PCI Resources
A structured approach to the PCI standards

Volume 4 - Hypothetical Case Studies

  • Book Series
    • Book Series Introduction
    • Book Series Acknowledgments
  • Volume 4 - Hypothetical Case Studies
    • 4.1 Volume Introduction
      • 4.1.1 Assumptions
    • 4.2 - Jane's journey - Step 1 - A small side business
      • 4.2.1 Jane’s Flower Attic (JFA)
      • 4.2.2 Applying SAQ-B-IP using a cellular network connection to the payment device
        • 4.2.2.1 JFA Information Security Policy (simplified example)
    • 4.3 - Step 2 - Jane’s Flower Boutique (JFB)
      • 4.3.1 JFB firewall standard
    • 4.4 Step 3 - Jane’s Flower Chain (JFC)
      • 4.4.1 Network level controls
      • 4.4.2 Identification and Authentication controls
      • 4.4.3 Physical security controls
      • 4.4.4 System level controls
      • 4.4.5 Application level controls
      • 4.4.6 Logging and Monitoring
      • 4.4.7 Testing
      • 4.4.8 Governance, Policies, Procedures
      • 4.4.9 Incident Response
    • 4.5 - Step 4 - Jane's Flower Emporium (JFE)
      • 4.5.1 JFE Organizational Structure
      • 4.5.2 Best-practice in information security governance - Information security separate from IT
      • 4.5.3 Payment transaction
      • 4.5.4 Card present payments in stores and at delivery
      • 4.5.5 Customer Service and MOTO transactions
      • 4.5.6 eCommerce
      • 4.5.7 The Information Security Program (based on ISO 27002)
    • 4.6 Appendix - An introduction to the Merchant Self-Assessment Questionnaire (SAQ) selection process
      • 4.6.1 eCommerce SAQs
        • 4.6.1.1 SAQ-A
        • 4.6.1.2 SAQ-A-EP
      • 4.6.2 Physical payment devices
      • 4.6.3 Computer based payment applications
    • 4.7 Appendix - PCI DSS Scope Diagram Guidance v.1.0 for PCI DSS 3.2
      • 4.7.1 PCI DSS Scope Diagram Guidance Introduction
      • 4.7.2 Preamble
      • 4.7.3 Scope diagram requirements
      • 4.7.4 Updates and validation of the consistency of the diagrams
      • 4.7.5 Legends and color coding
      • 4.7.6 Sample diagrams
        • 4.7.6.1 Sample High-Level Diagram
        • 4.7.6.2 Sample Detailed Network Diagram
        • 4.7.6.3 Sample Data-Flow Diagram
      • 4.7.7 Complex cases
        • 4.7.7.1 Authentication, Authorization and Auditing
        • 4.7.7.2 Composite network segmentation cases