Kindle Price: ¥376.03





“PCI Compliance: The Definitive Guide (English Edition)”, by [Abhay Bhargav]

PCI Compliance: The Definitive Guide (English Edition), 1st Edition, Kindle Edition




Abhay Bhargav is the founder and chief technical officer of the we45 Group, a Bangalore-based information security solutions company. He has extensive experience with information security and compliance, having performed security assessments for many enterprises in various domains, such as banking, software development, retail, telecom, and legal. He is a qualified security assessor (QSA) for the payment-card industry and has led several security assessments for payment-card industry compliance. He is also the coauthor of Secure Java for Web Application Development, published by CRC Press. Abhay is a specialist in Web-application security with broad experience in vulnerability assessment and penetration testing, and he has served as a consultant for a wide array of enterprises and governmental/quasi-governmental entities. He was recently awarded the prestigious SANS Certified GIAC Web Application Penetration Tester certification. He has been interviewed by leading media outlets for his expertise on information security, particularly application security. Abhay is a regular speaker at industry events. He was a featured speaker at the JavaOne Conference in September 2010 at the Moscone Center in San Francisco. He also regularly speaks at OWASP (Open Web Application Security Project) conferences around the world, notably in New York at the world's largest application security conference, the OWASP AppSec Conference, in September 2008. He has also spoken at various other conferences and seminars, such as the PCI Summit in Mumbai in December 2008. He is a regular speaker at industry events such as the Business Technology Summit and events organized by the Confederation of Indian Industry (CII). He has also delivered several talks to government entities and their stakeholders on information security and application security.
He is also a trainer in information security and has led several public workshops on PCI, PA-DSS, and risk assessment. Abhay is well versed in risk assessment and risk management, with rich consulting experience in the OCTAVE® Risk Assessment and NIST SP 800-30 methodologies. His expertise also extends to providing solutions on information security based on the ISO 27001, HIPAA, SOX, GLBA, and other security-compliance standards. Previously, Abhay was the leader of application security and PCI compliance at SISA Information Security Pvt Ltd. Prior to that, he was involved in implementing enterprise IT solutions for various verticals, including manufacturing and retail. He has developed various business applications in Java and in proprietary object-oriented programming languages such as TDL. He has also written various articles on application security and security compliance. Apart from his professional interests, Abhay is also a trained Carnatic classical flutist and has delivered several concerts. He is also a theater enthusiast and playwright with an English comedy play to his writing credits. He blogs actively and maintains a security blog and a personal blog. He also writes a weekly article on computer education in a leading Kannada daily newspaper for the rural youth. --This text refers to an alternate kindle_edition edition.


Payment-Card Industry: An Evolution
  • The Development of a System: The Coming of the Credit Card
  • The Need for Credit: A Historical Perspective
  • Credit in the Mesopotamian Civilization
  • Credit in the Era of Coins and Metal Bullion (800 BC to AD 600)
  • The Rise of Virtual Money Transactions (AD 600 to AD 1500)
  • The Reemergence of Coins and Precious Metal Currency (1500-1971)
  • The Rise of Debt (1971 Onwards)
  • The Need for Credit
  • The Credit Card: A Means to Address the Need for Credit
  • The History of the Credit Card
  • The First Credit Cards
  • The Development of a Credit Card Industry
  • Debit Cards and Automated Teller Machines
  • The Coming of the Debit Card
  • The Automated Teller Machine
  • E-Commerce and Online Payments
  • The Future of Payments
  • Trends for the Future of Payments
  • Mobile Payments
  • Contactless Payments
  • Chip and PIN Cards
  • Summary

