PCI DSS: A pocket guide, sixth edition

About This Book

An ideal introduction to PCI DSS v3.2.1

All businesses that accept payment cards are prey for criminal hackers trying to steal financial information and commit identity fraud. The PCI DSS (Payment Card Industry Data Security Standard) exists to ensure that businesses process credit and debit card payments in a way that effectively protects cardholder data.

All organisations that accept, store, transmit or process cardholder data must comply with the Standard; failure to do so can have serious consequences and expensive repercussions. These range from customer desertion and brand damage to significant financial penalties and operating restrictions imposed by their acquiring bank.

Covering PCI DSS v3.2.1, this handy pocket guide provides all the information you need to consider as you approach the Standard. It is also an ideal training resource for those in your organisation involved with payment card processing. Topics include:

  • An overview of PCI DSS v3.2.1
  • How to comply with the requirements of the Standard
  • Maintaining compliance
  • The PCI SAQ (self-assessment questionnaire)
  • The PCI DSS and ISO 27001
  • Procedures and qualifications
  • An overview of the PA-DSS (Payment Application Data Security Standard)
  • PTS (PIN Transaction Security)
  • Software-based PIN entry

Buy your copy of this quick-reference guide to PCI DSS v3.2.1 today!

About the authors

Alan Calder is a leading author on IT governance and information security issues. He is the CEO of GRC International Group plc, the AIM-listed company that owns IT Governance Ltd.

Alan is an acknowledged international cyber security guru. He is a frequent media commentator on information security and IT governance issues, and has contributed articles and expert comment to a wide range of trade, national and online news outlets.

Geraint Williams is the CISO for the GRC International Group of companies, and a knowledgeable and experienced senior information security consultant and former PCI QSA, with a strong technical background and experience in the PCI DSS and security testing.

Geraint has provided consultancy on implementing the PCI DSS, and has conducted audits for a wide range of merchants and service providers as well as penetration testing and vulnerability assessments for clients. He has broad technical knowledge of security and IT infrastructure, including high-performance computing and Cloud computing. His certifications include CISSP® and PCIP.


Information

Publisher
ITGP
Year
2019
ISBN
9781787781641
Edition
6

CHAPTER 1: WHAT IS THE PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)?

The Payment Card Industry Data Security Standard (PCI DSS) was developed by the five founding payment brands of the PCI Security Standards Council (PCI SSC, at www.pcisecuritystandards.org): American Express, Discover Financial Services, JCB International, Mastercard and Visa.
The PCI DSS consists of a standardised, industry-wide set of requirements and processes for security management, policies, procedures, network architecture, software design and critical protective measures.
The requirements of the PCI DSS must be met by all organisations (merchants and service providers) that transmit, process or store payment card data, or directly or indirectly affect the security of cardholder data. If an organisation uses a third party to manage cardholder data, it has a responsibility to ensure that the third party is compliant with the PCI DSS.
The PCI DSS (sometimes referred to as a compliance standard) is not a law. It is a contractual obligation, applied and enforced – by means of fines or other restrictions – by the payment brands, typically through the acquiring banks.
The currently applicable version of the PCI DSS, since May 2018, is version 3.2.1; subject to licence, it can be freely downloaded.3 It is published and controlled by the PCI SSC on behalf of its five founding members.
In June 2015, the PCI SSC introduced the concept of ‘designated entities’. These are high-risk entities that can be prescribed a set of supplemental validation requirements to demonstrate ongoing security efforts to protect payments.
The SSC also defines qualifications for Qualified Security Assessors (QSAs), Internal Security Assessors (ISAs), PCI Forensic Investigators (PFIs), PCI Professionals (PCIPs), Qualified Integrators and Resellers (QIRs) and Approved Scanning Vendors (ASVs). It trains, tests, certifies and runs quality assurance programmes for these certifications.
The PCI DSS is a set of 12 requirements that are imposed on merchants and other related parties. These requirements are described later in this pocket guide.

Key definitions4 and acronyms in the PCI DSS

Acquirer – a bank that acquires merchants, i.e. the bank that holds your merchant account and settles your card transactions.
Payment brand – Visa, Mastercard, American Express, Discover, JCB.
Merchant – an entity that sells goods or services to cardholders and accepts payment cards.
Service provider – a business entity that is directly or indirectly involved in the processing, storage, transmission and switching of cardholder data. This includes companies that provide services to merchants, service providers, or members that control or could impact the security of cardholder data.
Service providers include:
• Third-party processors (TPPs), which process payment card transactions (including payment gateways); and
• Data storage entities (DSEs), which store or transmit payment card data.
Primary account number (PAN) – the payment card number, up to 19 digits long.
Qualified Security Assessor (QSA) – someone who is trained and certified to carry out PCI DSS compliance assessments.
Internal Security Assessor (ISA) – someone who is trained and certified to conduct internal security assessments.
Approved Scanning Vendor (ASV) – an organisation that is approved as competent to carry out the external vulnerability scans required by the PCI DSS.
PCI Forensic Investigator (PFI) – an individual trained and certified to investigate and contain information security breaches involving cardholder data.
3 www.pcisecuritystandards.org/document_library.
4 There is a formal English glossary available at www.pcisecuritystandards.org/document_library.

CHAPTER 2: RECENT CARDHOLDER BREACHES

E-commerce breaches

There have been a number of high-profile attacks by the threat group Magecart, including major breaches of British Airways and Ticketmaster UK. In both incidents, a script was used to intercept cardholders’ details as they entered them into a browser on the cardholders’ own machines.
• In the British Airways breach, Magecart managed to get a modified script onto the web server and application itself.
• In the case of Ticketmaster UK, Magecart managed to get a substitute script onto a service provider’s server. The malicious script was then called from the Ticketmaster website and captured card details.
In the case of British Airways, server and application access controls should have prevented the script from being modified, and change detection should have recognised that the script had been changed. Ticketmaster, meanwhile, should have ensured that the service provider was PCI DSS compliant, because a script called from the page that hosts payment entry can read everything the cardholder types and is therefore within the scope of the Standard.
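The change detection the authors call for is simple to build for the scripts a payment page loads. The following is an added example written for this edit, not code from the book or from either company named above. It assumes a baseline of approved script bodies recorded at deployment (the URLs and bodies here are constructed and stand for nothing real), recomputes SHA-256 fingerprints of what is currently served, and reports modified, missing and never-approved scripts. For a third-party script it also emits the Subresource Integrity value that lets the browser refuse a changed body on every load, which covers the Ticketmaster pattern as well as the British Airways one.

```python
"""Change detection for the scripts a payment page loads.

Added example, not code from the book or from either company named above.
The baseline maps each script URL to the SHA-256 of the body approved at
deployment; a check recomputes the hash of what is currently served and
flags anything modified, missing, or not in the baseline at all. For a
third-party script the browser can enforce the same thing on every load
via a Subresource Integrity (SRI) attribute, so that value is produced too.
"""
import base64
import hashlib
from typing import Dict

# Constructed sample: what the page served when the baseline was recorded.
# The URLs and script bodies are illustrative and stand for nothing real.
APPROVED_SCRIPTS: Dict[str, bytes] = {
    "https://shop.example/js/checkout.js": b"function submitCard(f){return post('/pay', f);}\n",
    "https://cdn.provider.example/widget.js": b"window.widget = {version: '2.1'};\n",
}


def sha256_hex(body: bytes) -> str:
    """Hex SHA-256 of a script body, used as the baseline fingerprint."""
    return hashlib.sha256(body).hexdigest()


def sri_value(body: bytes) -> str:
    """SRI integrity attribute value (sha384, base64) for <script integrity=...>."""
    digest = hashlib.sha384(body).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def build_baseline(scripts: Dict[str, bytes]) -> Dict[str, str]:
    """Fingerprint every approved script body; store this at deployment time."""
    return {url: sha256_hex(body) for url, body in scripts.items()}


def check_scripts(baseline: Dict[str, str], served: Dict[str, bytes]) -> Dict[str, str]:
    """Compare currently served bodies with the baseline.

    Returns url -> "ok" | "modified" | "unexpected" | "missing".
    "unexpected" is a script the page now loads that was never approved;
    "missing" is an approved script that is no longer served.
    """
    result: Dict[str, str] = {}
    for url, body in served.items():
        if url not in baseline:
            result[url] = "unexpected"
        elif sha256_hex(body) != baseline[url]:
            result[url] = "modified"
        else:
            result[url] = "ok"
    for url in baseline:
        if url not in served:
            result[url] = "missing"
    return result


def alerts(report: Dict[str, str]) -> Dict[str, str]:
    """Only the entries that need a human: everything except "ok"."""
    return {url: state for url, state in report.items() if state != "ok"}


if __name__ == "__main__":
    baseline = build_baseline(APPROVED_SCRIPTS)
    # Constructed "later" snapshot: the third-party script has an appended line
    # and the page now pulls in an extra script nobody approved.
    served_now = dict(APPROVED_SCRIPTS)
    served_now["https://cdn.provider.example/widget.js"] += b"// appended line\n"
    served_now["https://cdn.other.example/extra.js"] = b"// not in baseline\n"
    for url, state in alerts(check_scripts(baseline, served_now)).items():
        print(f"{state:10} {url}")
    # Tags a payment page would carry so the browser itself rejects a changed body.
    for url, body in APPROVED_SCRIPTS.items():
        print(f'<script src="{url}" integrity="{sri_value(body)}" crossorigin="anonymous"></script>')
```

Running the check on a schedule against the live page (rather than against the file on disk) is what catches the Ticketmaster case, where the modified body never touched the merchant's own server; PCI DSS v3.2.1 Requirement 11.5 asks for exactly this kind of change-detection mechanism on critical files. The SRI attribute only protects a script whose body is meant to be static, so a provider that changes its script without notice will break the page rather than silently capture card data, which is the safer failure.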

Hospitality industry

Criminal hackers have for several years targeted the point-of-sale (POS) equipment used to take payments in order to steal cardholder data, breaching numerous restaurant and hotel chains.
• Two million customer credit cards were stolen between May 2018 and March 2019 from more than 100 restaurants belonging to Earl Enterprises. The restaurants, which include Planet Hollywood, Buca di Beppo, and Earl of Sandwich, had their POS terminals infected with malware; the stolen credit card numbers were on sale less than a month later.
• Malware was found on payment processing servers used at restaurants and bars in the InterContinental Hotels Group in 2017. Stolen data included cardholder names, card numbers, expiration dates and internal verification codes.
• US coffee chain Caribou Coffee announced a security breach after it discovered unauthorised access to its POS systems between 28 August and 3 December 2018. 239 of its 603 stores were impacted – amounting to roughly 40% of its sites.
In these cases, and many more, isolating the cardholder data environment (CDE) from the rest of the organisation’s network and implementing strong access controls would have helped protect cardholder data.

CHAPTER 3: WHAT IS THE SCOPE OF THE PCI DSS?

The PCI DSS is applicable if you store, process or transmit cardholder data, or if you are responsible for third parties that store, process or transmit cardholder data. It also applies if you are involved with or can affect the security of the storage, processing or transmission of cardholder data. The cardholder data environment (CDE) is any network or environment that possesses cardholder data or sensitive authentication data. The Standard does not apply to your organisation if primary account numbers (PANs) are not stored, processed or transmitted.

The PCI DSS applies to any type of media on which card data may be held – this includes not only hard disk drives, floppy disks, magnetic tape and back-up media, but also printed or handwritten credit and debit card receipts where the full card number is printed. These receipts are sometimes held by merchants as a paper record of the transaction and may be used for voucher recovery purposes or as evidence of the transaction if the acquirer issues a request for information (RFI). If the card number is recorded in full, the record is subject to the same security requirements as electronic copies...
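Because the presence of full PANs is what decides whether the Standard applies, scoping in practice starts with finding where they actually sit. The following is an added example written for this edit, not material from the book: a minimal PAN discovery pass over text records such as log lines, database exports or scanned receipts. The sample records are constructed (the two card numbers in them are widely published test numbers, not real accounts); the 13-to-19-digit window, the Luhn check and the first-six/last-four masking of the output are the assumptions it works from.

```python
"""Minimal PAN discovery over text records.

Added example, not material from the book. Scoping starts with finding
where full PANs actually sit, so this scans text (log lines, exports,
OCR'd receipts) for 13-19 digit runs, optionally separated by single
spaces or hyphens, and keeps only those that pass the Luhn check.
Already-masked values (first six / last four with asterisks) are ignored,
and hits are reported masked so the scan output is not itself a PAN store.
"""
import re
from typing import List, Tuple

# Constructed sample records. 4111111111111111 and 5555555555554444 are
# widely published test card numbers, not real accounts.
SAMPLE_RECORDS = [
    "2019-03-01 order=10482 pan=4111111111111111 exp=12/22 amount=49.99",
    "2019-03-01 order=10483 pan=411111******1111 exp=12/22 amount=12.00",
    "2019-03-01 order=10484 ref=1234567812345678 amount=5.00",
    "receipt: card 5555 5555 5555 4444 signed by customer",
]

# 13-19 digits, each optionally followed by one space or hyphen, and not
# adjacent to another digit or to an asterisk (which would mean a masked value).
_CANDIDATE = re.compile(r"(?<![\d*])(?:\d[ -]?){12,18}\d(?![\d*])")


def luhn_valid(digits: str) -> bool:
    """Luhn check: from the right, double every second digit (subtract 9 if > 9); sum % 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Candidate PANs in one record, normalised to bare digits.

    A digit run that fails Luhn is dropped as a whole rather than re-split
    into shorter windows: fewer false positives (order numbers, timestamps),
    at the cost of missing a PAN glued directly onto other digits.
    """
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(pan: str) -> str:
    """First six and last four only, the most the Standard permits to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_records(records: List[str]) -> List[Tuple[int, str]]:
    """(1-based record number, masked PAN) for every hit; output never contains a full PAN."""
    found = []
    for n, line in enumerate(records, start=1):
        for pan in find_pans(line):
            found.append((n, mask_pan(pan)))
    return found


if __name__ == "__main__":
    for n, masked in scan_records(SAMPLE_RECORDS):
        print(f"record {n}: full PAN present -> {masked}")
```

Run over the sample, records 1 and 4 are reported and records 2 and 3 are not: the masked value in record 2 is exactly what the Standard allows to be kept outside the CDE, and the 16-digit reference in record 3 fails Luhn. A real scoping exercise would run the same logic over file shares, databases, mail stores and backups, and every hit means that system is in the CDE until the PAN is removed or truncated.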

Table of contents

  1. Cover
  2. Title
  3. Copyright
  4. Foreword
  5. About the Author
  6. Acknowledgements
  7. Contents
  8. Chapter 1: What is the Payment Card Industry Data Security Standard (PCI DSS)?
  9. Chapter 2: Recent cardholder breaches
  10. Chapter 3: What is the scope of the PCI DSS?
  11. Chapter 4: Compliance and compliance programmes
  12. Chapter 5: Consequences of a breach
  13. Chapter 6: How do you comply with the requirements of the Standard?
  14. Chapter 7: Maintaining compliance
  15. Chapter 8: PCI DSS – the Standard
  16. Chapter 9: Aspects of PCI DSS compliance
  17. Chapter 10: The PCI Self-Assessment Questionnaire (SAQ)
  18. Chapter 11: Procedures and qualifications
  19. Chapter 12: The PCI DSS and ISO/IEC 27001
  20. Chapter 13: The Payment Application Data Security Standard (PA-DSS)
  21. Chapter 14: PIN Transaction Security (PTS)
  22. Chapter 15: Secure Software Standard
  23. Chapter 16: Software-based PIN entry on commercial off-the-shelf devices (COTS)
  24. Further reading