PCI Compliance: Understand & Implement Effective PCI Data Security Standard Compliance

www.syngress.com
Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our customers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site.
SOLUTIONS WEB SITE
To register your book, visit www.syngress.com/solutions. Once registered, you can access our Web pages. There you may find an assortment of value-added features such as free e-books related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s).
ULTIMATE CDs
Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few.
DOWNLOADABLE E-BOOKS
For readers who can’t wait for hard copy, we offer most of our titles in downloadable Adobe PDF form. These e-books are often available weeks before hard copies, and are priced affordably.
SYNGRESS OUTLET
Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings.
SITE LICENSING
Syngress has a well-established program for site licensing our e-books onto servers in corporations, educational institutions, and large organizations. Contact us at sales@syngress.com for more information.
CUSTOM PUBLISHING
Many organizations welcome the ability to combine parts of multiple Syngress books, as well as their own content, into a single volume for their own internal use. Contact us at
for more information.
Visit us at
439_PCI_FM.qxd 6/4/07 4:00 PM Page i
Implementing Effective PCI Data Security Standards
Tony Bradley, Technical Editor
James D. Burton Jr.
Dr. Anton Chuvakin
Anatoly Elberg
Brian Freedman
David King
Scott Paladino
Paul Schooping
Elsevier, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.
Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Elsevier, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Elsevier, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY SERIAL NUMBER
001 HJIRTCV764
002 PO9873D5FG
003 829KM8NJH2
004 BAL923457U
005 CVPLQ6WQ23
006 VBP965T5T5
007 HJJJ863WD3E
008 2987GVTWMK
009 629MP5SDJT
010 IMWQ295T6T
PUBLISHED BY
Syngress Publishing, Inc.
Elsevier, Inc.
30 Corporate Drive
Burlington, MA 01803
PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance
Copyright © 2007 by Elsevier, Inc. All rights reserved. Printed in the United States of America. Except as permitted
under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by
any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with
the exception that the program listings may be entered, stored, and executed in a computer system, but they may
not be reproduced for publication.
Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN-13: 978-1-59749-165-5
Publisher: Amorette Pedersen
Page Layout and Art: Patricia Lupien
Acquisitions Editor: Andrew Williams
Copy Editor: Judy Eby
Technical Editor: Tony Bradley
Indexer: Odessa&Cie
Cover Designer: Michael Kavish
For information on rights, translations, and bulk sales, contact Matt Pedersen, Commercial Sales Director and Rights, at Syngress Publishing; email m.peder

Technical Editor
Tony Bradley (CISSP-ISSAP) is the Guide for the Internet/Network Security site on About.com, a part of The New York Times Company. He has written for a variety of other Web sites and publications, including BizTech Magazine, PC World, SearchSecurity.com, WindowsNetworking.com, Smart Computing magazine, and Information Security magazine. Currently a Security Consultant with BT INS in Houston, TX, Tony performs a wide range of information security tasks and functions. Tony has driven security policies and technologies for antivirus and incident response for Fortune 500 companies, and he has been network administrator and technical support for smaller companies.
Tony is a CISSP (Certified Information Systems Security Professional) and ISSAP (Information Systems Security Architecture Professional). He is Microsoft Certified as an MCSE (Microsoft Certified Systems Engineer) and MCSA (Microsoft Certified Systems Administrator) in Windows 2000 and an MCP (Microsoft Certified Professional) in Windows NT. Tony is recognized by Microsoft as an MVP (Most Valuable Professional) in Windows security.
On his About.com site, Tony has on average over 600,000 page views per month and over 30,000 subscribers to his weekly newsletter. He created a 10-part Computer Security 101 Class that has had thousands of participants since its creation and continues to gain popularity through word of mouth. In addition to his Web site and magazine contributions, Tony was also author of Essential Computer Security: Everyone’s Guide to E-mail, Internet, and Wireless Security (ISBN: 1597491144), coauthor of Hacker’s Challenge 3 (ISBN: 0072263040) and a contributing author to Winternals: Defragmentation, Recovery, and Administration Field Guide (ISBN: 1597490792), Combating Spyware in the Enterprise (ISBN: 1597490644), Syngress Force 2006 Emerging Threat Analysis: From Mischief to Malicious (ISBN: 1597490563), and Botnets: The Killer Web Applications (ISBN: 1597491357).