Card Anatomy: The Essentials
  • Payment Cards: Types of Cards
  • Payment Card with Magnetic Stripe
  • Magnetic Stripe Cards: A Brief History
  • Magnetic Stripe Coercivity
  • Magnetic Stripe: A Primer on Data Sets
  • Chip and PIN Cards
  • Payment Cards: An Anatomy
  • Payment Card: External Visage (Front)
  • The Card Issuer's Logo
  • The Payment Brand Logo and Hologram
  • The Card Number (PAN)
  • The Expiration Date
  • The Cardholder's Name
  • Payment Card: External Visage (Back)
  • The Magnetic Stripe
  • Signature Strip
  • The CVV
  • Service Disclaimer
  • Bank Address and Contact Details
  • Customer Service Information
  • Data Sets: Payment Card
  • Track 1 Data
  • Track 2 Data
  • Track 3 Data
  • Payment Card: Terminology
  • The Payment Card Processing Cycle
  • Merchants
  • Acquirers
  • Payment Networks
  • Issuers
  • Processors
  • Other Service Providers
  • Independent Sales Organizations
  • Payment Card Transactions
  • Card-Present Transaction
  • Card-Not-Present Transactions
  • Open-Loop Payment Systems
  • Closed-Loop Payment Systems
  • Summary

Security and the Payment-Card Industry
  • A Brief History of Credit Card Fraud
  • A Brief History of Significant Card Data Breaches
  • The CardSystems Breach
  • The TJ-Maxx Card Breach
  • The Heartland Payment Systems Breach
  • The Sony Playstation Network Breach
  • Cardholder Security Programs
  • Card Brand Cardholder Security Programs
  • The Formation of the PCI-DSS and PCI-SSC
  • Structure of the PCI Standards
  • The PCI Assessment Environment
  • PCI-QSAs and PCI-QSACs
  • The PCI ASV (Approved Scanning Vendor)
  • The PCI Internal Security Assessor
  • The PCI Special-Interest Groups
  • Payment Application Compliance
  • PCI's PA-DSS
  • PA-QSA and PA-QSAC
  • Summary

Payment Card Industry Data Security Standard (PCI-DSS)
  • Brief History of the PCI-DSS
  • PCI Compliance Levels: Payment Brands
  • Payment Brand Compliance Programs and PCI-DSS
  • Compliance Levels and Compliance Requirements
  • Visa Merchant and Service Provider Validation Levels
  • MasterCard Merchant and Service Provider Validation Levels
  • American Express Merchant and Service Provider Compliance Validation Levels
  • Compliance Validation Levels: Identification and Implementation
  • PCI-DSS: Applicability
  • Applicability of PCI Compliance and Interplay with Compliance Validation Requirements
  • Merchant Organizations
  • Service Providers: Processors
  • Service Providers: Everybody Else
  • Cloud Service Providers
  • PCI: Attestation, Assessment, and Certification
  • The Role of a PCI-QSA
  • The PCI-DSS Requirements
  • Compensatory Controls
  • Documentation: The Report on Compliance
  • Documentation: The Attestation of Compliance
  • Summary

The Payment Application Data Security Standard (PA-DSS)
  • History and Overview of the PA-DSS
  • The Need for Payment Application Validation for PCI
  • A Brief History of the PA-DSS
  • Primer on the PA-DSS Standard
  • The PA-DSS Requirements
  • PA-DSS Validation
  • The PA-DSS Validation Process
  • The Differences in PCI-DSS and PA-DSS Validation
  • Technical Testing and Validation for the PA-DSS
  • Role of a PA-QSA
  • PA-DSS Documentation
  • The PA-DSS Report on Validation
  • The PA-DSS Implementation Guide
  • The PA-DSS Attestation of Validation
  • The PA-DSS Vendor Release Agreement
  • PA-DSS Application Revalidation
  • Annual Revalidation
  • Changes to Payment Applications
  • No-Impact Change
  • Low-Impact Change
  • High-Impact Change
  • Change-Impact Documentation
  • No-Impact Change-Impact Documentation
  • Low-Impact Change-Impact Documentation
  • High-Impact Change-Impact Documentation
  • Summary

Enterprise Approach to PCI Compliance
  • Industry Verticals and PCI Compliance
  • PCI Approaches for Different Industry Verticals
  • Basic Business Function
  • Cardholder Information Touch Points
  • The Organization Itself
  • Merchants
  • Service Providers
  • Issuing TPPs
  • Acquiring TPPs
  • Banks
  • Other Service Providers
  • Enterprise Challenges: PCI Compliance
  • Information Overload: A Perspective
  • Knowledge of the Team
  • Management Impetus
  • Budgetary Constraints
  • Technical Constraints
  • Good Practices: To Get PCI Compliant
  • PCI Taskforce
  • Create a Defined Scope
  • Don't Focus on PCI Compliance
  • Understand Risk-Always
  • Pick the Right QSA
  • Good Practices for Application Vendors: PA-DSS
  • Security from Incipiency
  • Document, Document, Document
  • Scope Out
  • Summary

