www.syngress.com
Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our customers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site.
SOLUTIONS WEB SITE
To register your book, visit www.syngress.com/solutions. Once registered, you can access our solutions@syngress.com Web pages. There you may find an assortment of value-added features such as free e-books related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s).
ULTIMATE CDs
Our Ultimate CD product line offers our readers budget-conscious compilations of some
of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to
extend your reference library on key topics pertaining to your area of expertise,
including Cisco Engineering, Microsoft Windows System Administration, CyberCrime
Investigation, Open Source Security, and Firewall Configuration, to name a few.
DOWNLOADABLE E-BOOKS
For readers who can’t wait for hard copy, we offer most of our titles in downloadable
Adobe PDF form. These e-books are often available weeks before hard copies, and are
priced affordably.
SYNGRESS OUTLET
Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt
books at significant savings.
SITE LICENSING
Syngress has a well-established program for site licensing our e-books onto servers in corporations, educational institutions, and large organizations. Contact us at sales@syngress.com for more information.
CUSTOM PUBLISHING
Many organizations welcome the ability to combine parts of multiple Syngress books, as
well as their own content, into a single volume for their own internal use. Contact us at
sales@syngress.com for more information.
Visit us at
Tony Bradley Technical Editor
James D. Burton Jr.
Dr. Anton Chuvakin
Anatoly Elberg
Brian Freedman
David King
Scott Paladino
Paul Shcooping
Implementing Effective PCI Data
Security Standards
Elsevier, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.
Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Elsevier, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Elsevier, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
PUBLISHED BY
Syngress Publishing, Inc.
Elsevier, Inc.
30 Corporate Drive
Burlington, MA 01803
PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance
Copyright © 2007 by Elsevier, Inc. All rights reserved. Printed in the United States of America. Except as permitted
under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by
any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with
the exception that the program listings may be entered, stored, and executed in a computer system, but they may
not be reproduced for publication.
Printed in the United States of America
ISBN-13: 978-1-59749-165-5
Publisher: Amorette Pedersen
Acquisitions Editor: Andrew Williams
Technical Editor: Tony Bradley
Cover Designer: Michael Kavish
Page Layout and Art: Patricia Lupien
Copy Editor: Judy Eby
Indexer: Odessa&Cie
For information on rights, translations, and bulk sales, contact Matt Pedersen, Commercial Sales Director and Rights, at Syngress Publishing; email m.pedersen@elsevier.com.
Technical Editor
Tony Bradley (CISSP-ISSAP) is the Guide for the Internet/Network Security site on About.com, a part of The New York Times Company. He has written for a variety of other Web sites and publications, including BizTech Magazine, PC World, SearchSecurity.com, WindowsNetworking.com, Smart Computing magazine, and Information Security magazine. Currently a Security Consultant with BT INS in Houston, TX, Tony performs a wide range of information security tasks and functions. Tony has driven security policies and technologies for antivirus and incident response for Fortune 500 companies, and he has been network administrator and technical support for smaller companies.
Tony is a CISSP (Certified Information Systems Security Professional) and ISSAP (Information Systems Security Architecture Professional). He is Microsoft Certified as an MCSE (Microsoft Certified Systems Engineer) and MCSA (Microsoft Certified Systems Administrator) in Windows 2000 and an MCP (Microsoft Certified Professional) in Windows NT. Tony is recognized by Microsoft as an MVP (Most Valuable Professional) in Windows security.
On his About.com site, Tony has on average over 600,000 page views per month and over 30,000 subscribers to his weekly newsletter. He created a 10-part Computer Security 101 Class that has had thousands of participants since its creation and continues to gain popularity through word of mouth. In addition to his Web site and magazine contributions, Tony was also author of Essential Computer Security: Everyone’s Guide to E-mail, Internet, and Wireless Security (ISBN: 1597491144), coauthor of Hacker’s Challenge 3 (ISBN: 0072263040) and a contributing author to Winternals: Defragmentation, Recovery, and Administration Field Guide (ISBN: 1597490792), Combating Spyware in the Enterprise (ISBN: 1597490644), Syngress Force 2006 Emerging Threat Analysis: From Mischief to Malicious (ISBN: 1597490563), and Botnets: The Killer Web Applications (ISBN: 1597491357).
Acknowledgements