Acknowledgements
Taking a book from a concept and a vision to a finished, hard copy product is not an easy task. I want to thank Amy Pedersen of Syngress for staying on top of myself and the rest of the writers to keep the project on track. Amy had to put in some extra effort to juggle and replace authors as the project progressed, and her efforts are greatly appreciated. I also want to thank all of the contributing authors. Everyone has day jobs and personal lives and making a commitment to contribute to a book is often a challenge.
Dedication
This work is dedicated to my family. My wife Nicki, and my children Jordan, Dalton, Paige, Teegan, Ethan, Noah and Addison, as well as my in-laws have always been very proud and supportive of my efforts. Without their backing, I would not have the successes that I have had.
Contributors
James D. Burton Jr., CISSP, CISA, CISM, GSNA, is a Sr. I.T. Security Professional with over 12 years in the field. He is a well-known subject matter expert in the areas of IT security, information assurance and IT audit, and has worked as a consultant, trainer, and an adjunct professor. He has worked on projects or trained for major companies and organizations including Citibank, Global Healthcare Exchange, Idea Integration, Agilent Technologies, Northrop Grumman, SRS Technologies, Secure Banking Services, IP3, Inc. and the U.S. Marine Corps. He was an adjunct professor for Colorado Technical University, where he taught courses on foundations of security and security management at the bachelor and master level. James has an M.S. in Computer Science from Colorado Technical University (2002). He was also a contributing author to Cisco Security Professional’s Guide to Secure Intrusion Detection Systems (Syngress, 2003). James is currently working with Secure Banking Services performing IT audit services to the financial industry and is a trainer for IP3, Inc.
Dr. Anton Chuvakin, GCIA, GCIH, GCFA, is a recognized security expert and book author. In his current role as a Director of Product Management with LogLogic, a log management and intelligence company, he is involved with defining and executing on a product vision and strategy, driving the product roadmap, conducting research as well as assisting key customers with their LogLogic implementations. He was previously a Chief Security Strategist with a security information management company. A frequent conference speaker, he also represents the company at various security meetings and standards organizations. He is an author of the book “Security Warrior” and a contributor to Know Your Enemy II, Information Security Management Handbook, and Hacker’s Challenge 3. Anton also published numerous papers on a broad range of security subjects. In his spare time he maintains his security portal and several blogs. Anton would like to thank Jason Chan for his help reviewing his chapters’ contents. Finally, Anton would like to dedicate his book chapters to his lovely wife, Olga.
Anatoly Elberg, QSA, CISSP, has over 10 years of experience and is an accomplished security professional. His focus includes IT governance, regulatory compliance, and risk management. Anatoly has implemented strategic information security management programs for large technology, financial, retail, and telecommunications companies. Currently he is a Principal Consultant and a regional security practice lead at BT INS. Anatoly has been working with Visa’s Cardholder Information Security Program (CISP) requirements since 2004, and is certified by the PCI Security Standards Council as a Qualified Security Assessor (QSA). In addition, Anatoly holds the CISSP, MCSE, CHSP, NSA IAM, and NSA IEM certifications. He has a bachelor’s degree from the University of Texas at Austin, and is a member of the Information Systems Auditing and Controls Association (ISACA).
Brian Freedman (CISSP, MCSE, CCEA, CCNA) is the Director of Infrastructure Services and Security with Benefitfocus. Benefitfocus is the leader in software and services for the healthcare benefits market headquartered in Charleston, South Carolina. Brian manages the Infrastructure that runs the applications Benefitfocus creates. As Benefitfocus has grown, Brian has also taken on the role of the compliance officer for the organization, where he has led compliance efforts for both the Payment Card Industry Data Security Standards and HIPAA. His specialties include Cisco networking, voice over IP and security, Microsoft Windows Servers, Microsoft Exchange, Data Center Design and Maintenance, and HIPAA and PCI DSS compliance efforts.
