436_XSS_FM.qxd 4/20/07 1:18 PM Page ii
www.syngress.com

Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our customers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site.

SOLUTIONS WEB SITE
To register your book, visit www.syngress.com/solutions. Once registered, you can access our solutions@syngress.com Web pages. There you may find an assortment of value-added features such as free e-books related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s).

ULTIMATE CDs
Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few.

DOWNLOADABLE E-BOOKS
For readers who can’t wait for hard copy, we offer most of our titles in downloadable Adobe PDF form. These e-books are often available weeks before hard copies, and are priced affordably.

SYNGRESS OUTLET
Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings.

SITE LICENSING
Syngress has a well-established program for site licensing our e-books onto servers in corporations, educational institutions, and large organizations. Contact us at sales@syngress.com for more information.

CUSTOM PUBLISHING
Many organizations welcome the ability to combine parts of multiple Syngress books, as well as their own content, into a single volume for their own internal use. Contact us at sales@syngress.com for more information.
Visit us at
439_PCI_FM.qxd 6/4/07 4:00 PM Page i

Tony Bradley, Technical Editor
James D. Burton Jr.
Dr. Anton Chuvakin
Anatoly Elberg
Brian Freedman
David King
Scott Paladino
Paul Shcooping

Implementing Effective PCI Data Security Standards

Elsevier, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Elsevier, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Elsevier, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY SERIAL NUMBER
001 HJIRTCV764
002 PO9873D5FG
003 829KM8NJH2
004 BAL923457U
005 CVPLQ6WQ23
006 VBP965T5T5
007 HJJJ863WD3E
008 2987GVTWMK
009 629MP5SDJT
010 IMWQ295T6T

PUBLISHED BY
Syngress Publishing, Inc.
Elsevier, Inc.
30 Corporate Drive
Burlington, MA 01803

PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance
Copyright © 2007 by Elsevier, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN-13: 978-1-59749-165-5

Publisher: Amorette Pedersen
Page Layout and Art: Patricia Lupien
Acquisitions Editor: Andrew Williams
Copy Editor: Judy Eby
Technical Editor: Tony Bradley
Indexer: Odessa&Cie
Cover Designer: Michael Kavish

For information on rights, translations, and bulk sales, contact Matt Pedersen, Commercial Sales Director and Rights, at Syngress Publishing; email m.pedersen@elsevier.com.

Technical Editor

Tony Bradley (CISSP-ISSAP) is the Guide for the Internet/Network Security site on About.com, a part of The New York Times Company. He has written for a variety of other Web sites and publications, including BizTech Magazine, PC World, SearchSecurity.com, WindowsNetworking.com, Smart Computing magazine, and Information Security magazine. Currently a Security Consultant with BT INS in Houston, TX, Tony performs a wide range of information security tasks and functions. Tony has driven security policies and technologies for antivirus and incident response for Fortune 500 companies, and he has been a network administrator and technical support for smaller companies. Tony is a CISSP (Certified Information Systems Security Professional) and ISSAP (Information Systems Security Architecture Professional).
He is Microsoft Certified as an MCSE (Microsoft Certified Systems Engineer) and MCSA (Microsoft Certified Systems Administrator) in Windows 2000 and an MCP (Microsoft Certified Professional) in Windows NT. Tony is recognized by Microsoft as an MVP (Most Valuable Professional) in Windows security. On his About.com site, Tony has on average over 600,000 page views per month and over 30,000 subscribers to his weekly newsletter. He created a 10-part Computer Security 101 Class that has had thousands of participants since its creation and continues to gain popularity through word of mouth. In addition to his Web site and magazine contributions, Tony was also author of Essential Computer Security: Everyone’s Guide to E-mail, Internet, and Wireless Security (ISBN: 1597491144), coauthor of Hacker’s Challenge 3 (ISBN: 0072263040) and a contributing author to Winternals: Defragmentation, Recovery, and Administration Field Guide (ISBN: 1597490792), Combating Spyware in the Enterprise (ISBN: 1597490644), Syngress Force 2006 Emerging Threat Analysis: From Mischief to Malicious (ISBN: 1597490563), and Botnets: The Killer Web Applications (ISBN: 1597491357).

