PCI Compliance
The Payment Card Industry Data Security Standard (PCI DSS) is now in its 18th year, and it is
continuing to dominate corporate security budgets and resources. If you accept, process, transmit,
or store payment card data branded by Visa, MasterCard, American Express, Discover, or JCB (or
their affiliates and partners), you must comply with this lengthy standard.
Personal data theft is at the top of the list of likely cybercrimes that modern-day corporations must
defend against. In particular, credit or debit card data is preferred by cybercriminals as they can find
ways to monetize it quickly from anywhere in the world. Is your payment processing secure and
compliant? The new Fifth Edition of PCI Compliance has been revised to follow the new PCI DSS
version 4.0, which is a complete overhaul of the standard. Also new to the Fifth Edition are additional
case studies and clear guidelines and instructions for maintaining PCI compliance globally,
including coverage of technologies such as Kubernetes, cloud, near-field communication, point-to-point
encryption, mobile, and EMV (Europay, MasterCard, and Visa). This is the first book to address the recent
updates to PCI DSS, and the only book you will need during your PCI DSS journey. The real-world
scenarios and hands-on guidance will be extremely valuable, as will the community of professionals
you will join after buying this book.
Each chapter has how-to guidance to walk you through implementing concepts and real-world scenarios
to help you grasp how PCI DSS will affect your daily operations. This book provides the
information that you need in order to understand the current PCI Data Security Standards and the
ecosystem that surrounds them, how to effectively implement security on network infrastructure in
order to be compliant with the credit card industry guidelines, and help you protect sensitive and
personally identifiable information. Our book puts security first as a way to enable compliance.
• Completely updated to follow the current PCI DSS, version 4.0
• Packed with tips to develop and implement an effective PCI DSS and cybersecurity strategy
• Includes coverage of new and emerging technologies such as Kubernetes, mobility, and
3D Secure 2.0
• Both authors have broad information security backgrounds, including extensive PCI DSS
experience
PCI Compliance
Understand and Implement Effective
PCI Data Security Standard Compliance
Fifth Edition
Dr. Branden R. Williams
James K. Adamson
Cover Image Credit: Shutterstock
Fifth Edition published 2023
by CRC Press
6000 Broken Sound Parkway NW, Suite 300, Boca Raton, FL 33487-2742
and by CRC Press
4 Park Square, Milton Park, Abingdon, Oxon, OX14 4RN
CRC Press is an imprint of Taylor & Francis Group, LLC
© 2023 Branden R. Williams and James K. Adamson
Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume
responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted
to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission
to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us
know so we may rectify in any future reprint.
Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or uti-
lized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopy-
ing, microfilming, and recording, or in any information storage or retrieval system, without written permission from the
publishers.
For permission to photocopy or use material electronically from this work, access www.copyright.com or contact the
Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. For works that are not
available on CCC please contact mpkbookspermissions@tandf.co.uk
Trademark notice: Product or corporate names may be trademarks or registered trademarks and are used only for identifi-
cation and explanation without intent to infringe.
ISBN: 978-0-367-57002-6 (hbk)
ISBN: 978-0-367-57003-3 (pbk)
ISBN: 978-1-003-10030-0 (ebk)
DOI: 10.1201/9781003100300
Typeset in Times
by KnowledgeWorks Global Ltd.