Brian holds a bachelor’s degree from the University of Miami, and currently resides in Charleston, SC with his wife Starr, and children Myles, Max, and Sybil.
David King (CISSP) is the CEO of Remote Checkup, Inc. He has worked with credit card industry security standards since 2004. As the IT director of an e-commerce company he helped them comply with these standards. Since then he built a company from the ground up that has become a PCI approved scanning vendor. He currently consults with companies to help them meet PCI requirements using open source solutions whenever possible. Leveraging his background in system administration and coding, he also helps companies develop custom solutions that help them bridge gaps in compliance. David has taught courses in system administration, networking, and security at a local college. He holds a bachelor’s degree in computer science from Brigham Young University and currently lives in American Fork, UT with his family, Megan and Sabrina.
Scott Paladino (CISSP) is a security architect with EDS (www.eds.com), a leading global technology services company. He is the Engineering Organization Leader at EDS supporting identity, access, and other security solutions across a variety of industries.
Paul Schooping (CISSP) is a Security Engineer for a leading global technology services company. He currently participates in the design, implementation and support of global security and privacy solutions. Paul’s background includes experience as the Global Antivirus and Vulnerability Manager for a Fortune 500 Company and the development of an enterprise Emergency Security Response Team. His specialties include Antivirus, vulnerability assessment, reverse engineering of malware, and encryption technologies. Paul holds a bachelor’s degree in psychology and formerly served in multiple youth ministry positions. He currently resides in Rochester, NY with his wife Margaret, and two daughters, Rachel and Rebecca.
Contents
Chapter 1 About PCI and This Book . . . . . . . . . . . . . . . . . . 1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2
Who Should Read This Book? . . . . . . . . . . . . . . . . . . . .2
Organization of the Book . . . . . . . . . . . . . . . . . . . . . . . .3
Solutions In This Chapter . . . . . . . . . . . . . . . . . . . . . .3
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . .3
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . .4
Chapter Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . .4
Chapter 2 Introduction to Fraud, ID Theft, and Regulatory Mandates . . . . . . . . . . . . . . . . . . . . 7
Chapter 3 Why PCI Is Important . . . . . . . . . . . . . . . . . . . . 11
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12
What is PCI? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12
Who Must Comply With the PCI? . . . . . . . . . . . . . . . .12
Dates to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Compliance Process . . . . . . . . . . . . . . . . . . . . . . . . . . .17
Roots of PCI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
More about PCI Co . . . . . . . . . . . . . . . . . . . . . . . . . . .21
Approved Assessor and Scanner Companies . . . . . . . . . .22
Qualified Security Assessors . . . . . . . . . . . . . . . . . . . . . .23
Overview of PCI Requirements . . . . . . . . . . . . . . . . . . . . .23
Risks and Consequences . . . . . . . . . . . . . . . . . . . . . . . . . . .26
Benefits of Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . .31
Chapter 4 Building & Maintaining a Secure Network . . . 33
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
Installing and Maintaining a Firewall Configuration . . . . . . .35
Firewall Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
Packet-filtering Firewalls . . . . . . . . . . . . . . . . . . . . . .35
Proxy Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36
Stateful Inspection Firewalls . . . . . . . . . . . . . . . . . . .38
Firewall Architectures . . . . . . . . . . . . . . . . . . . . . . . . . .39
Dual-Homed Host . . . . . . . . . . . . . . . . . . . . . . . . . .39
Screened Host . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40
Screened Subnet . . . . . . . . . . . . . . . . . . . . . . . . . . . .41
Dual Firewall Configuration . . . . . . . . . . . . . . . . . . .42
PCI DSS Requirements . . . . . . . . . . . . . . . . . . . . . . . .43
Establish Firewall Configuration Standards . . . . . . . . .43
Build Secure Firewall Configurations . . . . . . . . . . . . .45
Choosing an Intrusion Detection or Intrusion Prevention System . . . . . . . . . . . . . . . . . . . . . .48
Intrusion Detection Systems . . . . . . . . . . . . . . . . . . . . .49
Intrusion Prevention Systems . . . . . . . . . . . . . . . . . . . . .52
