Book Review: PCI Compliance

January 4, 2010

Review by Joel Dubin, CISSP

The Payment Card Industry Data Security Standard (PCI DSS) has taken it on the chin recently.  With several high profile breaches of credit card numbers, some critics of the industry standard have said it either isn’t strong enough, or should be abolished altogether.  But as Dr. Anton Chuvakin and Branden Williams correctly point out in the second edition of their book, PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance, PCI is here to stay.

This is no ordinary field manual to the PCI standard.  It isn’t a book, for example, that a PCI auditor, called a Qualified Security Assessor (QSA), would have open on their lap as a reference while working with a client.  Instead it carefully weaves together PCI, which is considered compliance, with IT security.  In fact, it also discusses PCI in the universe of other regulatory compliance standards, like SOX and HIPAA, which also give IT managers plenty of headaches.

The book correctly notes that compliance isn’t the same as security, a common misconception among PCI critics, but that compliance is one part of a sound IT security program, one that covers both bases, compliance and security, and is not narrowly focused on PCI but addresses other standards as well.  That’s good news for IT managers suffering from compliance fatigue and looking for a single path to handle not just security but all the other regulations they face.  PCI might not be a cure-all, but the IT security it requires can go a long way toward that single path.


Chapter 1, About PCI and This Book, neatly defines PCI with an explanation of the role of QSAs, the PCI auditors so named by the PCI Security Standards Council (SSC), which also certifies them.  It also explains that the intent of the book is to approach PCI from the viewpoint of both IT security and the QSA in the field, something Chuvakin and Williams do effectively throughout the book.  The chapter ends with a review of the organization of the book, which is in itself interesting.

Rather than recite each PCI requirement in order, the book goes through a logical sequence of security procedures – firewalls, access controls and protecting stored cardholder data (PCI Requirements 1, 3, 4 and 12) – and maps them back to particular PCI requirements.  Each chapter has case studies, “Tools and Best Practices” and “Common Mistakes and Pitfalls.”

Chapter 2, Introduction to Fraud, ID Theft, and Regulatory Mandates, explains the purpose of PCI and why cardholder data is such a hot item with hackers.   Here again it weaves together the theme of security and compliance, which is emphasized throughout the book.  "There is nothing extraordinary or magical about the PCI DSS requirements.  The guidelines spelled out are all, essentially, common sense security practices that any organization should follow without being told."

The book continues with background on PCI, including its history in Chapter 3, Why Is PCI Here?  Here the authors accurately describe the various players in credit card processing, the scope of PCI and its applicability, including the four merchant levels.  These are all items that can be unclear not only to companies undergoing PCI audits, but to new QSAs, which the book does a good job of clarifying.  This is also where PCI Compliance enumerates all of the standard’s twelve requirements in one place.   The reader is referred, wisely so, to the SSC’s web site at http://www.pcisecuritystandards.org, for getting the actual standard verbatim.

Interestingly, the authors acknowledge the power of acquirers in the PCI universe, which every QSA and merchant eventually discovers.  The reader is told in The Case of the Confusing Validation Requirements that “As always, when in doubt, ask your acquirer what is expected of you.  Your mileage may vary when it comes to some of these intricate rules.” 

The meat of each PCI requirement, complete with tools and case studies is covered exhaustively in Chapters 4 through 9.  Here Chuvakin and Williams, not only experienced QSAs themselves but also well known IT security professionals, go through the daily grind of a QSA both onsite and back in the office drafting the Report on Compliance.

PCI Compliance hits every pain point in PCI from encryption and storage of cardholder data to application security (the infamous Requirement 6), scanning (the equally loved Requirement 11) and wireless security, which spans Requirements 2, 4 and 9 and has its own chapter, Chapter 7, Using Wireless Networking.

Since storage of cardholder data is such a big part of PCI, the authors have a six-step recommendation for dealing with the issue in a section appropriately titled How to Become Compliant and Secure in Chapter 6, Protecting Cardholder Data.  One of the points recommends shrinking scope, a common dodge used to wash away PCI by removing cardholder data from portions of networks and systems.

The case study of the fictional car rental agency, Jones’s Junker Jubilee, isn’t farfetched and is a real-life scenario a QSA could easily walk into.  The agency prohibits wireless devices on its company network, but somehow a hacker posing as a flower deliveryman manages to install one in the office anyway.  And employees thought it was part of the jumble of computer equipment already installed on site.  Chuvakin and Williams recommend a wireless IDS or IPS, per requirement 11.1 to remedy the situation.

The minefield of Requirement 6 about application security is well covered with details about OWASP and the NVD, which many shops in scope for PCI that develop their own software sometimes overlook.  The debate over Web Application Firewalls (WAF) for complying with Requirement 6.6 is also touched upon.

Chapters 8 and 9 nicely cover details about PCI required scanning, both internal and external, another sticky point for many companies.  How to select an Approved Scanning Vendor (ASV), as in SSC-approved, is also well covered here.

The remainder of the book, Chapters 10 through 15, departs from the standard itself and discusses how to work with QSAs (Chapter 11, aptly titled Don’t Fear the Assessor), the business case for PCI and how to manage a PCI project, compensating controls, legal frameworks, what to do after the QSA leaves and some common myths about PCI.

In summary, this is an excellent PCI reference, because it covers not only each of the standard’s requirements in depth, but also the business and soft side of compliance.  It’s a well-rounded reference that doesn’t just stick to technical details but is something a non-technical business manager would find handy, if they’re about to be assigned to oversee their company’s PCI audit.  Whether you’re on the side being reviewed or the auditor yourself, PCI Compliance should be on your bookshelf.


Joel Dubin, CISSP is both a QSA and PA-QSA for Trustwave in Chicago.  He has conducted PA-DSS assessments in both the US and Latin America.   He is the author of The Little Black Book of Computer Security, Second Edition, and of numerous articles on IT security and compliance. Check out his blog, The IT Security Guy at http://www.theitsecurityguy.com.
