PCI Resources
A structured approach to the PCI standards

PCI DSS Book Volume 3 - Building a PCI DSS Information Security Program

Table of Contents

Book Series

    Book Series Introduction
    Book Series Acknowledgments

Volume 3 - Building a PCI DSS Information Security Program

    3.1 Volume Introduction
    3.2 The High-Level PCI DSS requirements
    3.3 Building a PCI DSS Information Security Program
        3.3.1 Where you come from matters
        3.3.2 Information Security Programs are meant to address Risks
        3.3.3 Information Security Frameworks
    3.4 The PCI DSS Information Security Program Structure
        3.4.1 Recapping the PCI DSS data elements
        3.4.2 Data Classification
        3.4.3 Examples of data classification
    3.5 Governance
        3.5.1 Responsibilities for the program
        3.5.2 It's all about risk
            3.5.2.1 Risk Assessment: Identifies critical assets, threats, and vulnerabilities
            3.5.2.2 Risk Assessment: Results in a formal, documented analysis of risk
        3.5.3 (Information Security) Policies (Requirement 12)
    3.6 Documenting usage of card information
    3.7 The body of the program
        3.7.1 Requirement 1 - Firewall - Isolating the Cardholder Data Environment (CDE)
            3.7.1.1 Internet-facing systems in the DMZ
            3.7.1.2 Wireless
            3.7.1.3 Firewall Configuration Standards
            3.7.1.4 Changes to the CDE
            3.7.1.5 Remote Access - Workstations, Desktops, Laptops
        3.7.2 Requirement 2 - Hardening
        3.7.3 Requirement 3 - Storage of Cardholder Data
            3.7.3.1 Encryption of Stored Data
        3.7.4 Requirement 4 - Transmission of Cardholder Data
            3.7.4.1 Encryption of Stored Data
        3.7.5 Requirement 5 - Antivirus / Antimalware
        3.7.6 Requirement 6 - Vulnerabilities, Patching, Change Control and Software and Web Development
            3.7.6.1 Vulnerability Management
            3.7.6.2 Change control
            3.7.6.3 Software Development Requirements
        3.7.7 Requirement 7 - Need-to-know
        3.7.8 Requirement 8 - Authentication
            3.7.8.1 User Identification and Accounts (ensuring traceability)
        3.7.9 Requirement 9 - Physical security
            3.7.9.1 Visitors
            3.7.9.2 Media Management
            3.7.9.3 Protection of Point-of-Sale (POS) and other payment devices
        3.7.10 Requirement 10 - Logging & Monitoring (audit trails)
        3.7.11 Requirement 11 - Testing
            3.7.11.1 Testing wireless networks
            3.7.11.2 Vulnerability testing
            3.7.11.3 Penetration testing
            3.7.11.4 Other detective controls
    3.8 Other Requirements
        3.8.1 Third-party service providers (TPSP)
        3.8.2 Shared service providers requirements
        3.8.3 Incident Management
    3.9 Addressing compliance gaps - prioritization
    3.10 Compensating Controls
    3.11 Total Cost of Ownership (TCO) and Return-on-Investment (ROI)
    3.12 Mapping to and Missing ISO 27002 controls
        3.12.1 ISO/IEC 27000 Series
        3.12.2 ISO/IEC 27002 Overview
        3.12.3 ISO/IEC 27002:2013 and PCI DSS 3.1 high-level controls
        3.12.4 ISO/IEC 27002:2013 mapping to PCI DSS 3.1
            3.12.4.1 ISO/IEC 27002:2013 Domain 5 - Information security policies
            3.12.4.2 ISO/IEC 27002:2013 Domain 6 - Organization of information
            3.12.4.3 ISO/IEC 27002:2013 Domain 7 - Human resource security
            3.12.4.4 ISO/IEC 27002:2013 Domain 8 - Asset management
            3.12.4.5 ISO/IEC 27002:2013 Domain 9 - Access control
            3.12.4.6 ISO/IEC 27002:2013 Domain 10 - Cryptography
            3.12.4.7 ISO/IEC 27002:2013 Domain 11 - Physical and environmental security
            3.12.4.8 ISO/IEC 27002:2013 Domain 12 - Operations security
            3.12.4.9 ISO/IEC 27002:2013 Domain 13 - Communications security
            3.12.4.10 ISO/IEC 27002:2013 Domain 14 - System acquisition, development and maintenance
            3.12.4.11 ISO/IEC 27002:2013 Domain 15 - Supplier relationships
            3.12.4.12 ISO/IEC 27002:2013 Domain 16 - Information security incident management
            3.12.4.13 ISO/IEC 27002:2013 Domain 17 - Information security aspects of business continuity management
            3.12.4.14 ISO/IEC 27002:2013 Domain 18 - Compliance
            3.12.4.15 PCI DSS 3.1 requirements partially or not covered by ISO/IEC 27002:2013
    3.13 A primer on encryption
        3.13.1 What is encryption?
        3.13.2 Encryption basics
        3.13.3 Ciphers, cryptographic algorithms
            3.13.3.1 Symmetric cryptography
            3.13.3.2 Asymmetric cryptography
            3.13.3.3 Hashing functions
        3.13.4 Usage of cryptographic primitives
            3.13.4.1 Usage: secure storage of passwords
            3.13.4.2 Usage: Transmitted (or Stored) Data - example OpenPGP
            3.13.4.3 Usage: Digital Signatures - OpenPGP
            3.13.4.4 Usage: Sent Data - HTTPS (SSL/TLS)
        3.13.5 Secure Ciphers (Algorithms)
        3.13.6 Summary Table

Figures List

    Figure 1 - Rendering of Credit Card (Front)
    Figure 2 - Rendering of Credit Card (Back)
    Figure 3 - Sample business process diagram
    Figure 4 - Sample cardholder dataflow diagram
    Figure 5 - Sample high-level network diagram (store chain)
    Figure 6 - Sample detailed network diagram (individual store)
    Figure 7 - Screenshot of Prioritized Approach document
    Figure 8 - Verizon 2015 PCI Compliance Report Appendix C
    Figure 9 - The lock icon on https://www.google.com on Chrome and Firefox under a Mac
    Figure 10 - Basic Symmetric Encryption Process
    Figure 11 - Asymmetric cryptography
    Figure 12 - Hashing functions
    Figure 13 - Password storage and validation
    Figure 14 - Diagram of salted hash process
    Figure 15 - PGP encryption and decryption processes
    Figure 16 - Digital Signatures using PGP
    Figure 17 - SSL/TLS certificate errors in Chrome and Firefox
    Figure 18 - HTTPS handshake
    Figure 19 - Certificate chaining

Tables List

    Table 1 - PCI DSS High Level Overview
    Table 2 - PCI DSS data
    Table 3 - Example of business justification of firewall rules (requirement 1.1.6)
    Table 4 - OWASP Overall Risk Severity Rating from Likelihood and Impact Factors
    Table 5 - PCI DSS Prioritized Approach Milestones
    Table 6 - Compensating Controls Documentation Requirements
    Table 7 - Example of different hash values for 'password'
    Table 8 - Summary of cryptographic primitives

PCI DSS Glossary

    PCI DSS Glossary