Taking a book from a concept and a vision to a finished, hard copy product is not an easy task. I want to thank Amy Pedersen of Syngress for staying on top of myself and the rest of the writers to keep the project on track. Amy had to put in some extra effort to juggle and replace authors as the project progressed, and her efforts are greatly appreciated. I also want to thank all of the contributing authors. Everyone has day jobs and personal lives and making a commitment to contribute to a book is often a challenge.
Dedication
This work is dedicated to my family. My wife Nicki, and my children Jordan, Dalton, Paige, Teegan, Ethan, Noah and Addison, as well as my in-laws have always been very proud and supportive of my efforts. Without their backing, I would not have the successes that I have had.
Contributors
James D. Burton Jr., CISSP, CISA, CISM, GSNA, is a Sr. I.T. Security Professional with over 12 years in the field. He is a well-known subject matter expert in the areas of IT security, information assurance and IT audit, and has worked as a consultant, trainer, and an adjunct professor. He has worked on projects or trained for major companies and organizations including Citibank, Global Healthcare Exchange, Idea Integration, Agilent Technologies, Northrop Grumman, SRS Technologies, Secure Banking Services, IP3, Inc. and the U.S. Marine Corps. He was an adjunct professor for Colorado Technical University, where he taught courses on foundations of security and security management at the bachelor and master level. James has an M.S. in Computer Science from Colorado Technical University (2002). He was also a contributing author to Cisco Security Professional’s Guide to Secure Intrusion Detection Systems (Syngress, 2003). James is currently working with Secure Banking Services performing IT audit services to the financial industry and is a trainer for IP3, Inc.
Dr. Anton Chuvakin, GCIA, GCIH, GCFA (http://www.chuvakin.org) is a recognized security expert and book author. In his current role as a Director of Product Management with LogLogic, a log management and intelligence company, he is involved with defining and executing on a product vision and strategy, driving the product roadmap, conducting research as well as assisting key customers with their LogLogic implementations. He was previously a Chief Security Strategist with a security information management company. A frequent conference speaker, he also represents the company at various security meetings and standards organizations. He is an author of a book “Security Warrior” and a contributor to Know Your Enemy II, Information Security Management Handbook, and Hacker’s Challenge 3. Anton also published numerous papers on a broad range of security subjects. In his spare time he maintains his security portal http://www.info-secure.org and several blogs. Anton would like to thank Jason Chan for his help reviewing his chapters’ contents. Finally, Anton would like to dedicate his book chapters to his lovely wife, Olga.
Anatoly Elberg, QSA, CISSP, has over 10 years of experience and is an accomplished security professional. His focus includes IT governance, regulatory compliance, and risk management. Anatoly has implemented strategic information security management programs for large technology, financial, retail, and telecommunications companies. Currently he is a Principal Consultant and a regional security practice lead at BT INS. Anatoly has been working with Visa’s Cardholder Information Security Program (CISP) requirements since 2004, and is certified by the PCI Security Standards Council as a Qualified Security Assessor (QSA). In addition, Anatoly holds the CISSP, MCSE, CHSP, NSA IAM, and NSA IEM certifications. He has a bachelor’s degree from the University of Texas at Austin, and is a member of the Information Systems Auditing and Controls Association (ISACA).
Brian Freedman (CISSP, MCSE, CCEA, CCNA) is the Director of Infrastructure Services and Security with Benefitfocus. Benefitfocus is the leader in software and services for the healthcare benefits market headquartered in Charleston, South Carolina. Brian manages the Infrastructure that runs the applications Benefitfocus creates. As Benefitfocus has grown, Brian has also taken on the role of the compliance officer for the organization, where he has led compliance efforts for both the Payment Card Industry Data Security Standards and HIPAA. His specialties include Cisco networking, voice over IP and security, Microsoft Windows Servers, Microsoft Exchange, Data Center Design and Maintenance, and HIPAA and PCI DSS compliance efforts.
Brian holds a bachelor’s degree from the University of Miami, and currently resides in Charleston, SC with his wife Starr, and children Myles, Max, and Sybil.
David King (CISSP) is the CEO of Remote Checkup, Inc. He has worked with credit card industry security standards since 2004. As the IT director of an e-commerce company he helped them comply with these standards. Since then he built a company from the ground up that has become a PCI approved scanning vendor. He currently consults with companies to help them meet PCI requirements using open source solutions whenever possible. Leveraging his background in system administration and coding, he also helps companies develop custom solutions that help them
Excerpts from the book (preview fragments; gaps are marked with ...)