Acknowledgements

Taking a book from a concept and a vision to a finished, hard copy product is not an easy task. I want to thank Amy Pedersen of Syngress for staying on top of myself and the rest of the writers to keep the project on track. Amy had to put in some extra effort to juggle and replace authors as the project progressed, and her efforts are greatly appreciated. I also want to thank all of the contributing authors. Everyone has day jobs and personal lives, and making a commitment to contribute to a book is often a challenge.

Dedication

This work is dedicated to my family. My wife Nicki, and my children Jordan, Dalton, Paige, Teegan, Ethan, Noah and Addison, as well as my in-laws have always been very proud and supportive of my efforts. Without their backing, I would not have the successes that I have had.

Contributors

James D. Burton Jr., CISSP, CISA, CISM, GSNA, is a Sr. I.T. Security Professional with over 12 years in the field. He is a well-known subject matter expert in the areas of IT security, information assurance and IT audit, and has worked as a consultant, trainer, and an adjunct professor. He has worked on projects or trained for major companies and organizations including Citibank, Global Healthcare Exchange, Idea Integration, Agilent Technologies, Northrop Grumman, SRS Technologies, Secure Banking Services, IP3, Inc. and the U.S. Marine Corps. He was an adjunct professor for Colorado Technical University, where he taught courses on foundations of security and security management at the bachelor and master level. James has an M.S. in Computer Science from Colorado Technical University (2002). He was also a contributing author to Cisco Security Professional’s Guide to Secure Intrusion Detection Systems (Syngress, 2003). James is currently working with Secure Banking Services performing IT audit services to the financial industry and is a trainer for IP3, Inc.

Dr. Anton Chuvakin, GCIA, GCIH, GCFA (http://www.chuvakin.org) is a recognized security expert and book author. In his current role as a Director of Product Management with LogLogic, a log management and intelligence company, he is involved with defining and executing on a product vision and strategy, driving the product roadmap, conducting research as well as assisting key customers with their LogLogic implementations. He was previously a Chief Security Strategist with a security information management company. A frequent conference speaker, he also represents the company at various security meetings and standards organizations. He is an author of the book “Security Warrior” and a contributor to Know Your Enemy II, Information Security Management Handbook, and Hacker’s Challenge 3. Anton also published numerous papers on a broad range of security subjects. In his spare time he maintains his security portal http://www.info-secure.org and several blogs. Anton would like to thank Jason Chan for his help reviewing his chapters’ contents. Finally, Anton would like to dedicate his book chapters to his lovely wife, Olga.

Anatoly Elberg, QSA, CISSP, has over 10 years of experience and is an accomplished security professional. His focus includes IT governance, regulatory compliance, and risk management. Anatoly has implemented strategic information security management programs for large technology, financial, retail, and telecommunications companies. Currently he is a Principal Consultant and a regional security practice lead at BT INS. Anatoly has been working with Visa’s Cardholder Information Security Program (CISP) requirements since 2004, and is certified by the PCI Security Standards Council as a Qualified Security Assessor (QSA). In addition, Anatoly holds the CISSP, MCSE, CHSP, NSA IAM, and NSA IEM certifications. He has a bachelor’s degree from the University of Texas at Austin, and is a member of the Information Systems Auditing and Controls Association (ISACA).

