PCI DSS 3.1

PCI DSS 3.1

The Standard That Killed SSL

Branden R. Williams

James K. Adamson, Technical Editor

AMSTERDAM • BOSTON • HEIDELBERG • LONDON NEW YORK • OXFORD • PARIS • SAN DIEGO

SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO

Syngress is an imprint of Elsevier

Syngress is an imprint of Elsevier

225 Wyman Street, Waltham, MA 02451, USA

Copyright r 2016 Elsevier Inc. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.

This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

Notices

Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary.

Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.

To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

ISBN: 978-0-12-804627-2

British Library Cataloguing-in-Publication Data

A catalogue record for this book is available from the British Library

Library of Congress Cataloging-in-Publication Data

A catalog record for this book is available from the Library of Congress

For Information on all Syngress publications visit our website at http://store.elsevier.com/

“Welcome! Welcome! Kids of all ages! Step right up! The show is about to begin!”

Those words of a circus barker come to mind when thinking of someone new being introduced to the Payment Card Industry Data Security Standard (PCI DSS). Much like a spectator at the circus they’re bewildered, unclear what exactly is going on or where to turn. Similar to a circus there is a great deal going on as well as a lot of noise when it comes to the PCI DSS, from the standard’s governing body the PCI SSC to all of the supporting organizations, vendors, conferences, bloggers, etc.

It’s been 11 years since the PCI DSS was created in 2004, and now, seven versions later, the most current version 3.1 was released in April 2015. While the standard was introduced as a compilation of best practices and policies to provide a baseline standard for the protection of cardholder data, the adaptation and evolution of the standard has been quite dynamic and has been included in state-level law in the United States including Washington in 2009^[1] and Nevada in 2010.^[2]

Luckily for all of us we have Dr Branden Williams and Dr Anton Chuvakin! As ‘circus masters’, they have come together to highlight the main ‘attractions’ and give insight into the standards, limitations, what scope is and can be, observations on different interpretations and implementations, and make the visits from a Payment Card Industry Qualified Security Assessor (PCI QSA) a bit less intimidating.

With over 15 years of experience in Information Security as a consultant to a C-Level executive, I have seen the challenges created by applying PCI DSS from all sides. For the past six years I have been a Managing Partner for the Enterprise Services segment of Urbane Security, a boutique consultancy of which my division specializes in complex implementations of the PCI DSS. From highly technical

viii Foreword

and large-scale organizations to mid-sized organizations with limited resources, the challenges of meeting the intents of some of the PCI DSS controls are felt by all. Whenever I have a challenge and need to brainstorm, my first calls are to Branden or Anton as I find their thoughts align with our organization’s pragmatic approach. This book is with me at all times (thank you iPad) and is a recommended reading for all of our clients who are tasked with PCI DSS compliance. This is the most approachable, accurate, and easy-to-digest guide to understanding the PCI DSS.

Erin ‘@SecBarbie’ Jacobs

Former CIO and CSO brings more than 15 years of consulting and c-level management experience to Urbane Security and manages the company’s compliance and strategic advisory delivery teams. She and her team work with all levels of an organization to identify business goals and IT challenges and then, through specially tailored services, aligns them with the best solutions to help them securely drive their business forward. Through her work, Erin has established several industry best practices and has presented these at numerous high-profile security conferences. She is also passionate about fostering collaboration between the CSOs and practitioners who oversee day-to-day security challenges with the security research community at large to help them learn from each other and ultimately improve our industry.

No matter the size of the project, publishing is never done in a vacuum. I’d like to thank my Acquisitions Editor, Chris Katsaropoulos for bringing the idea of this addendum to me. And also for dealing with my incessant requests for project updates.

I’d like to thank James Adamson, the technical editor for this book. His feedback was critical to the final product.

As always, thank you to my wife and family for encouraging me to follow my dreams and make my own dent in the universe.

And a special thanks to all of you who continue to support my efforts by buying my books, contributing to my blog, and keeping the conversation interesting when we tackle these complex and controversial topics. I’d like to think that my stance is malleable when I learn new things. A virtual high-five to you all (and a real one soon!).

Until next time!

Branden