Antivirus Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53
Gateway Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . .53
Desktop and Server Protection . . . . . . . . . . . . . . . . . . .53
System Defaults and Other Security Parameters . . . . . . . . . .54
Default Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . .55
SNMP Defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .56
Delete Unnecessary Accounts . . . . . . . . . . . . . . . . . . . .56
Wireless Considerations . . . . . . . . . . . . . . . . . . . . . . . . .57
Develop Configuration Standards . . . . . . . . . . . . . . . . . .58
Implement Single Purpose Servers . . . . . . . . . . . . . .59
Configure System Security Parameters . . . . . . . . . . . .59
Disable and Remove Unnecessary Services, Protocols and Functionality . . . . . . . . . . . . .60
Encrypt Non-console Administrative Access . . . . . . . .60
Hosting Providers Must Protect Hosted Environment 61
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . .65
Chapter 5 Protect Cardholder Data . . . . . . . . . . . . . . . . . . 67
Protecting Cardholder Data . . . . . . . . . . . . . . . . . . . . . . . . .68
The CIA Triad . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68
PCI Requirement 3: Protect Stored Cardholder Data . . . . . .69
Encryption Methods for Data at Rest . . . . . . . . . . . . . .69
File- or Folder-level Encryption . . . . . . . . . . . . . . . .70
Full Disk Encryption . . . . . . . . . . . . . . . . . . . . . . . .71
Implications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .72
Database (Column-level) Encryption . . . . . . . . . . . . .73
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75
Other Encryption Method Considerations . . . . . . . . .75
PCI Requirement 4—Encrypt Transmission of Cardholder Data Across Open, Public Networks . . . . . . . . .76
Requirement 4.1—Cryptography and Protocols . . . . . . .76
SSL/TLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77
Securing Wireless Networks Transmitting Cardholder Data . . . . . . . . . . . . . . . . . .78
Defining WiFi . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79
Using Compensating Controls . . . . . . . . . . . . . . . . . . . . . . .80
Compensating Controls for Requirement 3.4 . . . . . . . . .81
Provide Additional Segmentation/Abstraction (e.g., at the Network Layer) . . . . . . . . . .82
Provide Ability to Restrict Access to Cardholder Data or Databases . . . . . . . . . .82
Restrict Logical Access to the Database . . . . . . . . . . .83
Prevent/Detect Common Application or Database Attacks . . . . . . . . . . . . . . . .84
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .84
Mapping Out a Strategy . . . . . . . . . . . . . . . . . . . . . . . . . . .85
Step 1—Identify and Classify Information . . . . . . . . . . .85
Step 2—Identify Where the Sensitive Data is Located . . .86
Step 3—Determine Who and What Needs Access . . . . .86
Step 4—Develop Policies Based On What You Have Identified . . . . . . . . . . . . . . . . . . . .86
The Absolute Essentials . . . . . . . . . . . . . . . . . . . . . . . . . . . .87
Keep Cardholder Storage to a Minimum . . . . . . . . . . . .87
Do Not Store Sensitive Authentication Data Subsequent to Authorization . . . . .87
Mask the PAN When Displayed . . . . . . . . . . . . . . . . . . .87
Render PAN (at Minimum) Unreadable Anywhere it is Stored . . . . . . . . . . . . . . . . .88
Protect Encryption Keys Used for Encryption of Cardholder Data Against Both Disclosure and Misuse . . .88
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .89
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .89
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . .91
Chapter 6 Logging Access & Events . . . . . . . . . . . . . . . . . . 93
Introduction to Logging . . . . . . . . . . . . . . . . . . . . . . . . . .94
Tools and Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96
PCI Relevance of Logs . . . . . . . . . . . . . . . . . . . . . . . . .97
Logging in PCI Requirement 10 . . . . . . . . . . . . . . . . . . . . .98
Are You Owned . . . . . . . . . . . . . . . . . . . . . . . . . . .101
Logging in PCI – All Other Requirements . . . . . . . . . . . .104
Tools for Logging in PCI . . . . . . . . . . . . . . . . . . . . . . . . .110
Alerts – Used For Real-time Monitoring of In-scope Servers . . . . . . . . . . . . . . . .117
Reports – Used for Daily Review of Pre-analyzed Data . . . . . . . . . . . . . . . . .118
Case Studies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .119
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .122
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .122
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .123
Chapter 7 Strong Access Control. . . . . . . . . . . . . . . . . . . 125
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .126