Brian Freedman (CISSP, MCSE, CCEA, CCNA) is the Director of Infrastructure Services and Security with Benefitfocus. Benefitfocus is the leader in software and services for the healthcare benefits market, headquartered in Charleston, South Carolina. Brian manages the Infrastructure that runs the applications Benefitfocus creates. As Benefitfocus has grown, Brian has also taken on the role of the compliance officer for the organization, where he has led compliance efforts for both the Payment Card Industry Data Security Standards and HIPAA.
His specialties include Cisco networking, voice over IP and security, Microsoft Windows Servers, Microsoft Exchange, Data Center Design and Maintenance, and HIPAA and PCI DSS compliance efforts. Brian holds a bachelor’s degree from the University of Miami, and currently resides in Charleston, SC with his wife Starr, and children Myles, Max, and Sybil.

David King (CISSP) is the CEO of Remote Checkup, Inc. He has worked with credit card industry security standards since 2004. As the IT director of an e-commerce company he helped them comply with these standards. Since then he built a company from the ground up that has become a PCI approved scanning vendor. He currently consults with companies to help them meet PCI requirements using open source solutions whenever possible. Leveraging his background in system administration and coding, he also helps companies develop custom solutions that help them [...]

... that we start at the beginning.

What is PCI?
PCI is not a regulation. The term PCI stands for Payment Card Industry. What people are referring to when they say PCI is actually the PCI Data Security Standard (DSS), currently at version 1.1. However, to make things easy, we will continue to use the term PCI to identify the industry regulation.

Who Must Comply With the PCI?
In general, any company that stores, ...

... training and periodic reviews, as well as how to conduct a self-audit to ensure continued compliance.

Chapter 2
Introduction to Fraud, ID Theft, and Regulatory Mandates
By Tony Bradley, CISSP-ISSAP, Microsoft MVP-Windows Security, BT INS Security Consultant
non-compliance.

■ Chapter 4: Building and Maintaining a Secure Network
The first step in protecting any kind of data, and for PCI DSS compliance, is to have a secure network in the first place. This chapter discusses the basic components of a secure network and lays the foundation for building the rest of your PCI DSS compliance.

■ Chapter 5: Protect Cardholder Data
This chapter explains how to protect data ...

... transacting money. This book will explain the PCI DSS guidelines to you. However, it will do so in a broader, more holistic approach. The goal of this book is to not only teach you the PCI DSS requirements, but to help you understand how the PCI DSS requirements fit into an organization’s network security framework, and how to effectively implement network security controls so that you can be both compliant ...

... processes credit card transactions, stores credit card data, or in any other way touches personal or sensitive data associated with credit card payment processing, is affected by the PCI DSS. Virtually all businesses, no matter how big or how small, need to understand the scope of the PCI DSS and how to implement network security that is compliant with the PCI guidelines, or face penalties or the possibility ...

... implement compliance. This book is more of a strategic business guide to help executive management understand the implications of PCI DSS and what it takes to be compliant. This book is for the Information Technology (IT) managers and company executives who need to understand how the PCI DSS applies to them. This book is for the small- and medium-size business that doesn’t have ...

... Triad 68
PCI Requirement 3: Protect Stored Cardholder Data 69
Encryption Methods for Data at Rest 69
File- or Folder-level Encryption 70
Full Disk Encryption 71
Implications 72
Database (Column-level) Encryption 73
Overview ...
Multi-factor Authentication 129
Passwords 129
PCI Compliant Passwords 131
Educating Users 131
Authorization 133
PCI and Access Control 134
Processes for PCI Compliance 135
Configuring Systems to Enforce PCI Compliance 138
...
10 How to Plan a Project to Meet Compliance 205
Introduction 206
Justifying a Business Case for Compliance 206
Figuring Out If You Need to Comply 207
Compliance Overlap 207
The Level of Compliance 209
What is the Cost for Non-compliance? 210
Penalties for Non-compliance 210
Bringing ...

... need to grasp the concepts of PCI DSS and how to implement an effective security framework that is compliant. This book is intended as an introduction to PCI, but with a deeper and more technical understanding of how to put it into action.

Organization of the Book
Each chapter of the book is designed to provide you the information you need to know in a way that you can easily understand and apply. To aid ...