Scoping for PCI Compliance
  • Scoping for PCI Compliance: A Primer
  • The Cardholder-Data Environment (CDE)
  • Defining the Cardholder-Data Environment
  • Cardholder-Data Flow
  • Cardholder-Data Matrix
  • ATM Card Processing: Acquiring
  • Card-Issuing Function
  • POS Billing and Merchant Acquisition
  • Fraud-Management Services
  • Cardholder Customer Service Management
  • Identifying Cardholder Data
  • The Role of the PCI-QSA in the CDE
  • Tips for Scope Reduction
  • Why Reduce Scope?
  • Network Segmentation
  • Scoping Out E-Commerce Applications
  • Tokenization and Other Data-Protection Techniques
  • System Components in the PCI Scope
  • Network and Network Components
  • Servers and OS Components
  • Applications
  • Summary

Requirement 1: Build and Maintain a Secure Network
  • Network Security: A Primer
  • Network Security Architecture: Enterprise
  • Network Architecture: Scoping Out
  • Benefits of Scoping Out with Network Segmentation
  • Common Resources
  • Technology: Network Segmentation
  • Network Security Requirements for PCI
  • The Network Security Documentation
  • Requirement 1.1: Firewall and Router Configuration Standards
  • PCI Assessor's Notes: Requirement 1.1
  • Network Components: Firewalls, Routers, and Other Network Components
  • Firewall and Router Specifications and Configurations
  • The Demilitarized Zone (DMZ)
  • PCI Requirements Relating to the DMZ
  • The Role of Managed Services
  • Summary

Requirement 2: Vendor-Supplied Defaults, System Passwords, and Security Parameters
  • Vendor-Supplied Default Passwords
  • Configuration Standards and Vendor-Supplied Default Passwords and Security Parameters
  • Requirement 2.1: Change Vendor-Supplied Default Passwords
  • Requirement 2.2: Configuration Standards for System Components
  • Requirement 2.2.1: One Primary Function per Server
  • Insecure Protocols and Services
  • Requirements 2.2.3 and 2.2.4
  • Security Parameters: To Prevent Misuse
  • Nonconsole Administrative Access
  • Wireless Security Consideration: Vendor-Supplied Defaults
  • PA-DSS: Application Requirements for Vendor-Supplied Defaults and Security Parameters
  • Payment Application Vendor-Supplied Defaults
  • Requirement 3.1b of the PA-DSS
  • Requirement 5.1.3 of the PA-DSS
  • Secure Network Implementation: Payment Applications
  • Requirement 5.4 of the PA-DSS
  • Requirement 8.1 of the PA-DSS
  • Requirement 6 of the PA-DSS: Wireless Security Requirements
  • Summary

Requirement 3: Protect Stored Cardholder Data
  • Storage, Retention, and Destruction of Stored Cardholder Data
  • Do You Really Need to Store Cardholder Data?
  • Policies and Procedures around Storage of Cardholder Data
  • Requirement 3.2: Sensitive Authentication Data at Rest
  • Authentication Parameters: Concept Overview
  • CVV/CVC/CAV1&2
  • PIN Verification Value (PVV) and PIN Offset
  • PIN/PIN Block
  • Authentication Parameters
  • Issuers and Storage of Sensitive Authentication Data
  • Requirement 3.2: Assessment Notes
  • Display of the Card PAN
  • Requirement 3.4: Rendering the PAN Unreadable wherever Stored
  • An Overview of Techniques to Render the PAN Unreadable
  • Use of One-Way Hashing
  • One-Way Hashing Algorithms and Security Considerations
  • Use of Truncation
  • Use of Tokenization
  • Use of Strong Cryptography
  • Rendering the PAN Unreadable Everywhere It Is Stored
  • Cryptography: Terminology and Concept Review
  • Cryptosystem
  • Key and Keyspace
  • Initialization Vector
  • Symmetric and Asymmetric Cryptography
  • Block Ciphers and Stream Ciphers
  • Block Cipher Modes of Encryption
  • Electronic Code Book
  • Cipher Block Chaining
  • Cipher Feedback
  • Output Feedback
  • Counter
  • Requirements 3.5 and 3.6: Key Security and Key Management
  • Key-Management Considerations: Enterprises
  • Key-Management Practices for Banks and Acquiring and Issuing TPPs
  • Hardware Security Module (HSM)
  • Local Master Key
  • Zone-Control Master Keys
  • PIN Working Keys
  • PIN Verification Key
  • Message Authentication Keys
  • Card Verification Keys
  • Derived Unique Key per Transaction (DUKPT)
  • Principles of Encryption and Key Management for Protecting the Stored PAN
  • Secure Key Generation
  • Single-Purpose Cryptographic Keys
  • Secure Key Storage
  • Secure Key Distribution and Exchange
  • Cryptoperiod and Key Changes
  • Dual-Key Management for Manual Cryptography
  • Summary