Principles of Access Control . . . . . . . . . . . . . . . . . . . . . . .126
Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .126
Confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .127
Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .127
How Much Access Should a User Have . . . . . . . . . . . . . .127
Authentication and Authorization . . . . . . . . . . . . . . . . . . .128
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .128
Multi-factor Authentication . . . . . . . . . . . . . . . . . . .129
Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .129
PCI Compliant Passwords . . . . . . . . . . . . . . . . . . . .131
Educating Users . . . . . . . . . . . . . . . . . . . . . . . . . . .131
Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .133
PCI and Access Control . . . . . . . . . . . . . . . . . . . . . . . . . .134
Processes for PCI Compliance . . . . . . . . . . . . . . . . . .135
Configuring Systems to Enforce PCI Compliance . . . . . . .138
Windows and PCI Compliance . . . . . . . . . . . . . . . . . .140
Windows File Access Control . . . . . . . . . . . . . . . . .140
Creating a New Group Policy Object . . . . . . . . . . .142
Enforcing a PCI Compliant Password Policy in Windows Active Directory . . . . .142
Configuring Account Lockout in Active Directory . .144
Setting Session Timeout and Password-protected Screen Savers in Active Directory . . . . . . .145
Setting File Permissions Using GPOs . . . . . . . . . . . .147
Finding Inactive Accounts in Active Directory . . . . .149
Enforcing Password Requirements in Windows on Standalone Computers . . . . . . . . . .150
Enabling Password Protected Screen Savers on Standalone Windows Computers . .152
Setting File Permissions on Standalone Windows Computers . . . . . . . . . . . .153
POSIX (UNIX/Linux-like Systems) Access Control . . .154
Linux Enforce Password Complexity Requirements . . .156
Cisco and PCI Requirements . . . . . . . . . . . . . . . . . . .156
CISCO Enforce Session Timeout . . . . . . . . . . . . . .157
Encrypt Cisco Passwords . . . . . . . . . . . . . . . . . . . . .157
Database Access and PCI Requirements . . . . . . . . . . . .157
Physical Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .157
Visitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .158
Physical Security and Media . . . . . . . . . . . . . . . . . . . .159
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .161
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .161
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .162
Chapter 8 Vulnerability Management. . . . . . . . . . . . . . . 165
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .166
Vulnerability Management in PCI . . . . . . . . . . . . . . . . . . .167
Requirement 5 Walkthrough . . . . . . . . . . . . . . . . . . . . . . .171
Requirement 6 Walkthrough . . . . . . . . . . . . . . . . . . . . . . .172
Requirement 11 Walkthrough . . . . . . . . . . . . . . . . . . . . . .176
Common PCI Vulnerability Management Mistakes . . . . . .179
Case Studies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .180
PCI at a Retail Chain . . . . . . . . . . . . . . . . . . . . . . . . .180
PCI at an E-commerce Site . . . . . . . . . . . . . . . . . . . . .182
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .183
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .183
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .184
Chapter 9 Monitoring and Testing . . . . . . . . . . . . . . . . . 185
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .186
Monitoring Your PCI DSS Environment . . . . . . . . . . . . . .186
Establishing Your Monitoring Infrastructure . . . . . . . . .187
Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .187
Identity Management . . . . . . . . . . . . . . . . . . . . . . .189
Event Management Storage . . . . . . . . . . . . . . . . . . .190
Determining What You Need to Monitor . . . . . . . . . . .192
Applications Services . . . . . . . . . . . . . . . . . . . . . . .192
Infrastructure Components . . . . . . . . . . . . . . . . . . .193
Determining How You Need to Monitor . . . . . . . . . . .195
Deciding Which Tools Will Help You Best . . . . . . . . . .197
Auditing Network and Data Access . . . . . . . . . . . . . . . . . .198
Searching Your Logs . . . . . . . . . . . . . . . . . . . . . . . . . . .198
Testing Your Monitoring Systems and Processes . . . . . . . . .199
Network Access Testing . . . . . . . . . . . . . . . . . . . . . . . .199
Penetration Testing . . . . . . . . . . . . . . . . . . . . . . . . . . .199
Intrusion Detection and Prevention . . . . . . . . . . . . . . .200
Intrusion Detection . . . . . . . . . . . . . . . . . . . . . . . .200
Intrusion Prevention . . . . . . . . . . . . . . . . . . . . . . . .200
