HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
linkedin_logo.png rss_logo.jpg
twitter_logo.png youtube_logo.jpg
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 61 guests and 1 member online
 
Advertisement

You are here: Home arrow Ethical Hacking Discussions and Related Certificationsarrow Compliance, Regulations & Standardsarrow Free eBook - PCI For Dummies by Qualys
EH-Net
May 22, 2013, 02:43:00 AM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: Go back to The Ethical Hacker Network Online Magazine Home Page
 
   Home   Help Calendar Login Register  
Pages: [1] 2   Go Down
« previous next »
  Print  
Author Topic: Free eBook - PCI For Dummies by Qualys  (Read 18161 times)
0 Members and 1 Guest are viewing this topic.
don
Editor-In-Chief
Administrator
Hero Member
*****
Online Online

Posts: 4165


Editor-In-Chief


View Profile WWW
« on: August 19, 2009, 08:19:54 PM »
Got a copy of this at Black Hat. If you're new to PCI, this is a great free resource. Granted you have to fill out their form, but there are worse fates.

Quote

Download this Free Book: Get the Facts on PCI Compliance and Learn How to Comply with the PCI Data Security Standard

Complying with the PCI Data Security Standard may seem like a daunting task for merchants. This book is a quick guide to understanding how to protect cardholder data and comply with the requirements of PCI - from surveying the standard's requirements to detailing steps for verifying compliance.

PCI Compliance for Dummies arms you with the facts, in plain English, and shows you how to achieve PCI Compliance. In this book you will discover:

- What the Payment Card Industry Data Security Standard (PCI DSS) is all about
- The 12 Requirements of the PCI Standard
- How to comply with PCI
- 10 Best-Practices for PCI Compliance
- How QualysGuard PCI simplifies PCI compliance


Get it here:
http://www.qualys.com/forms/ebook/pcifordummies/

Don
Logged
CISSP, MCSE, CSTA, Security+ SME
Ketchup
Hero Member
*****
Offline Offline

Posts: 1021



View Profile
« Reply #1 on: August 19, 2009, 09:57:40 PM »
Well the Qualsys folks are already spamming me, so this is a win / win situation for me.   I was always curious about who is doing PCI audits outside of the big five consulting companies.   
Logged
~~~~~~~~~~~~~~
Ketchup
UNIX
Hero Member
*****
Offline Offline

Posts: 1235


View Profile
« Reply #2 on: August 20, 2009, 12:12:10 AM »
Just curious, but who are the big five consulting companies?

Thanks Don for the Link, sounds interesting. Smiley
Logged
ethicalhack3r
Full Member
***
Offline Offline

Posts: 139


View Profile WWW
« Reply #3 on: August 20, 2009, 02:35:45 AM »
Thanks for the link. Will have a read when I have some spare time.
Logged
Ketchup
Hero Member
*****
Offline Offline

Posts: 1021



View Profile
« Reply #4 on: August 20, 2009, 07:33:25 AM »
Awesec, I have always that they were Andersen Consulting, Delloitte, KPMG, Price Waterhouse Cooper, and Ernst & Young.   They are the ones doing most of the audits out there.   I was told that only they can actually certify you as PCI compliant.   I am not even sure what that means.   
Logged
~~~~~~~~~~~~~~
Ketchup
BillV
Hero Member
*****
Offline Offline

Posts: 1892


View Profile WWW
« Reply #5 on: August 20, 2009, 08:39:48 AM »
Quote from: Ketchup on August 20, 2009, 07:33:25 AM
Awesec, I have always that they were Andersen Consulting, Delloitte, KPMG, Price Waterhouse Cooper, and Ernst & Young.   They are the ones doing most of the audits out there.   I was told that only they can actually certify you as PCI compliant.   I am not even sure what that means.   

Shouldn't any QSA be able to certify someone as PCI compliant? Isn't that the point of the program? Why else would someone spend $25K (last I checked) to get the QSA qualification?
Logged
Ketchup
Hero Member
*****
Offline Offline