Requirement 4: Securing Cardholder Information in Transit
  • Requirement 4.1: Secure Transmission of Cardholder Information Over Open, Public Networks
  • Open, Public Networks: A PCI Viewpoint
  • Secure Protocols
  • HTTPS with SSL/TLS
  • Secure Shell (SSH)
  • IPSec VPN
  • Requirement 4.1.1: WiFi Security Practices for Cardholder Data Transmissions
  • Requirement 4.2: Unprotected PANs over End-User Messaging Technologies
  • Summary

Requirement 5: Use and Regularly Update Antivirus Software
  • Requirement 5.1: Use of Antivirus Programs to Protect Commonly Affected Systems
  • Antivirus Deployment within the PCI Environment (CDE)
  • Requirement 5.2: Managing the Antivirus Application
  • Managing and Monitoring the Antivirus Application for PCI Compliance
  • Commercial Applications: Antivirus Requirements
  • Summary

Requirement 6: Develop and Maintain Secure Systems
  • Requirement 6.1: Patch-Management Practices for PCI Compliance
  • Patch Management for PCI Compliance
  • Approaches to Patching and Patch Management
  • Change-Management Process of System Patch Deployment
  • Risk-Based Approach to Patch Management
  • Assessor's Notes for Verifying Patch-Management Practices
  • Requirement 6.2: Vulnerability-Management Practices for PCI Compliance
  • Secure Application Development Practices for PCI-DSS and PA-DSS
  • Requirement 6.3: Secure SDLC for Application Development
  • The Risk-Assessment Approach to Secure SDLC
  • Requirement 6.3.1: Removal of Default User Accounts, IDs, and Passwords
  • Requirement 6.3.2: Custom Code Review for Security
  • Requirement 6.4: Application Change Management and Change Control
  • Requirement 6.4.5: Change-Management Document and the Essentials of Change Control and Change Management
  • Requirements 6.4.2 and 6.4.3: Separation of Production, Development, and Test Environments
  • Requirement 6.4.3: Use of Live PANs for Testing
  • Requirement 6.4.4: Removal of Test Data in Production
  • Requirement 6.5: Secure Coding Guidelines for Applications
  • Secure Coding Guidelines: References and Best Practices
  • Requirement 6.5.1: Secure Coding to Address Injection Flaws
  • SQL Injection
  • XPath Injection
  • LDAP Injection
  • Command Injection
  • Requirement 6.5.2: Secure Coding to Address Buffer Overflows
  • Requirement 6.5.3: Secure Coding to Address Cryptographic Flaws
  • Cryptography Essentials
  • Requirement 6.5.4: Secure Coding to Address Insecure Transmissions
  • The SSL/TLS Handshake Process
  • Implementation Best Practices for Secure Transmission: Web Applications
  • Requirement 6.5.5: Secure Coding to Address Improper Error Handling
  • Requirement 6.5.6: Remediation Measures to Address High-Severity Vulnerabilities
  • Requirement 6.5.7: Secure Coding to Address Cross-Site Scripting
  • Reflected XSS
  • Persistent XSS
  • Requirement 6.5.8: Secure Coding to Address Flawed Access Control
  • Session Hijacking
  • Cross-Site Request Forgery
  • Session Fixation
  • Forceful Browsing
  • Requirement 6.5.9: Secure Coding to Address Cross-Site Request Forgery
  • Ongoing Vulnerability-Management Practices for Web Applications
  • Web-Application Vulnerability Assessments
  • Usage of a Web-Application Firewall
  • Summary

