PCI Resources
A structured approach to the PCI standards

Volume 1 - A business case for the PCI DSS

  • Book Series
    • Book Series Introduction
    • Book Series Acknowledgments
  • Volume 1 - A business case for the PCI DSS
    • 1.1 Volume Intro
    • 1.2 Why PCI DSS?
      • 1.2.1 The value of card information
      • 1.2.2 The costs of PCI DSS
    • 1.3 How We Got Here - An Oversimplified History of the Payment Card Industry (PCI)
      • 1.3.1 Credit in ancient times?
      • 1.3.2 Development of the financial industry in the USA
      • 1.3.3 The credit card era
      • 1.3.4 Credit card and the internet - or the automated fraud era
      • 1.3.5 Government Reaction to Accounting Scandals and Industry Reaction
    • 1.4 Who should care about the PCI DSS?
      • 1.4.1 The payment card model
      • 1.4.2 Anatomy of payment card transactions
      • 1.4.3 Clearing and Settlement
    • 1.5 So what exactly is PCI DSS?
      • 1.5.1 PCI DSS and the PCI SSC
      • 1.5.2 Defining the PCI DSS?
      • 1.5.3 PCI DSS at a high-level
    • 1.6 How should PCI DSS compliance be addressed?
      • 1.6.1 Fort Knox or the 'castle' metaphor
    • 1.7 Demonstrating PCI DSS compliance
      • 1.7.1 RoC vs SAQ (and AoC)
      • 1.7.2 Merchant Compliance
      • 1.7.3 Service Provider Compliance
      • 1.7.4 Other compliance - issuers, acquirers
    • 1.8 Where do we go from here? The evolution of the PCI DSS standard
      • 1.8.1 Early versions 1.0, 1.1, 1.2 and 1.2.1
      • 1.8.2 Version 2.0
      • 1.8.3 Version 3.0 and 3.1
      • 1.8.4 PCI DSS Designated Entities Supplemental Validation (DESV)
      • 1.8.5 PCI DSS 3.2
    • 1.9 Where do we go from here? Learning from failures
      • 1.9.1 The Verizon 2015 Data Breach Investigations Report
        • 1.9.1.1 Who is performing these attacks?
        • 1.9.1.2 Incident Analysis
        • 1.9.1.3 Top issues reported in the DBIR
        • 1.9.1.4 Breach Costs (Impact)
        • 1.9.1.5 Solutions
      • 1.9.2 The Verizon 2015 PCI Compliance Report
    • 1.10 Where do we go from here? My recommendations
      • 1.10.1 Porter's 5 forces
      • 1.10.2 Porter's 5 forces impact on issues and changes
      • 1.10.3 Issues and Recommendation Analysis
      • 1.10.4 Issues of Governance
      • 1.10.5 Reduction in Scope and Data Retention
      • 1.10.6 Defense in depth
      • 1.10.7 Vulnerability Management
      • 1.10.8 Access control
      • 1.10.9 People Issues
      • 1.10.10 Process Issues
      • 1.10.11 Summary of recommended changes
    • 1.11 Parting thoughts
  • Figures List
    • Figure 1 - The PCI Payment Model
    • Figure 2 - Rendering of a chip-card
    • Figure 3 - Payment Card transaction authorization
    • Figure 4 - Payment clearing
    • Figure 5 - Payment settlement
    • Figure 6 - London tower structure in 1597
    • Figure 7 - Castle vs. Network
    • Figure 8 - Summary of PCI DSS versions over time
    • Figure 9 - Attacker Approach
    • Figure 10 - 2016 Verizon DBIR "Birth and rebirth of a data breach"
    • Figure 11 - Porter 5 Forces
  • Tables List
    • Table 1 - PCI DSS High Level Overview
    • Table 2 - Merchant SAQ description
    • Table 3 - Determining Visa merchant levels
    • Table 4 - Verizon Recommended Key SANS Critical security controls with PCI DSS mapping
  • PCI DSS Glossary
    • PCI DSS Glossary