Table of Contents
Foreword 5
Acronyms and Abbreviations 8
Table of Contents 10
List of Figures 13
Chapter 1: The Stakes of Payment Security and the Road to v4.0 2
Why payment data is a target 2
The economics of a breach 3
What PCI DSS is, and what it is not 4
The road to v4.0 and v4.0.1 4
How this book is organized 6
Conclusion 7
Chapter 2: Inside the Standard: Six Goals, Twelve Requirements, Two Approaches 9
The structure: six goals, twelve requirements 9
Account data: what you protect, and what you must never keep 12
Who must comply, and how it is validated 13
Two approaches: defined and customized 13
Reading a requirement correctly 15
Conclusion 16
Chapter 3: Scoping the Cardholder Data Environment 17
What is in scope 17
Mapping the data flow 18
Segmentation: the lever that shrinks scope 19
Scope-reducing technologies 20
Keeping scope honest 21
Conclusion 21
Chapter 4: Build and Maintain a Secure Network and Systems (Requirements 1–2) 24
The threat these requirements answer 24
Requirement 1 – Install and maintain network security controls 25
Requirement 2 – Apply secure configurations to all system components 26
Putting it together 27
Chapter 5: Protect Account Data (Requirements 3–4) 30
The threat these requirements answer 30
Requirement 3 – Protect stored account data 31
Requirement 4 – Protect cardholder data in transit 32
Chapter 6: Maintain a Vulnerability Management Program (Requirements 5–6) 36
The threat these requirements answer 36
Requirement 5 – Protect against malicious software 37
Requirement 6 – Develop and maintain secure systems and software 37
Chapter 7: Implement Strong Access Control Measures (Requirements 7–9) 42
The threat these requirements answer 42
Requirement 7 – Least privilege and need-to-know 42
Requirement 8 – Identify and authenticate 43
Requirement 9 – Restrict physical access 44
Chapter 8: Regularly Monitor and Test Networks (Requirements 10–11) 47
The threat these requirements answer 47
Requirement 10 – Log and monitor all access 48
Requirement 11 – Test security regularly 49
Chapter 9: Maintain an Information Security Policy (Requirement 12) 52
The threat this requirement answers 52
What Requirement 12 expects 52
The continuous-compliance mindset 54
Chapter 10: From Gap Analysis to Go-Live: An Implementation Roadmap 57
Phase 1 – Scope and discover 57
Phase 2 – Assess the gaps 58
Phase 3 – Remediate and build 59
Phase 4 – Validate and attest 60
Phase 5 – Sustain as business as usual 60
Chapter 11: Assessment, Validation, and Working with a QSA 63
Merchant levels 63
Self-Assessment Questionnaires 65
The formal assessment and its artifacts 66
Working well with an assessor 66
Chapter 12: Challenges, Real-World Use Cases, and the Future of Payment Security 69
Recurring challenges and how to meet them 69
Use Case 1 – Mid-sized e-commerce retailer 70
Use Case 2 – SaaS payment service provider 71
Use Case 3 – Small brick-and-mortar merchant 72
A note for the Gulf region 73
The future of payment security 73
Conclusion: Compliance as a Practice, Not an Event 76
Appendix A: PCI DSS v4.0.1 Compliance Checklist 77
Appendix B: Cross-Framework Control Mapping 79
Appendix C: Practical Templates 81
Glossary 82
References 84
Topic Finder 86
About the Author 87
Source: PCI DSS v4.0 in Practice Play Book & TOOLKIT (PDF document, Best Practices in Cyber Security series), Mohamed Alshamey