Requirement 7: Restrict Access to Cardholder Data by Business Need to Know
  • Requirement 7.1: Restrict Access to Systems with Cardholder Data
  • Access Restrictions across the PCI Environment
  • The Principle of Least Privilege
  • Documentation of Approval: Access Privileges
  • Automated Access-Control System
  • Summary

Requirement 8: Access-Control Requirements for PCI Environments
  • Unique IDs for Users: PCI Environment
  • Requirement 8.1: Assign Unique IDs to Users in PCI Environment
  • Factors of Authentication
  • The Three Factors of Authentication
  • Supplementing User IDs
  • Something You Know: Knowledge Factors
  • Something You Are: Physical Factors
  • Something You Have: Physical Token Parameters
  • Two-Factor Authentication: Remote Access
  • Protection of Passwords: Transmission and Storage
  • Protection of Passwords in Transit
  • Protection of Passwords at Rest
  • Authentication Management for PCI Environments
  • Access-Control Procedure
  • Requirement 8.5.1: Control of Operations on Access Control
  • Requirement 8.5.2: Verification of User Identity (Password Resets)
  • Requirement 8.5.3: Unique Password Value and First-Use Change
  • Requirement 8.5.4 and 8.5.5: Revocation and Removal of User Access Rights
  • Requirement 8.5.4: Revocation of User Access Rights Immediately after User Separation
  • Requirement 8.5.5: Disabling User Accounts within 90 Days
  • Requirement 8.5.6: Vendor Account Access Management
  • Requirement 8.5.8: Prohibit Shared, Group, or Generic Accounts
  • Requirements 8.5.9-8.5.15: Password Management for PCI Environments
  • Database Access Requirements for PCI Environments
  • Requirement 8.5.16: Database Authentication Requirements
  • PA-DSS Requirements for Authentication
  • Requirement 8 of PCI and Requirement 3 of the PA-DSS
  • Summary

Requirement 9: Restrict Physical Access to Cardholder Data
  • Requirement 9.1: Physical Access Controls for the PCI Environment
  • Requirement 9.1.1: Use of Cameras and/or Access-Control Mechanisms
  • Requirement 9.1.2 and 9.1.3: Restrict Physical Access to Network Components
  • The Dangers of Visitor Network Access
  • Protection Strategies for Visitor Network Access
  • Requirement 9.1.3: Physical Protection for Network Devices
  • Requirements 9.2, 9.3, and 9.4: Employee and Visitor Access
  • Visitor-Management Procedure
  • Visitor Access and Employee Access Distinctions
  • Granting Visitor Access
  • Visitor Access Privileges and Restrictions
  • Revocation of Visitor and Employee Access
  • Access to Badge System/Physical Access-Control System
  • Visitor Distinction
  • Visitor Access Records
  • Requirements 9.5-9.10: Media Management and Security
  • Requirement 9.5: Physical Security-Off-Site Media Backup Location
  • The Need for Off-Site Backup
  • Security Controls: Off-Site Backup
  • Requirements 9.9 and 9.10: Media Destruction
  • Summary