Integrity Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . .201
What are You Monitoring? . . . . . . . . . . . . . . . . . . .201
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .202
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .203
Chapter 10 How to Plan a Project to Meet Compliance 205
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .206
Justifying a Business Case for Compliance . . . . . . . . . . . . .206
Figuring Out If You Need to Comply . . . . . . . . . . . . .207
Compliance Overlap . . . . . . . . . . . . . . . . . . . . . . .207
The Level of Compliance . . . . . . . . . . . . . . . . . . . . . .209
What is the Cost for Non-compliance? . . . . . . . . . . . .210
Penalties for Non-compliance . . . . . . . . . . . . . . . .210
Bringing All the Players to the Table . . . . . . . . . . . . . . . . .211
Obtaining Corporate Sponsorship . . . . . . . . . . . . . . . .211
Forming Your Compliance Team . . . . . . . . . . . . . . . . .212
Roles and Responsibilities of Your Team . . . . . . . . .212
Getting Results Fast . . . . . . . . . . . . . . . . . . . . . . . . . .213
Helping to Budget Time and Resources . . . . . . . . . . . . . . .214
Setting Expectations . . . . . . . . . . . . . . . . . . . . . . . . . .214
Management’s Expectations . . . . . . . . . . . . . . . . . . .215
Establishing Goals and Milestones . . . . . . . . . . . . . . . .215
Having Status Meetings . . . . . . . . . . . . . . . . . . . . . . . .217
How to Inform/Train Staff on Issues . . . . . . . . . . . . . . . . .217
Training Your Compliance Team . . . . . . . . . . . . . . . . . .217
Training the Company on Compliance . . . . . . . . . . . .218
Setting Up the Corporate Compliance Training Program . . . . . . . . . . . . . . . . .218
Where to Start:The First Steps . . . . . . . . . . . . . . . . . . . . .220
The Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .220
Step 1: Obtain Corporate Sponsorship . . . . . . . . . . .220
Step 2: Identify and Establish Your Team . . . . . . . . . .221
Step 3: Determine your PCI Merchant Level . . . . . .221
Step 4: Complete the PCI DSS Self-assessment Questionnaire . . . . . . . . . . . . .222
Step 5: Get an External Network Scan from an Approved Scanning Vendor . . . . . . . . .222
Step 6: Get Validation from a Qualified Security Assessor . . . . . . . . . . . . . . . . . . .223
Step 7: Perform a Gap Analysis . . . . . . . . . . . . . . . .223
Step 8: Create PCI DSS Compliance Plan . . . . . . . .224
Step 9: Prepare for Annual Audit of Compliance Validation . . . . . . . . . . . . . . .224
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .226
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .227
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .229
Chapter 11 Responsibilities . . . . . . . . . . . . . . . . . . . . . . . 233
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .234
Whose Responsibility Is It? . . . . . . . . . . . . . . . . . . . . . . . .234
CEO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .235
CISO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .235
CIO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .239
Security and System Administrators . . . . . . . . . . . . . . .239
Additional Resources . . . . . . . . . . . . . . . . . . . . . . . . . .239
Incident Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .240
Incident Response Team . . . . . . . . . . . . . . . . . . . . . . .241
Incident Response Plan . . . . . . . . . . . . . . . . . . . . . . . .241
Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .242
Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .244
Liabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .245

Business Continuity . . . . . . . . . . . . . . . . . . . . . . . . . . . . .246
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .247
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .251
Chapter 12 Planning to Fail Your First Audit . . . . . . . . . 255
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .256
Remember, Auditors Are There to Help You . . . . . . . . . . .256
Dealing With Auditor’s Mistakes . . . . . . . . . . . . . . . . . . . .258
Planning for Remediation . . . . . . . . . . . . . . . . . . . . . . . . .260
Planning for Your Retest . . . . . . . . . . . . . . . . . . . . . . . . .267
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .268
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .268
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .269
Chapter 13 You’re Compliant, Now What . . . . . . . . . . . 271
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .272
Security is a PROCESS, Not an Event . . . . . . . . . . . . . . . .272
Plan for Periodic Review and Training, Don’t Stop Now! . .273
PCI Self-Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .275