Contents
Foreword ..........................................................................................................................................xv
Acknowledgments .........................................................................................................................xvii
Authors ............................................................................................................................................xix
Chapter 1 About PCI DSS and This Book ....................................................................................1
Who Should Read This Book? .....................................................................................3
How to Use the Book in Your Daily Job ......................................................................3
What This Book Is Not ................................................................................................4
Organization of the Book .............................................................................................4
Summary ......................................................................................................................4
Notes .............................................................................................................................6
Chapter 2 Introduction to Fraud, Identity Theft, and Related Regulatory Mandates ...................7
Summary ....................................................................................................................11
Notes ...........................................................................................................................12
Chapter 3 Why Is PCI Here? .......................................................................................................13
What Is PCI DSS and Who Must Comply? ...............................................................13
Electronic Card Payment Ecosystem .........................................................................15
Goal of PCI DSS ........................................................................................................16
Applicability of PCI DSS ...........................................................................................16
A Quick Note about Appendix A3 ........................................................................18
PCI DSS in Depth ......................................................................................................18
Compliance Deadlines ..........................................................................................18
Compliance and Validation ...................................................................................19
Something New, the Customized Approach .........................................................22
History of PCI DSS ...............................................................................................22
PCI Council ...........................................................................................................24
QSAs ......................................................................................................................25
Additional PCI SSC Qualifications .......................................................................26
PFIs ........................................................................................................................26
PCIPs .....................................................................................................................27
QIRs .......................................................................................................................27
ASVs ......................................................................................................................27
Quick Overview of PCI Requirements.......................................................................27
How Changes to PCI DSS Happen........................................................................30
What’s New in PCI DSS 4.0 .......................................................................................30
Customized Approach ...........................................................................................30
Extra Guidance ......................................................................................................30
New Countermeasures ...........................................................................................31
Skimmers and Web Content ..................................................................................31
Authenticated Vulnerability Scanning ..................................................................31
Inventory All the Things .......................................................................................31
Scope Reviews .......................................................................................................32
In Place With Remediation ....................................................................................32
PCI DSS and Risk ......................................................................................................32
Benefits of Compliance ..............................................................................................34
Case Study ..................................................................................................................34
The Case of the Developing Security Program .....................................................34
The Case of the Confusing Validation Requirements ...........................................35
Summary ....................................................................................................................36
Notes ...........................................................................................................................36
Chapter 4 Determining and Reducing Your PCI Scope .............................................................37
The Basics of PCI DSS Scoping ................................................................................37
Connected-To Systems ..........................................................................................41
The “Gotchas” of PCI Scope ......................................................................................42
Scope Reduction Tips .................................................................................................44
Planning Your PCI Project .........................................................................................46
Case Study ..................................................................................................................48
The Case of the Leaky Data ..................................................................................48
The Case of the Entrenched Enterprise .................................................................49
Summary ....................................................................................................................50
Notes ...........................................................................................................................50
Chapter 5 Building and Maintaining a Secure Network ............................................................51
Which PCI DSS Requirements Are in This Domain? ...............................................52
Establish NSC Configuration Standards ...............................................................52
Denying Traffic from Untrusted Networks and Hosts ......................................54
Restricting Connections ....................................................................................55
Host or Network-Based Security Controls........................................................56
Micro-Segmentation .........................................................................................57
Other Considerations for Requirement 1 ..........................................................57
The Oddball Requirement 11.5 .........................................................................57
Requirement 2: Defaults and Other Security Parameters ................................59
Develop Configuration Standards .....................................................................59
Default Passwords .............................................................................................60
Simple Network Management Protocol Defaults .............................................60
Delete Unnecessary Accounts ..........................................................................60
Implement Single Purpose Servers ...................................................................61
Configure System Security Parameters ............................................................61
Encrypt Non-Console Administrative Access ..................................................62
What Else Can You Do to Be Secure? .......................................................................63
Tools and Best Practices .............................................................................................63
Common Mistakes and Pitfalls ..................................................................................64
Egress Filtering ......................................................................................................64
Documentation ......................................................................................................64
System Defaults .....................................................................................................65
Case Study ..................................................................................................................65
The Case of the Small, Flat Store Network ...........................................................65
The Case of the Large, Flat Corporate Network ...................................................66
The Case of the Do Over .......................................................................................67
Summary ....................................................................................................................67
Chapter 6 Strong Access Controls ..............................................................................................69