Requirement 10: Logging and Monitoring for the PCI Standards
  • Audit Trails: PCI Requirements
  • The Need for Audit Trails and Logs
  • Challenges: Log Management
  • Distributed Event Logs
  • Volume of Log Entries
  • Nonstandard Logging Practices
  • Multiple Tools
  • People Intensive
  • Access-Control Link: Audit Trails
  • Details: Audit Trail Capture
  • Audit Logs: Details
  • Individual Access to Cardholder Data
  • Actions by Root or Administrative Users
  • Access to Audit Trails
  • Invalid Access Attempts
  • Use of Identification and Authentication Mechanisms
  • Initialization of Audit Logs
  • Creation of System-Level Objects
  • Audit-Trail Entries and Records
  • User Identification
  • Type of Event
  • Date and Time
  • Indication of Success or Failure
  • Origination of Event
  • Identification of Affected System, Resource, or Component
  • Application Logging Best Practices
  • The Importance of Time and Its Consistency
  • Time Sync across IT Components
  • Network Time Protocol for Time Synchronization
  • Securing Audit Trails and Logs
  • Business Need to Know: Logs and Audit Trails
  • Securing Log Information
  • Strong Access Control
  • System Hardening
  • Centralized Log Server
  • File-Integrity Monitoring
  • Log Monitoring, Review, and Retention
  • Requirement 10.6: Log Review and Monitoring
  • Requirement 10.7: Log Retention
  • Summary

Requirement 11: Security Testing for the PCI Environment
  • Wireless Access Point: Testing
  • Testing for Rogue/Unauthorized Wireless Access Points
  • Wireless Network Scanning
  • Physical Inspection
  • Network Access Control
  • Wireless IDS/IPS Deployment
  • Internal and External Network Vulnerability Scanning
  • Vulnerability Scanning: Concept Note
  • Vulnerability Categorization
  • Vulnerability Scanning: Methodology
  • Internal and External Network Vulnerability Scanning
  • Internal and External Vulnerability Scanning
  • Network Vulnerability Scanning
  • Scanning by PCI Approved Scanning Vendor (ASV)
  • Internal and External Penetration Testing
  • Fundamental Differences: Vulnerability Assessment and Penetration Testing
  • Why Perform a Penetration Test?
  • Network-Layer Penetration Tests
  • Application-Layer Penetration Testing
  • Deployment of Intrusion Detection/Prevention Devices or Applications
  • Intrusion Detection/Prevention Systems: An Overview
  • Signature Based
  • Statistical-Based Anomaly Detection
  • Stateful Protocol Analysis Detection
  • PCI Requirement: Intrusion Detection/Prevention System
  • File-Integrity Monitoring: Critical System Files and Configurations
  • Attacks: Key System Files
  • File-Integrity Monitoring: Critical System Files, Processes, and Content Files
  • Summary

Requirement 12: Information Security Policies and Practices for PCI Compliance
  • Information Security Policy: PCI Requirements
  • Security Policy Definition
  • Risk Assessment: PCI Compliance
  • A Question of Adequacy
  • Risk Assessment: Process and Overview
  • Annual Review: Policy and Risk-Management Framework
  • Operational Security Procedures
  • Security Focus Areas
  • Acceptable Usage Policies and Procedures
  • List of Acceptable Technologies, Applications, and Devices
  • Explicit Approval for Technology Usage
  • Inventory and Labeling
  • Authentication for the Use of Technology
  • Acceptable Usage
  • Security Roles and Responsibilities
  • Documentation: Roles and Responsibilities
  • The Chief Information Security Officer
  • Distribution of Policies and Procedures and Monitoring of Security Alerts
  • User Management: Roles and Responsibilities
  • People Security Practices
  • Security Awareness Training and Monitoring
  • Employee Background Verification
  • Vendor Management and PCI Compliance
  • Vendors: Data Sharing and Risk Management
  • Incident Management and Incident Response
  • Incident-Response Plans and Procedures
  • Elements of Incident-Response Plan
  • Incident-Response Success Factors
  • Summary

Beyond PCI Compliance
  • Maintaining PCI Compliance: The Challenge
  • The Challenge: The Dilemma Produced by Success
  • The Information Problem
  • The Technology Challenge
  • Management Attitude
  • Success Factors for Continuing PCI Compliance
  • A Change of Attitude
  • Deep Understanding of Risk and Its Application
  • The CISO
  • Summary

Index

--This text refers to an alternate kindle_edition edition.


  • ASIN: B00L2EBDSG
  • Publisher: Auerbach Publications; 1st edition (May 5, 2014)
  • Publication date: May 5, 2014
  • Language: English
  • File size: 26197 KB
  • Text-to-Speech: Not enabled
  • X-Ray: Not enabled
  • Word Wise: Not enabled
  • Print length: 351 pages