Posts: 1021



View Profile
« Reply #6 on: August 20, 2009, 09:01:24 AM »
Bill, I have no idea.  I  was hoping to get a straight answer to that question, but I have been told conflicting stories.   I am going to read that PCI for Dummies book Smiley
Logged
~~~~~~~~~~~~~~
Ketchup
BillV
Hero Member
*****
Offline Offline

Posts: 1892


View Profile WWW
« Reply #7 on: August 20, 2009, 09:10:16 AM »
Haha, oh well. Let me know what you find out - if it mentions it in that book (or I may just sign-up and grab a copy). It's been a while since I looked into PCI ASV/QSA stuff, but for the costs involved I figured that was the point.
Logged
UNIX
Hero Member
*****
Offline Offline

Posts: 1235


View Profile
« Reply #8 on: August 20, 2009, 10:51:16 AM »
Thanks Ketchup, didn't hear of all of them.

$25K sounds a little much for a certification. :O
Logged
BillV
Hero Member
*****
Offline Offline

Posts: 1892


View Profile WWW
« Reply #9 on: August 20, 2009, 11:00:50 AM »
Quote from: awesec on August 20, 2009, 10:51:16 AM
$25K sounds a little much for a certification. :O

Yeah, but if those wanting to be PCI compliant are required to be scanned by an ASV or analyzed by a QSA, then it makes sense as to why the prices are high (as you could certainly charge quite a bit for your services). Again, I haven't looked at PCI stuff in over a year, but that was the case last I had checked.
Logged
g00d_4sh
Sr. Member
****
Offline Offline

Posts: 394



View Profile
« Reply #10 on: August 20, 2009, 03:24:39 PM »
PCI... HIPA... ohhh how I hate you all.  I worked on a POS system earlier this month, they were full of viruses... running built in admin for all users... surfing the web.  I tried to encourage them to work on thier security, by mentioning some of the highlights out of PCI etc.  The whole... "if you are playing with my credit card, for gods sake don't have the system be the same one you check your yahoo mail and gossip sites on.  It'sa smoothy bar.  Hot girls, not hot on security though.  Meh.  Either way, yeah I guess it would be an interesting cert to get for testing for compliance etc.  Interesting if you can get a business to pay for it that is.  Heh.
Logged
"Bad.. Good?  I'm the guy with the gun"
Ketchup
Hero Member
*****
Offline Offline

Posts: 1021



View Profile
« Reply #11 on: August 20, 2009, 03:44:54 PM »
g00d_4sh, I've been looking into this.   It seems like it's not that difficult to become a QSA.   There is a crap load of paperwork it seems, for the company.   You have to go through training, which is not expensive $1200, and pay a fee.

https://www.pcisecuritystandards.org/qsa_asv/become_qsa.shtml
Logged
~~~~~~~~~~~~~~
Ketchup
g00d_4sh
Sr. Member
****
Offline Offline

Posts: 394



View Profile
« Reply #12 on: August 20, 2009, 03:56:45 PM »
Nice link/info Ketchup.  Smiley  Thanks for the info.
Logged
"Bad.. Good?  I'm the guy with the gun"
jakinne
Newbie
*
Offline Offline

Posts: 13


View Profile WWW
« Reply #13 on: August 20, 2009, 06:16:40 PM »
Aside from the $1250 fee for the exam, there is a 5yr. infosec experience requirement (or a CISSP/CISM/CISA).

Many of you may not have to worry about this, but what about those of us that don't have that 5yrs. of resume experience?

This also applies to qualifying for certs like the CISSP and others...but doesn't the X years of experience seem kind of arbitrary?  If you have the knowledge necessary to pass the exam, plus the endorsement, what does the time get you?

What are others experiences in this regard?

Thanks,
Justin
Logged
Ketchup
Hero Member
*****
Offline Offline

Posts: 1021



View Profile
« Reply #14 on: August 20, 2009, 06:33:30 PM »
Justin,

Most of us that have an interest in security are closer than you realize to the minimum number of years of experience required to sit for these exams.  It's really how you structure you resume.   For example, if you are currently employed as Network Administrator, chances are you are responsible for at least some of Operations security, such as keeping servers patched, AntiVirus deployed, etc.  When you put all this together, you are closer than you think to the number of years required.  Remember, it's not experience in all domains of security, it's one or more.   

When you sit for these exams, you have to structure your resume in such a way that it emphasizes your security experience.  In the CISSP sense, actually indicate that you are responsible for a particular area of security on your resume. 

Regarding the PCI experience requirement, I actually think it should be more than 5 years.   As many of us have seen there are a ton of auditors out there who are not worth a dime.   I don't mean to sound pompous, but passing an exam just demonstrates that you can take tests.   Experience counts more than anything in my opinion.  Would you really want someone who simply passed an exam looking after your credit card information?  Don't get me wrong, the CISSP test is not easy, but in my opinion it doesn't prove that you can tell <insert retailer here> how to store financial and personal data. 
Logged
~~~~~~~~~~~~~~
Ketchup
Pages: [1] 2   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.18 | SMF © 2013, Simple Machines
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 0.07 seconds with 24 queries.
 
Exclusive Deal

sansfire13_245x90_cw90.jpg
SANSFIRE 2013
June 15 - 22

5% Off w/ Code: EHN_5

SANS Deals 4 EH-Netters
5% OFF Any SANS Course in Any Format!
Coupon Code: EHN_5 Including SANS Rocky Mountain 2013 & SANS Boston 2013
Polls
Compared to this year, 2013 will be:
 
Recent Forum Topics
EH-Net News Feeds
Latest Additions
 
         
Free Business and Tech Magazines and eBooks

© 2013 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.