Which PCI DSS Requirements Are in This Domain? ...............................................69
Principles of Access Control .................................................................................69
Confidentiality ..................................................................................................70
Integrity ............................................................................................................70
Availability .......................................................................................................70
Requirement 7: How Much Access Should a User Have? .....................................71
Databases and Requirement 7.2.6 .....................................................................72
Requirement 8: Authentication Basics ..................................................................73
Identification, Authentication, and Requirements 8.2.4–8.2.8 and 8.3.1–8.3.9 ...........74
Locking Users Out: Requirements 8.2.8 and 8.3.4 ...........................................75
Things Paired With Usernames ........................................................................76
Rendering Passwords Unreadable in Transit and Storage ................................76
Password Design for PCI DSS: Requirements 8.3.5–8.3.9 and 8.3.11 .............77
MFA and Requirements 8.4–8.5 ......................................................................79
A Brief Word on System Accounts and Requirement 8.6 ................................79
OAuth, OIDC, SSH Keys, and SSH Certs, OH MY! .......................................80
Educating Users ................................................................................................81
Windows and PCI Compliance .............................................................................82
Windows File Access Control ..........................................................................82
Finding Inactive Accounts in Active Directory ................................................84
Enforcing Password Requirements in Windows on Standalone Computers ....84
Enabling Password Protected Screen Savers on Standalone Windows Computers ..............85
Setting File Permissions on Standalone Windows Computers .........................85
POSIX (UNIX/Linux Systems) Access Control ...................................................85
Linux Enforce Password Complexity Requirements ........................................86
Cisco and PCI Requirements .................................................................................87
Cisco Enforce Session Timeout .............................................................................87
Encrypt Cisco Passwords ..................................................................................87
Setting Up SSH in a Cisco Environment ..........................................................87
Requirement 9: Physical Security .........................................................................87
Handling Visitors: Requirement 9.3 .................................................................88
Media and Physical Data Entry Points: Requirements 9.4 ...............................89
Protecting the Point of Interaction: Requirement 9.5 .......................................90
What Else Can You Do to Be Secure? .......................................................................91
Tools and Best Practices .............................................................................................93
Random Password for Users ..................................................................................93
Common Mistakes and Pitfalls ..................................................................................93
Poor Documentation ..............................................................................................94
Legacy Systems .....................................................................................................94
Cloud and PaaS......................................................................................................94
Physical Access Monitoring ..................................................................................94
Case Study ..................................................................................................................94
The Case of the Stolen Database ...........................................................................94
The Case of the Loose Permissions.......................................................................95
Summary ....................................................................................................................96
Note ...........................................................................................................................96
Chapter 7 Protecting Cardholder Data ........................................................................................97
What Is Data Protection and Why Is It Needed? .......................................................97
The Confidentiality, Integrity, and Availability Triad ...........................................98
Requirements Addressed in This Chapter .................................................................98
Requirement 3: Protect Stored Account Data ............................................................99
Requirement 3 Walk-Through ..................................................................................100
Encryption Methods for Data at Rest ..................................................................104
File- or Folder-Level Encryption ....................................................................105
Full-Disk Encryption ......................................................................................105
Database (Table-, Column-, or Field-Level) Encryption ................................106
PCI and Key Management ...................................................................................108
What Else Can You Do to Be Secure? .....................................................................109
Requirement 4 Walk-Through ..................................................................................110
Transport Layer Security .....................................................................................110
IPsec Virtual Private Networks ...........................................................................111
Miscellaneous Card Transmission Rules ............................................................112
Requirement 12 Walk-Through ................................................................................112
How to Become Compliant and Secure ...................................................................114
Step 1: Identify Business Processes With Card Data ..........................................115
Step 2: Shrink the Scope .....................................................................................115
Step 3: Identify Where Data Is Stored .................................................................115
Step 4: Determine What to Do About Your Data ................................................115
Step 5: Determine Who Needs Access ................................................................116
Step 6: Develop and Document Policies ..............................................................116
Common Mistakes and Pitfalls ................................................................................116
Case Study ................................................................................................................118
The Case of the Leaky Data ................................................................................118
The Case of the Satellite Location ......................................................................118
Summary ..................................................................................................................119
Notes .........................................................................................................................119
Chapter 8 Using Wireless Networking .....................................................................................121
What Is Wireless Network Security? .......................................................................122
Where Is Wireless Network Security in PCI DSS?..................................................123
Requirements 1, 11, and 12: Documentation .......................................................124
Actual Security of Wireless Devices: Requirements 2, 4, and 9 .........................125
Logging and Wireless Networks: Requirement 10.3.3 ........................................127
Testing for Unauthorized Wireless: Requirement 11.2 ........................................127
Quarterly Sweeps or Wireless IDS/IPS: How to Choose ...............................128
Why Do We Need Wireless Network Security? ......................................................129
Other Wireless Technologies ...............................................................................129
Tools and Best Practices ...........................................................................................130
Common Mistakes and Pitfalls ................................................................................131
Case Study ................................................................................................................132
The Case of the Untethered Laptop .....................................................................132
The Case of the Expansion Plan ..........................................................................133
The Case of the Double Secret Wireless Network ..............................................134
The Case of the Detached POS ......................................................................134
Summary ..................................................................................................................135
Note .........................................................................................................................135
Chapter 9 Vulnerability Management ....................................................................................137
