction. This chapter alone makes the book worth its weight in gold.

Chapter 7 details the importance of access control in your PCI environment. For obvious reasons, access to your cardholder data must be recorded and checked with a fine tooth comb. User privileges, authentication, authorization, and user education is also covered in this chapter. This chapter goes further to provide examples of ensuring your Windows, Unix/Linux, and Cisco infrastructure meet PCI requirements.

Chapter 8 explains how to leverage vulnerability management solutions to meet the requirements outlined in sections 5, 6, and 11 of the PCI requirement. The authors also provide two very good case studies to help the reader put things into perspective.

Chapter 9 focusses on the monitoring and testing of your environment. The authors are quick to point out that monitoring and testing must continue even after the audit in order to ensure you remain compliant.

Chapter 10 details how to drive your PCI project from the business side in order to ensure you accomplish your objectives. Suggestions are provided on budgeting time and resources, keeping staff in the loop, and justifying the business case to your executive team. The authors also offer a step-by-step "checklist" for ensuring your project runs smoothly and that all of your bases are covered.

Chapter 11 explains the various responsibilities within the organization for ensuring the PCI project succeeds. One of the key things to take away from this chapter is the role of the Incident Response team and its need to understand the requirements of PCI compliance.

Chapter 12 is a really good "eye-opener" that prepares you for the failure of your first audit. The key thing to take away from this is chapter is to not blame the auditor the same way you shouldn't blame a referee in sports. They're simply there to do their job to the best of their ability. If you have a problem with the way they are doing their job, bring it up with their superior. Perhaps their decision will get overturned?

Chapter 13 brings you into a "OK, now what?" phase. This chapter provides a detailed overview of the various requirements and breaks each requirement into "Policy Checks" and "Hands-on Assessments" sections. The policy checks discuss policies that should be reviewed to verify that they are up-to-date and the hands-on assessments sections give ideas on testing these policies. The beauty part is that the authors suggest open source solutions to help you protect your PCI compliant investment.

I give this book 5 stars as it is the best PCI reference I have found on the market. Everything I found in this book will allow me to understand the compliance requirements of my existing customers, their process, and their overall goals. Hats off to the entire team of authors.

It has long been rumored that manufacturers of items such as razors and batteries specifically produce their products an inferior level in order to ensure repeat business. A similar paradox is occurring in the information security space where many are complaining that the PCI Data Security Standard (PCI DSS) is too complex and costly. What is most troubling is that such opinions are being written in periodicals and by people that should know better.

PCI came to life when Visa, MasterCard, American Express, Diner's Club, Discover, and JCB collaborated to create a new set of standards to deal with credit card fraud. PCI requires that all merchants and service providers that handle, transmit, store or process information concerning any of these cards, or related card data, be required to be compliant with the PCI DSS. If they are not compliant, they can face monetary penalties and/or have their card processing privileges terminated by the credit card issuers.

The primary purpose of PCI is to force organizations to embrace common security controls to protect credit card data and reduce fraud and theft. The following are the six primary control areas and 12 specific requirements of the PCI DSS:
Build and maintain a secure network
1. Install and maintain firewall configurations
2. Do not use vendor-supplied or default passwords

Protect cardholder data
3. Protect stored data
4. Encrypt transmissions of cardholder data across public networks

Maintain a vulnerability management program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications


Implement Strong Access Control Measures
7. Restrict access to need-to-know
8. Assign unique IDs to each person with computer access
9. Restrict physical access to cardholder data

Regularly monitor and test networks
10. Monitor and track all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an information security policy
12. Maintain a policy that addresses information security

A quick review of these 12 items shows that PCI is a textbook example of the fundamentals of information security. With that, PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance is an excellent resource that provides the reader with all of the fundamental information needed to understand and implement PCI DSS.

The books 13 chapters provide the reader with a comprehensive overview of all of the details and requirements of PCI. The first three chapters provide an overview of the basics about PCI and the basic requirements of the standard. The following six chapters go into detail about each of the primary control areas.

In particular, chapter 6 provides a good overview of the PCI logging requirements. This requirement can be time-consuming to put into place. The author notes that a commonly overlooked but essential requirement, namely that of accurate and synchronized time on network devices. Enterprise information network and security infrastructure devices are highly dependent on synchronized time and PCI recognizes that correct time is critical for transactions across a network.

In a further discussion about synchronized time in chapter 9, the author unfortunately makes an error when he states that local hardware is considered a stratum 1 time source since it gets its time from its own CMOS. From an NTP perspective, only a device that is directly linked to a stratum-0 device is called a stratum-1. CMOS clocks are notoriously inaccurate and can't be relied upon.

The title of chapter 12 is both amusing and accurate `Planning to fail your first Audit'. The irony is that so many organizations lack a CISO or formal business security program in place designed to protect corporate information assets. They don't focus on information security as a process, rather as a set of products or regulatory items to be checked-off. Yet, these same organizations are surprised when they fail an audit.

