PCI Resources
A structured approach to the PCI standards

PCI DSS Book Volume 1 - A business case for the PCI DSS

Table of Contents

Book Series

    Book Series Introduction
    Book Series Acknowledgments

Volume 1 - A business case for the PCI DSS

    1.1 Volume Intro
    1.2 Why PCI DSS?
        1.2.1 The value of card information
        1.2.2 The costs of PCI DSS
    1.3 How We Got Here - An Oversimplified History of the Payment Card Industry (PCI)
        1.3.1 Credit in ancient times?
        1.3.2 Development of the financial industry in the USA
        1.3.3 The credit card era
        1.3.4 Credit card and the internet - or the automated fraud era
        1.3.5 Government Reaction to Accounting Scandals and Industry Reaction
    1.4 Who should care about the PCI DSS?
        1.4.1 The payment card model
        1.4.2 Anatomy of payment card transactions
        1.4.3 Clearing and Settlement
    1.5 So what exactly is PCI DSS?
        1.5.1 PCI DSS and the PCI SSC
        1.5.2 Defining the PCI DSS?
        1.5.3 PCI DSS at a high-level
    1.6 How should PCI DSS compliance be addressed?
        1.6.1 Fort Knox or the 'castle' metaphor
    1.7 Demonstrating PCI DSS compliance
        1.7.1 RoC vs SAQ (and AoC)
        1.7.2 Merchant Compliance
        1.7.3 Service Provider Compliance
        1.7.4 Other compliance - issuers, acquirers
    1.8 Where do we go from here? The evolution of the PCI DSS standard
        1.8.1 Early versions 1.0, 1.1, 1.2 and 1.2.1
        1.8.2 Version 2.0
        1.8.3 Version 3.0 and 3.1
        1.8.4 PCI DSS Designated Entities Supplemental Validation (DESV)
        1.8.5 PCI DSS 3.2
    1.9 Where do we go from here? Learning from failures
        1.9.1 The Verizon 2015 Data Breach Investigation Report
            1.9.1.1 Who is performing these attacks?
            1.9.1.2 Incident Analysis
            1.9.1.3 Top issues reported in the DBIR
            1.9.1.4 Breach Costs (Impact)
            1.9.1.5 Solutions
        1.9.2 The Verizon 2015 PCI Compliance Report
    1.10 Where do we go from here? My recommendations
        1.10.1 Porter's 5 forces
        1.10.2 Porter's 5 forces impact on issues and changes
        1.10.3 Issues and Recommendation Analysis
        1.10.4 Issues of Governance
        1.10.5 Reduction in Scope and Data Retention
        1.10.6 Defense in depth
        1.10.7 Vulnerability Management
        1.10.8 Access control
        1.10.9 People Issues
        1.10.10 Process Issues
        1.10.11 Summary of recommended changes
    1.11 Parting thoughts

Figures List

    Figure 1 - The PCI Payment Model
    Figure 2 - Rendering of a chip-card
    Figure 3 - Payment Card transaction authorization
    Figure 4 - Payment clearing
    Figure 5 - Payment settlement
    Figure 6 - London tower structure in 1597
    Figure 7 - Castle vs. Network
    Figure 8 - Summary of PCI DSS versions over time
    Figure 9 - Attacker Approach
    Figure 10 - 2016 Verizon DBIR "Birth and rebirth of a data breach"
    Figure 11 - Porter 5 Forces

Tables List

    Table 1 - PCI DSS High Level Overview
    Table 2 - Merchant SAQ description
    Table 3 - Determining Visa merchant levels
    Table 4 - Verizon Recommended Key SANS Critical security controls with PCI DSS mapping

PCI DSS Glossary

    PCI DSS Glossary