PCI DSS Requirements Covered ..............................................................................138
Vulnerability Management in PCI ...........................................................................138
Stages of Vulnerability Management Process .....................................................139
Policy Definition .............................................................................................139
Data Acquisition .............................................................................................140
Prioritization ...................................................................................................140
Mitigation........................................................................................................141
Requirement 5 Walk-Through ..................................................................................142
What to Do to Be Secure and Compliant? ..........................................................143
Requirement 6 Walk-Through ..................................................................................144
Public-Facing Web Application Protection .........................................................146
Web Application Scanning (WAS) ......................................................................146
Web Application Firewalls (WAFs) .....................................................................148
Payment Pages .....................................................................................................148
Change Management ...........................................................................................149
Software Supply Chain Attacks ..........................................................................150
Requirement 11 Walk-Through ................................................................................150
External Vulnerability Scanning With ASV ............................................................151
What Is an ASV? .................................................................................................151
Considerations When Picking an ASV ...............................................................151
How ASV Scanning Works .................................................................................155
Operationalizing ASV Scanning .........................................................................155
What Should You Expect From an ASV? ...........................................................156
Internal Vulnerability Scanning ...............................................................................157
Penetration Testing ..............................................................................................158
Common PCI Vulnerability Management Mistakes ................................................159
Case Study ................................................................................................................160
PCI at a Retail Chain ...........................................................................................160
PCI at an E-Commerce Site ................................................................................161
Summary ..................................................................................................................161
Chapter 10 Logging Events and Monitoring the Cardholder Data Environment .......................163
PCI Requirements Covered ......................................................................................164
Why Logging and Monitoring in PCI DSS? ............................................................164
Logging and Monitoring in Depth ...........................................................................165
PCI Relevance of Logs .............................................................................................167
Logging in PCI Requirement 10 ..............................................................................168
Monitoring Data and Log for Security Issues ..........................................................170
Logging and Monitoring in PCI—All Other Requirements ....................................173
PCI DSS Logging Policies and Procedures ...............................................................176
Building an Initial Baseline Manually ................................................................178
Guidance for Identifying “Known Bad” Messages .............................................178
Main Workflow: Daily Log Review ...............................................................179
Exception Investigation and Analysis..................................................................179
Validation of Log Review ....................................................................................181
PCI Compliance Evidence Package ....................................................................181
Periodic Operational Task Summary ..................................................................182
Daily Tasks ..........................................................................................................182
Tools for Logging in PCI ..........................................................................................182
Other Monitoring Tools ............................................................................................186
Intrusion Detection and Prevention ..........................................................................186
Integrity Monitoring .................................................................................................190
Common Mistakes and Pitfalls ................................................................................191
Case Study ................................................................................................................191
The Case of the Risky Risk-Based Approach .....................................................191
The Case of Tweaking to Comply .......................................................................192
Summary ..................................................................................................................193
Chapter 11 Cloud and Virtualization ..........................................................................................195
Cloud Basics .............................................................................................................195
What Is the Cloud? ..............................................................................................196
Cloud Badness ................................................................................................196
Cloud Changes Everything! But Does It? ............................................................197
Cloud Challenges and You ..................................................................................198
PCI Cloud Examples ................................................................................................199
So, Can I Use Cloud Resources in PCI DSS Environments? ...................................200
Containers and Kubernetes ......................................................................................201
More Cloud for Better Security and Compliance? ..............................................202
Maintaining and Assessing PCI DSS in the Cloud ..................................................203
Enter the Matrix ..................................................................................................203
Tools and Best Practices ...........................................................................................204
Summary ..................................................................................................................205
Notes .........................................................................................................................205
Chapter 12 Mobile ......................................................................................................................207
Where Is Mobility Addressed in PCI DSS 4.0? .......................................................207
What Guidance Is Available? ...................................................................................208
Deploying the Technology Safely ............................................................................209
Case Study ................................................................................................................210
The Case of the Summer Festival........................................................................210
Summary ..................................................................................................................210
Chapter 13 PCI for the Small Business .......................................................................................211
The Risks of Credit Card Acceptance ......................................................................211
New Business Considerations ..................................................................................213
Your POS Is Like My POS! .....................................................................................214
A Basic Scheme for SMB Hardening .......................................................................215
Case Study ................................................................................................................216
The Case of the Outsourcing Decision ................................................................216
Summary ..................................................................................................................217
Chapter 14 PCI DSS for the Service Provider ............................................................................219
The Definition of a Service Provider .......................................................................219
Why Do Service Providers Have More Requirements? ...........................................220
Variation on a Theme, or What Service Providers Should Care About? .................220
Service-Provider-Specific Requirements .................................................................220
Protect Account Data...........................................................................................220