Requirement 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .276
1.1 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . . .276
1.2 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . . .277
1.2 Hands-on Assessments . . . . . . . . . . . . . . . . . . . .277
1.3 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . . .278
1.3 Hands-on Assessments . . . . . . . . . . . . . . . . . . . .279
1.4 Policy Check . . . . . . . . . . . . . . . . . . . . . . . . . .279
1.4 Hands-on Assessment . . . . . . . . . . . . . . . . . . . .279
1.5 Policy Check . . . . . . . . . . . . . . . . . . . . . . . . . .280
1.5 Hands-on Assessment . . . . . . . . . . . . . . . . . . . .280
Requirement 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .280

2.1 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . . .280
2.1 Hands-on Assessment . . . . . . . . . . . . . . . . . . . .280
2.2 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . . .281
2.2 Hands-on Assessments . . . . . . . . . . . . . . . . . . . .281
2.3 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . . .282
2.3 Hands-on Assessments . . . . . . . . . . . . . . . . . . . .282
2.4 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . . .282
2.4 Hands-on Assessments . . . . . . . . . . . . . . . . . . . .282
Requirement 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .283
3.1 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . . .283
3.1 Hands-on Assessments . . . . . . . . . . . . . . . . . . . .283
3.2 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . . .284
3.2 Hands-on Assessments . . . . . . . . . . . . . . . . . . . .284
3.3 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . . .288
3.3 Hands-on Assessments . . . . . . . . . . . . . . . . . . . .288
3.4 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . . .288
3.4 Hands-on Assessments . . . . . . . . . . . . . . . . . . . .288
3.5 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . . .289
3.5 Hands-on Assessments . . . . . . . . . . . . . . . . . . . .289
3.6 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . . .289
3.6 Hands-on Assessments . . . . . . . . . . . . . . . . . . . .290
Requirement 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .290
4.1 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . . .290
4.1 Hands-on Assessments . . . . . . . . . . . . . . . . . . . .291
4.2 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . . .292
4.2 Hands-on Assessments . . . . . . . . . . . . . . . . . . . .292
Requirement 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .292
5.1 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . . .292
5.1 Hands-on Assessments . . . . . . . . . . . . . . . . . . . .292
5.2 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . . .292

5.2 Hands-on Assessments . . . . . . . . . . . . . . . . . . . .292
Requirement 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .293
6.1 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . . .293
6.1 Hands-on Assessment . . . . . . . . . . . . . . . . . . . .293
6.2 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . . .293
6.2 Hands-on Assessment . . . . . . . . . . . . . . . . . . . .293
6.3 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . . .293
6.3 Hands-on Assessment . . . . . . . . . . . . . . . . . . . .294
6.4 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . . .295
6.4 Hands-on Assessment . . . . . . . . . . . . . . . . . . . .295
6.5 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . . .295
6.5 Hands-on Assessment . . . . . . . . . . . . . . . . . . . .296
6.6 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . . .296
6.6 Hands-on Assessment . . . . . . . . . . . . . . . . . . . .296
Requirement 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .296
7.1 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . . .296
7.1 Hands-on Assessment . . . . . . . . . . . . . . . . . . . .296
7.2 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . . .297
7.2 Hands-on Assessment . . . . . . . . . . . . . . . . . . . .297
Requirement 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .297
8.1 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . . .297
8.1 Hands-on Assessment . . . . . . . . . . . . . . . . . . . .297
8.2 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . . .298
8.2 Hands-on Assessment . . . . . . . . . . . . . . . . . . . .298
8.3 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . . .298
8.3 Hands-on Assessment . . . . . . . . . . . . . . . . . . . .298
8.4 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . . .298
8.4 Hands-on Assessment . . . . . . . . . . . . . . . . . . . .298

8.5 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . . .299
8.5 Hands-on Assessment . . . . . . . . . . . . . . . . . . . .300
