Old friend and former MS MVP, Joel Dubin (The IT Security Guy), has tons of experience dealing with PCI working with Trustwave. So I thought he was the perfect person to review this book. Thankfully he said yes. Much appreciated.
[Article] Book Review: PCI Compliance

Review by Joel Dubin, CISSP

The Payment Card Industry Data Security Standard (PCI DSS) has taken it on the chin recently. With several high-profile breaches of credit card numbers, some critics of the industry standard have said it either isn’t strong enough, or should be abolished altogether. But as Dr. Anton Chuvakin and Branden Williams correctly point out in the second edition of their book, PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance, PCI is here to stay.
This is no ordinary field manual to the PCI standard. It isn’t a book, for example, that a PCI auditor, called a Qualified Security Assessor (QSA), would have open on their lap as a reference while working with a client. Instead it carefully weaves together PCI, which is considered compliance, with IT security. In fact, it also discusses PCI in the universe of other regulatory compliance standards, like SOX and HIPAA, which also give IT managers plenty of headaches.
The book correctly notes that compliance isn’t the same as security, a common misconception of PCI critics, but that it is part of a sound IT security program covering both bases, compliance and security, and not narrowly focused on PCI but on other standards as well. That’s good news for IT managers suffering from compliance fatigue and looking for a single path to handle not just security but all the other regulations they face. PCI might not be a cure-all, but the IT security it requires can go a long way toward that single path.
Don