PCI DSS : A practical guide to implementing and maintaining compliance.
Title:
PCI DSS : A practical guide to implementing and maintaining compliance.
Author:
Wright, Steve.
ISBN:
9781849281874
Edition:
3rd ed.
Physical Description:
1 online resource (253 pages)
Contents:
Foreword -- Preface -- About the Author -- Acknowledgements -- Contents -- Background -- What is PCI? -- Summary of changes to latest version of PCI DSS -- Top Ten myths about PCI -- Myth 1 - One vendor and product will make us compliant -- Myth 2 - Outsourcing card processing makes us compliant -- Myth 3 - PCI compliance is an IT project -- Myth 4 - PCI will make us secure -- Myth 5 - PCI is unreasonable -- it requires too much -- Myth 6 - PCI requires us to hire a Qualified Security Assessor -- Myth 7 - We don't take enough credit cards to be compliant -- Myth 8 - We completed a SAQ so we're compliant -- Myth 9 - PCI makes us store cardholder data -- Myth 10 - PCI is too hard -- Why PCI? -- What are the different types of threats (or vulnerabilities)? -- How does PCI compliance work? -- How is PCI compliance demonstrated? -- Validation requirements -- What is the role of the ASV? -- What is the role of the QSA? -- Getting started with PCI -- Other related PCI Standards to take into consideration -- Payment Application - Data Security Standard (PA-DSS) -- PCI PTS -- Compensating controls - Using what you already have in place -- A prioritised approach to compliance -- Milestone 1 -- Milestone 2 -- Milestone 3 -- Milestone 4 -- Milestone 5 -- Milestone 6 -- Some strategic thoughts -- Benefits of a combined approach to compliance -- The approach of this book -- Chapter 1: Step 1 - Establishing the PCI Project -- What is the project initiation workshop objective? -- What are the workshop deliverables? -- Chapter 2: Step 2 - Determine the Scope -- Scoping the PCI target environment -- The approach used to determine the exact scope -- Workshop objective: -- Chapter 3: Step 3 - Review the Information Security Policy -- Chapter 4: Step 4 - Conduct Gap Analysis -- Gap analysis objectives -- Gap analysis approach.

PCI gap analysis reporting and security improvement plan -- Chapter 5: Step 5 - Conduct Risk Analysis -- The goal of the risk management process -- The benefits of risk management -- The elements of the risk management process -- Risk step 1 - Scoping meeting (identify and record high-level risks) -- Task 1 - Risk (threat) identification -- Task 2 - Risk (threat) description -- Risk step 2 - Desktop study - analyse and prioritise risks -- Task 1 - Impact identification -- Task 2 - Vulnerability identification -- Task 3 - Likelihood determination -- Task 4 - Control analysis -- Task 5 - Risk register -- Risk step 3 - Conduct risk planning -- Decision -- Risk treatment -- Residual risk reporting -- Risk step 4 - Update risk register, monitor and track risks -- Monitoring and tracking risks -- Risk control -- Risk step 5 - Prepare risk management report -- Risk step 6 - Debriefing meeting and presentation of the risk report -- Chapter 6: Step 6 - Establish the Baseline -- Build and maintain a secure network -- Task 1 (Requirement 1) - Install and maintain a firewall configuration to protect data -- Task 2 (Requirement 2) - Do not use vendor-supplied defaults for system passwords and other security parameters -- Protect cardholder data -- Task 3 (Requirement 3) - Protect stored cardholder data -- Task 4 (Requirement 4) - Encrypt transmission of cardholder data and sensitive information across public networks -- Maintain a vulnerability management programme -- Task 5 (Requirement 5) - Use and regularly update anti-virus software -- Task 6 (Requirement 6) - Develop and maintain secure systems and applications -- Implement strong access control measures -- Task 7 (Requirement 7) - Restrict access to cardholder data by business 'need-to-know' -- Task 8 (Requirement 8) - Assign a unique ID to each person with computer access.

Task 9 (Requirement 9) - Restrict physical access to cardholder data -- Regularly monitor and test networks -- Task 10 (Requirement 10) - Track and monitor all access to network resources and cardholder data -- Task 11 (Requirement 11) - Regularly test security systems and processes -- Maintain an information security policy -- Task 12 (Requirement 12) - Maintain a policy that addresses information security for employees and contractors -- Chapter 7: Step 7 - Auditing -- Initiation of the audit (objectives and scope) -- What are the PCI auditing objectives? -- Auditing objectives -- Technical audit objectives -- Scope -- Auditor preparation -- Technical audit preparation -- Conduct the audit -- Task 1) Review the information security management system components -- Task 2) Review policy components -- Task 3) Review the process functions -- Task 4) Review the procedure components -- Task 5) Review the standards -- Task 6) Review the user management -- Task 7) Review the technical components -- Report the findings -- Audit reporting -- Audit deliverables -- Agree follow-up action and clearance of any findings -- Chapter 8: Step 8 - Remediation Planning -- Chapter 9: Step 9 - Maintaining and Demonstrating Compliance -- Validation requirements -- How to meet these requirements -- Using log management information for PCI compliance -- Regular monitoring and testing -- Arriving where you want to be: PCI compliant -- Demonstrating compliance - ROC -- Instructions and content for report on compliance -- Contact information and report date -- Executive summary -- Description of scope of work and approach taken -- Maintaining your PCI compliance -- Example compliance mapping for your current environment -- Future PCI compliance considerations -- Example compliance mapping for applications -- Payment Application Data Security Standard (PA-DSS) Application.

Application operating systems -- Example compliance mapping for POS -- Chapter 10: PCI DSS and ISO27001 -- PCI and ISO27001 - the comparisons -- Appendix 1 - Project Checklist -- Appendix 2 - PCI DSS Project Plan -- Appendix 3 - Bibliography and Sources -- Appendix 4 - Further Useful Information -- PCI DSS available resources -- The PCI self-assessment questionnaire (SAQ) -- Payment card industry self-assessment questionnaire (pdf) -- PCI DSS payment card industry self-assessment questionnaire (locked Word) -- PCI DSS security audit procedures (pdf) -- PCI DSS security audit procedures (locked Word) -- PCI DSS security scanning procedures -- PCI DSS validation requirements for qualified security assessors (QSAs) v 1.2. -- PCI qualified security assessor (QSA) agreement sample -- QSA feedback form -- PCI DSS validation requirements for approved Scanning vendors (ASVs) v 1.1 -- PCI ASV compliance test agreement sample ASV -- Feedback form -- PCI DSS technical and operational requirements for approved scanning vendors (ASVs) v 1.1 -- PCI DSS approved scanning vendors -- Appendix 5 - PCI DSS Mapping to ISO27001 -- ITG Resources -- Other Websites -- Pocket Guides -- Toolkits -- Best Practice Reports -- Training and Consultancy -- Newsletter.
Abstract:
Shows how to build and maintain a sustainable PCI DSS (version 2.0) compliance programme.
Local Note:
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2017. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.