Requirement 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .301
9.1 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . . .301
9.1 Hands-on Assessment . . . . . . . . . . . . . . . . . . . .301
9.2 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . . .302
9.2 Hands-on Assessment . . . . . . . . . . . . . . . . . . . .302
9.3 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . . .302
9.3 Hands-on Assessment . . . . . . . . . . . . . . . . . . . .302
9.4 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . . .302
9.4 Hands-on Assessment . . . . . . . . . . . . . . . . . . . .303
9.5 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . . .303
9.5 Hands-on Assessment . . . . . . . . . . . . . . . . . . . .303
9.6 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . . .303
9.6 Hands-on Assessment . . . . . . . . . . . . . . . . . . . .303
9.7 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . . .303
9.7 Hands-on Assessment . . . . . . . . . . . . . . . . . . . .303
9.8 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . . .304
9.8 Hands-on Assessment . . . . . . . . . . . . . . . . . . . .304
9.9 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . . .304
9.9 Hands-on Assessment . . . . . . . . . . . . . . . . . . . .304
9.10 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . .304
9.10 Hands-on Assessment . . . . . . . . . . . . . . . . . . .304
Requirement 10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . .305
10.1 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . .305
10.1 Hands-on Assessment . . . . . . . . . . . . . . . . . . .305
10.2 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . .305
10.2 Hands-on Assessment . . . . . . . . . . . . . . . . . . .305

10.3 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . .305
10.3 Hands-on Assessment . . . . . . . . . . . . . . . . . . .306
10.4 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . .306
10.4 Hands-on Assessment . . . . . . . . . . . . . . . . . . .306
10.5 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . .306
10.5 Hands-on Assessment . . . . . . . . . . . . . . . . . . .307
10.6 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . .307
10.6 Hands-on Assessment . . . . . . . . . . . . . . . . . . .307
10.7 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . .307
10.7 Hands-on Assessment . . . . . . . . . . . . . . . . . . .307
Requirement 11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . .307
11.1 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . .308
11.1 Hands-on Assessment . . . . . . . . . . . . . . . . . . .308
11.2 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . .308
11.2 Hands-on Assessment . . . . . . . . . . . . . . . . . . .308
11.3 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . .309
11.3 Hands-on Assessment . . . . . . . . . . . . . . . . . . .309
11.4 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . .309
11.4 Hands-on Assessment . . . . . . . . . . . . . . . . . . .309
11.5 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . .309
11.5 Hands-on Assessment . . . . . . . . . . . . . . . . . . .309
Requirement 12 . . . . . . . . . . . . . . . . . . . . . . . . . . . . .310
12.1 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . .310
12.1 Hands-on Assessment . . . . . . . . . . . . . . . . . . .310
12.2 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . .310
12.2 Hands-on Assessment . . . . . . . . . . . . . . . . . . .310
12.3 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . .310
12.3 Hands-on Assessment . . . . . . . . . . . . . . . . . . .311

12.4 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . .312
12.4 Hands-on Assessment . . . . . . . . . . . . . . . . . . .312
12.5 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . .312
12.5 Hands-on Assessment . . . . . . . . . . . . . . . . . . .312
12.6 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . .312
12.6 Hands-on Assessment . . . . . . . . . . . . . . . . . . .312
12.7 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . .313
12.7 Hands-on Assessment . . . . . . . . . . . . . . . . . . .313
12.8 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . .313
12.8 Hands-on Assessment . . . . . . . . . . . . . . . . . . .313
12.9 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . . .313
12.9 Hands-on Assessment . . . . . . . . . . . . . . . . . . .313
12.10 Policy Checks . . . . . . . . . . . . . . . . . . . . . . . .314
12.10 Hands-on Assessment . . . . . . . . . . . . . . . . . .314
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .315
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .315
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .316
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Chapter 1 About PCI and This Book
439_PCI_01.qxd 6/4/07 4:02 PM Page 1