... that we start at the beginning.

What is PCI?
PCI is not a regulation. The term PCI stands for Payment Card Industry. What people are referring to when they say PCI is actually the PCI Data Security Standard (DSS), currently at version 1.1. However, to make things easy, we will continue to use the term PCI to identify the industry regulation.

Who Must Comply With the PCI?
In general, any company that stores, ...

... training and periodic reviews, as well as how to conduct a self-audit to ensure continued compliance.

Chapter 2: Introduction to Fraud, ID Theft, and Regulatory Mandates
By Tony Bradley, CISSP-ISSAP, Microsoft MVP-Windows Security, BT INS Security Consultant

... non-compliance
■ Chapter 4: Building and Maintaining a Secure Network
The first step in protecting any kind of data, and for PCI DSS compliance, is to have a secure network in the first place. This chapter discusses the basic components of a secure network and lays the foundation for building the rest of your PCI DSS compliance.
■ Chapter 5: Protect Cardholder Data
This chapter explains how to protect data...

... transacting money. This book will explain the PCI DSS guidelines to you. However, it will do so in a broader, more holistic approach. The goal of this book is to not only teach you the PCI DSS requirements, but to help you understand how the PCI DSS requirements fit into an organization’s network security framework, and how to effectively implement network security controls so that you can be both compliant...

... processes credit card transactions, stores credit card data, or in any other way touches personal or sensitive data associated with credit card payment processing, is affected by the PCI DSS. Virtually all businesses, no matter how big or how small, need to understand the scope of the PCI DSS and how to implement network security that is compliant with the PCI guidelines, or face penalties or the possibility...

(Chapter 1: PCI and This Book, page 3)
... implement compliance. This book is more of a strategic business guide to help executive management understand the implications of PCI DSS and what it takes to be compliant. This book is for the Information Technology (IT) managers and company executives who need to understand how the PCI DSS apply to them. This book is for the small- and medium-size business that doesn’t have...

Contents (fragments)
... Triad 68
PCI Requirement 3: Protect Stored Cardholder Data 69
Encryption Methods for Data at Rest 69
File- or Folder-level Encryption 70
Full Disk Encryption 71
Implications 72
Database (Column-level) Encryption 73
Overview...
... Multi-factor Authentication 129
Passwords 129
PCI Compliant Passwords 131
Educating Users 131
Authorization 133
PCI and Access Control 134
Processes for PCI Compliance 135
Configuring Systems to Enforce PCI Compliance 138
... 10 How to Plan a Project to Meet Compliance 205
Introduction 206
Justifying a Business Case for Compliance 206
Figuring Out If You Need to Comply 207
Compliance Overlap 207
The Level of Compliance 209
What is the Cost for Non-compliance? 210
Penalties for Non-compliance 210
Bringing...

... need to grasp the concepts of PCI DSS and how to implement an effective security framework that is compliant. This book is intended as an introduction to PCI, but with a deeper and more technical understanding of how to put it into action.

Organization of the Book
Each chapter of the book is designed to provide you the information you need to know in a way that you can easily understand and apply. To aid ...