.

Free eBook - PCI For Dummies by Qualys

<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Wed Aug 19, 2009 8:19 pm

Free eBook - PCI For Dummies by Qualys

Got a copy of this at Black Hat. If you're new to PCI, this is a great free resource. Granted you have to fill out their form, but there are worse fates.


Download this Free Book: Get the Facts on PCI Compliance and Learn How to Comply with the PCI Data Security Standard

Complying with the PCI Data Security Standard may seem like a daunting task for merchants. This book is a quick guide to understanding how to protect cardholder data and comply with the requirements of PCI - from surveying the standard's requirements to detailing steps for verifying compliance.

PCI Compliance for Dummies arms you with the facts, in plain English, and shows you how to achieve PCI Compliance. In this book you will discover:

- What the Payment Card Industry Data Security Standard (PCI DSS) is all about
- The 12 Requirements of the PCI Standard
- How to comply with PCI
- 10 Best-Practices for PCI Compliance
- How QualysGuard PCI simplifies PCI compliance



Get it here:
http://www.qualys.com/forms/ebook/pcifordummies/

Don
CISSP, MCSE, CSTA, Security+ SME
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Wed Aug 19, 2009 9:57 pm

Re: Free eBook - PCI For Dummies by Qualys

Well the Qualsys folks are already spamming me, so this is a win / win situation for me.  I was always curious about who is doing PCI audits outside of the big five consulting companies. 
~~~~~~~~~~~~~~
Ketchup
<<

UNIX

User avatar

Hero Member
Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Thu Aug 20, 2009 12:12 am

Re: Free eBook - PCI For Dummies by Qualys

Just curious, but who are the big five consulting companies?

Thanks Don for the Link, sounds interesting. :)
<<

ethicalhack3r

Full Member
Full Member

Posts: 139

Joined: Fri Nov 28, 2008 11:29 am

Post Thu Aug 20, 2009 2:35 am

Re: Free eBook - PCI For Dummies by Qualys

Thanks for the link. Will have a read when I have some spare time.
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Thu Aug 20, 2009 7:33 am

Re: Free eBook - PCI For Dummies by Qualys

Awesec, I have always that they were Andersen Consulting, Delloitte, KPMG, Price Waterhouse Cooper, and Ernst & Young.  They are the ones doing most of the audits out there.  I was told that only they can actually certify you as PCI compliant.  I am not even sure what that means. 
~~~~~~~~~~~~~~
Ketchup
<<

venom77

User avatar

Hero Member
Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Thu Aug 20, 2009 8:39 am

Re: Free eBook - PCI For Dummies by Qualys

Ketchup wrote:Awesec, I have always that they were Andersen Consulting, Delloitte, KPMG, Price Waterhouse Cooper, and Ernst & Young.   They are the ones doing most of the audits out there.   I was told that only they can actually certify you as PCI compliant.   I am not even sure what that means.   


Shouldn't any QSA be able to certify someone as PCI compliant? Isn't that the point of the program? Why else would someone spend $25K (last I checked) to get the QSA qualification?
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Thu Aug 20, 2009 9:01 am