The book concludes in chapter 13 with the well-known observation that security is a process, not an event. The book astutely notes that it is impossible to be PCI compliant without approaching security as a process. Trying to achieve compliance without integrating the various aspects in an integrated fashion is bound to fail.

Overall, PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance is a great book for one of the most sensible security standards ever. Anyone who has PCI responsibilities or wants to gain a quick understanding of the PCI DSS requirements will find the book to be quite valuable.

I read a lot of books in an attempt to grasp PCI compliance. This is my favorite PCI book and I refer to it frequently.

One of the things I noticed about other books is they, in my opinion, went into way too much detail on some of the basics, and tended to glaze over the more complicated parts.

What I enjoy so much about this book is that it covers basics in enough detail that even a beginner can understand, and it is also answers in detail the hard questions that other books left me confused.

With this book I gained at least twice as good an understanding of PCI than after reading all of those other books. If you want to understand PCI-DSS, this book is a great way to do so.

I bought this book a year ago, shortly after it came out and I am just now getting around to reviewing it although I have been benefiting from its guidance for the past year as I go through another PCI implementation.

This is an excellent book. One of my best tech book buys in quite some time. It answered some questions I had been wondering about for a few years as I have gone through PCI implementations just using my sysadmin security experience and common sense plus the PCI DSS requirements themselves. It covers each of the 12 PCI DSS requirements (each of which has on average another 12 sub-requirements, don't let anyone tell you that "PCI is easy, just 12 things!") in order and gives examples and shows you how they apply.

This book does not cover PCI DSS 1.2 but the differences are quite small so don't let that worry you. Everything in the book is still correct, it just doesn't address virtualization which was the major thing added in 1.2.

I have even corresponded with one of the authors, Anton Chuvakin, a couple of times and he has always been friendly and helpful. I listen to his security podcast also.

If you have a need to learn about PCI DSS I strongly recommend this book as it is the best.

This book serves as a great introduction to PCI compliance - later chapters step through the high points of what's required to be compliant, and, while useful, may be a bit simplistic for an experienced IT person....I thought the first few chapters were even more valuable, providing background on what PCI is, how it came to be, and also giving perspective on commonly used terms, required levels of certification, and other pieces of information that would have been quite difficult for me to pull together on my own. Worth the money!

I've read Branden Williams blog on Information Security and PCI Compliance in the past and found it to be valuable.
Now I would say his coauthored book is an excellent read for anyone who would like to understand what PCI is and how to best implement information security procedures to adhere to PCI.

If you have to comply with PCI in your business or work in a company dealing with companies who have to comply then this book is a must read.

This book is a true guide to carrying out a project of PCI DSS compliance. Useful references, case studies and tips to avoid common mistakes. The chapter of myths is really fantastic. It's clearly a highly recommended book for professionals who must work in relation to the PCI standard. Congratulations!

[[ASIN:1597494992 PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance

It definitely helped me to understand the PCI Compliance.The subject is new to me. The book has everything that you need to know. But it will not happen at one time if you do not have any idea. Once you read it and go over it than gradually you start understanding it. I would recommend it.

Definitely a mix-up on Amazon's part--you see another reviewer here state that "this" book is a huge improvement on the 1st edition. However, this book (with the orange and white cover) IS the first edition, published in 2007. The 2nd edition, with the black cover, was published in 2009--and shows the exact same set of reviews. "Let the buyer beware."

(Full disclosure - I received a free copy of this book in return for a promise to review it here. That said, I didn't have any particular reason or incentive to be generous or positive if I was disappointed in the book.)
I read and reviewed the first edition of this book, somewhat negatively - I felt that it didn't include much practical advice and that you'd be better off just reading the PCI DSS itself. Well, apparently the author either read my review or heard similar criticism - with this second edition of the book, a lot of new, useful material has been added. Most significant to me were the case studies - I'm pretty sure that the case studies presented throughout the book were real examples with names changed to protect the innocent. This real-world perspective is hugely useful to somebody who's battling with the ambiguity of the PCI specification itself.
My only real complaint was the index. At the moment, my organization is dealing with CVV codes and tokenization. I turned to the index to see what this book had to say about each topic, but although neither appeared in the index, I found references to both in the text. The index is just 5 pages long - which strikes me as a bit light for a 340-page technical book. Hopefully the publisher can address this with the third edition.
All in all, this book is a significant improvement over the first edition, and I found it genuinely helpful in planning out a PCI compliance roadmap. The writing style is a bit more conversational than the first edition as well - although sometimes in a good way, sometimes in a bad way. For instance, whenever one of the two authors wants to relate a personal anecdote (most of which were very useful and very welcome), they avoid using first person and say something like, "one of the authors found that... he then tried to... he further discovered that...". This style is mostly just distracting - first person would have been just fine in this case.
Other than that, I'd definitely recommend this book to anybody who's trying to pick through the minefield of PCI compliance - this book includes a lot of helpful advice on what to focus on and what you might not need to worry as much about as you might have thought.