Free eBook - PCI For Dummies by Qualys

[don]

Got a copy of this at Black Hat. If you're new to PCI, this is a great free resource. Granted you have to fill out their form, but there are worse fates.

Download this Free Book: Get the Facts on PCI Compliance and Learn How to Comply with the PCI Data Security Standard

Complying with the PCI Data Security Standard may seem like a daunting task for merchants. This book is a quick guide to understanding how to protect cardholder data and comply with the requirements of PCI - from surveying the standard's requirements to detailing steps for verifying compliance.

PCI Compliance for Dummies arms you with the facts, in plain English, and shows you how to achieve PCI Compliance. In this book you will discover:

- What the Payment Card Industry Data Security Standard (PCI DSS) is all about
- The 12 Requirements of the PCI Standard
- How to comply with PCI
- 10 Best-Practices for PCI Compliance
- How QualysGuard PCI simplifies PCI compliance

Get it here:
http://www.qualys.com/forms/ebook/pcifordummies/

Don

[Ketchup]

Well the Qualsys folks are already spamming me, so this is a win / win situation for me.   I was always curious about who is doing PCI audits outside of the big five consulting companies.   

[UNIX]

Just curious, but who are the big five consulting companies?

Thanks Don for the Link, sounds interesting.

[ethicalhack3r]

Thanks for the link. Will have a read when I have some spare time.

[Ketchup]

Awesec, I have always that they were Andersen Consulting, Delloitte, KPMG, Price Waterhouse Cooper, and Ernst & Young.   They are the ones doing most of the audits out there.   I was told that only they can actually certify you as PCI compliant.   I am not even sure what that means.   

[BillV]

Awesec, I have always that they were Andersen Consulting, Delloitte, KPMG, Price Waterhouse Cooper, and Ernst & Young.   They are the ones doing most of the audits out there.   I was told that only they can actually certify you as PCI compliant.   I am not even sure what that means.   

Shouldn't any QSA be able to certify someone as PCI compliant? Isn't that the point of the program? Why else would someone spend $25K (last I checked) to get the QSA qualification?

[Ketchup]

Bill, I have no idea.  I  was hoping to get a straight answer to that question, but I have been told conflicting stories.   I am going to read that PCI for Dummies book

[BillV]

Haha, oh well. Let me know what you find out - if it mentions it in that book (or I may just sign-up and grab a copy). It's been a while since I looked into PCI ASV/QSA stuff, but for the costs involved I figured that was the point.

[UNIX]

Thanks Ketchup, didn't hear of all of them.

$25K sounds a little much for a certification. :O

[BillV]

$25K sounds a little much for a certification. :O

Yeah, but if those wanting to be PCI compliant are required to be scanned by an ASV or analyzed by a QSA, then it makes sense as to why the prices are high (as you could certainly charge quite a bit for your services). Again, I haven't looked at PCI stuff in over a year, but that was the case last I had checked.

[g00d_4sh]

PCI... HIPA... ohhh how I hate you all.  I worked on a POS system earlier this month, they were full of viruses... running built in admin for all users... surfing the web.  I tried to encourage them to work on thier security, by mentioning some of the highlights out of PCI etc.  The whole... "if you are playing with my credit card, for gods sake don't have the system be the same one you check your yahoo mail and gossip sites on.  It'sa smoothy bar.  Hot girls, not hot on security though.  Meh.  Either way, yeah I guess it would be an interesting cert to get for testing for compliance etc.  Interesting if you can get a business to pay for it that is.  Heh.

[Ketchup]

g00d_4sh, I've been looking into this.   It seems like it's not that difficult to become a QSA.   There is a crap load of paperwork it seems, for the company.   You have to go through training, which is not expensive $1200, and pay a fee.

https://www.pcisecuritystandards.org/qsa_asv/become_qsa.shtml

[g00d_4sh]

Nice link/info Ketchup.    Thanks for the info.

[jakinne]

Aside from the $1250 fee for the exam, there is a 5yr. infosec experience requirement (or a CISSP/CISM/CISA).

Many of you may not have to worry about this, but what about those of us that don't have that 5yrs. of resume experience?

This also applies to qualifying for certs like the CISSP and others...but doesn't the X years of experience seem kind of arbitrary?  If you have the knowledge necessary to pass the exam, plus the endorsement, what does the time get you?

What are others experiences in this regard?

Thanks,
Justin

[Ketchup]

Justin,

Most of us that have an interest in security are closer than you realize to the minimum number of years of experience required to sit for these exams.  It's really how you structure you resume.   For example, if you are currently employed as Network Administrator, chances are you are responsible for at least some of Operations security, such as keeping servers patched, AntiVirus deployed, etc.  When you put all this together, you are closer than you think to the number of years required.  Remember, it's not experience in all domains of security, it's one or more.   

When you sit for these exams, you have to structure your resume in such a way that it emphasizes your security experience.  In the CISSP sense, actually indicate that you are responsible for a particular area of security on your resume. 

Regarding the PCI experience requirement, I actually think it should be more than 5 years.   As many of us have seen there are a ton of auditors out there who are not worth a dime.   I don't mean to sound pompous, but passing an exam just demonstrates that you can take tests.   Experience counts more than anything in my opinion.  Would you really want someone who simply passed an exam looking after your credit card information?  Don't get me wrong, the CISSP test is not easy, but in my opinion it doesn't prove that you can tell <insert retailer here> how to store financial and personal data.