Re: Free eBook - PCI For Dummies by Qualys

Bill, I have no idea.  I  was hoping to get a straight answer to that question, but I have been told conflicting stories.  I am going to read that PCI for Dummies book :)
~~~~~~~~~~~~~~
Ketchup
<<

venom77

User avatar

Hero Member
Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Thu Aug 20, 2009 9:10 am

Re: Free eBook - PCI For Dummies by Qualys

Haha, oh well. Let me know what you find out - if it mentions it in that book (or I may just sign-up and grab a copy). It's been a while since I looked into PCI ASV/QSA stuff, but for the costs involved I figured that was the point.
<<

UNIX

User avatar

Hero Member
Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Thu Aug 20, 2009 10:51 am

Re: Free eBook - PCI For Dummies by Qualys

Thanks Ketchup, didn't hear of all of them.

$25K sounds a little much for a certification. :O
<<

venom77

User avatar

Hero Member
Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Thu Aug 20, 2009 11:00 am

Re: Free eBook - PCI For Dummies by Qualys

awesec wrote:$25K sounds a little much for a certification. :O


Yeah, but if those wanting to be PCI compliant are required to be scanned by an ASV or analyzed by a QSA, then it makes sense as to why the prices are high (as you could certainly charge quite a bit for your services). Again, I haven't looked at PCI stuff in over a year, but that was the case last I had checked.
<<

g00d_4sh

User avatar

Sr. Member
Sr. Member

Posts: 394

Joined: Tue Sep 18, 2007 1:50 pm

Location: Guayaquil, Ecuador

Post Thu Aug 20, 2009 3:24 pm

Re: Free eBook - PCI For Dummies by Qualys

PCI... HIPA... ohhh how I hate you all.  I worked on a POS system earlier this month, they were full of viruses... running built in admin for all users... surfing the web.  I tried to encourage them to work on thier security, by mentioning some of the highlights out of PCI etc.  The whole... "if you are playing with my credit card, for gods sake don't have the system be the same one you check your yahoo mail and gossip sites on.  It'sa smoothy bar.  Hot girls, not hot on security though.  Meh.  Either way, yeah I guess it would be an interesting cert to get for testing for compliance etc.  Interesting if you can get a business to pay for it that is.  Heh.
"Bad.. Good?  I'm the guy with the gun"
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Thu Aug 20, 2009 3:44 pm

Re: Free eBook - PCI For Dummies by Qualys

g00d_4sh, I've been looking into this.  It seems like it's not that difficult to become a QSA.  There is a crap load of paperwork it seems, for the company.  You have to go through training, which is not expensive $1200, and pay a fee.

https://www.pcisecuritystandards.org/qsa_asv/become_qsa.shtml
~~~~~~~~~~~~~~
Ketchup
<<

g00d_4sh

User avatar

Sr. Member
Sr. Member

Posts: 394

Joined: Tue Sep 18, 2007 1:50 pm

Location: Guayaquil, Ecuador

Post Thu Aug 20, 2009 3:56 pm

Re: Free eBook - PCI For Dummies by Qualys

Nice link/info Ketchup.  :)  Thanks for the info.
"Bad.. Good?  I'm the guy with the gun"
<<

jakinne

Newbie
Newbie

Posts: 13

Joined: Thu Aug 20, 2009 1:09 pm

Post Thu Aug 20, 2009 6:16 pm

Re: Free eBook - PCI For Dummies by Qualys

Aside from the $1250 fee for the exam, there is a 5yr. infosec experience requirement (or a CISSP/CISM/CISA).

Many of you may not have to worry about this, but what about those of us that don't have that 5yrs. of resume experience?

This also applies to qualifying for certs like the CISSP and others...but doesn't the X years of experience seem kind of arbitrary?  If you have the knowledge necessary to pass the exam, plus the endorsement, what does the time get you?

What are others experiences in this regard?

Thanks,
Justin
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Thu Aug 20, 2009 6:33 pm

Re: Free eBook - PCI For Dummies by Qualys

Justin,

Most of us that have an interest in security are closer than you realize to the minimum number of years of experience required to sit for these exams.  It's really how you structure you resume.  For example, if you are currently employed as Network Administrator, chances are you are responsible for at least some of Operations security, such as keeping servers patched, AntiVirus deployed, etc.  When you put all this together, you are closer than you think to the number of years required.  Remember, it's not experience in all domains of security, it's one or more. 

When you sit for these exams, you have to structure your resume in such a way that it emphasizes your security experience.  In the CISSP sense, actually indicate that you are responsible for a particular area of security on your resume. 

Regarding the PCI experience requirement, I actually think it should be more than 5 years.  As many of us have seen there are a ton of auditors out there who are not worth a dime.  I don't mean to sound pompous, but passing an exam just demonstrates that you can take tests.  Experience counts more than anything in my opinion.  Would you really want someone who simply passed an exam looking after your credit card information?  Don't get me wrong, the CISSP test is not easy, but in my opinion it doesn't prove that you can tell <insert retailer here> how to store financial and personal data. 
~~~~~~~~~~~~~~
Ketchup
Next

Return to Compliance, Regulations &amp; Standards

Who is online

Users browsing this forum: No registered users and 2 guests

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software