PCI Compliance - Anton Chuvakin, Branden R. Williams

PCI Compliance (eBook)

Understand and Implement Effective PCI Data Security Standard Compliance

Anton Chuvakin, Branden R. Williams (Autoren)

eBook Download: PDF | EPUB

2014 | 4. Auflage
386 Seiten
Elsevier Science (Verlag)
978-0-12-801651-0 (ISBN)

Identity theft and other confidential information theft have now topped the charts as the leading cybercrime. In particular, credit card data is preferred by cybercriminals. Is your payment processing secure and compliant? The new Fourth Edition of PCI Compliance has been revised to follow the new PCI DSS standard version 3.0, which is the official version beginning in January 2014. Also new to the Fourth Edition: additional case studies and clear guidelines and instructions for maintaining PCI compliance globally, including coverage of technologies such as NFC, P2PE, CNP/Mobile, and EMV. This is the first book to address the recent updates to PCI DSS. The real-world scenarios and hands-on guidance are also new approaches to this topic. All-new case studies and fraud studies have been added to the Fourth Edition. Each chapter has how-to guidance to walk you through implementing concepts, and real-world scenarios to help you relate to the information and better grasp how it impacts your data. This book provides the information that you need in order to understand the current PCI Data Security standards and how to effectively implement security on network infrastructure in order to be compliant with the credit card industry guidelines, and help you protect sensitive and personally-identifiable information. - Completely updated to follow the most current PCI DSS standard, version 3.0 - Packed with help to develop and implement an effective strategy to keep infrastructure compliant and secure - Includes coverage of new and emerging technologies such as NFC, P2PE, CNP/Mobile, and EMV - Both authors have broad information security backgrounds, including extensive PCI DSS experience

Branden R. Williams (CISSP, CISM, CPISA, CPISM) leads an information security practice in a Global Security Consulting group at a major security firm in Flower Mound, TX and teaches in the NSA Certified Information Assurance program at the University of Dallas's Graduate School of Management. Branden has been involved in information technology since 1994, and focused on information security since 1996. He started consulting on payment security in 2004, assessing companies against the Visa CISP and Mastercard SDP programs. He has a Bachelors of Business Administration in Marketing from the University of Texas, Arlington, and a Masters of Business Administration in Supply Chain Management and Market Logistics from the University of Dallas.Branden publishes a monthly column in the ISSA Journal entitled 'Herding Cats,' and authors a blog at http://www.brandenwilliams.com/.

Chapter 2

Introduction to fraud, data theft, and related regulatory mandates

Abstract

This chapter explains cybercrime and regulations, and provides a brief look at payment card fraud, cybercrime, ID theft, and other topics around PCI DSS.

Keywords

Fraud

Identity Theft

Regulatory Compliance

Cybercrime

Credit card fraud, identity theft, and broader personal data theft are problems that plague our information-dependent society and predate the age of the Internet. Ironically, things such as automated processing of financial data that make your life easier and more convenient also make crime easier and more convenient. Moreover, the Internet allowed crime that only happened on a small scale to grow and spread globally, and the Internet’s scalability turned electronic-based crimes into a global concern.

Some crime was automated and changed from rare to widespread, for example, Nigerian e-mail or UK Lottery scams. Gone are the days where criminals need to be in the same location, country, or even continent to scam you out of your hard-earned cash. Nigerian e-mail scams started many years ago and are profitable for the scammers. They send out millions of e-mails claiming to be a relative of a Nigerian dignitary with frozen assets and want you to transfer the money for them. You give them your bank account information and/or send them “seed money” to get things moving and end up with nothing. UK Lottery scams aren’t much different with the same basic constructs to get you a cash prize.

Criminals have gone high-tech and have discovered that there is a significant amount of money to be made with very little risk. Hacking a company database or orchestrating a phishing attack while sitting in your pajamas and eating Extreme Doritos in the living room of your house has much more appeal than physically robbing banks or convenience stores. The advancement of automated exploit kits such as Metasploit has made couch-hacking more effective for even the slightly knowledgeable. Add to that the lower risk of a confrontation with firearms and electronic crime becomes even more attractive! Depending on the company being targeted, the sophistication of the attack, and sheer luck, sometimes the high-tech crime may also be significantly more lucrative than traditional armed robbery. Sadly, cross-border prosecution issues significantly fuel a cybercriminal’s activity. When a criminal physically robs a convenience store, he is probably caught on tape and there are witnesses. In addition, law enforcement will mobilize quickly to find and catch the criminal so he may be brought to justice. Cybercriminals have a couple of things working in their favor, the first of which is their ability to commit crime without ever stepping into the physical location of their victim(s). Couple that with lagging cybersecurity laws in most countries and the limited ability for the victim’s law enforcement bodies to prosecute outside their borders and you have an idea on why cybercrime is on the rise. In addition, the whole ecosystem of criminal outsourcing now allows other criminals to only focus on the activities they do best, such as creating malicious software or conducting crime through botnets.

Malicious software (malware) and cybercriminals are not the only threat. Sadly, the very companies and organizations that are entrusted with sensitive information are often to blame because of a lack of adequate controls to protect sensitive information. In some companies information security is treated with apathy; in others, a lack of effective controls enables an insider to commit fraud. Consumers and businesses are faced with a wide variety of threats to their data and personal information on any given day.

Spyware, phishing attacks, drive-by downloads, and botnets are all computer attacks that are on the rise and pose a significant threat to corporate and home users as they connect to the Internet from their computers. However, those threats pale in comparison with the amount of personally identifiable information and sensitive data available to be compromised due to carelessness or negligence by individuals and corporations.

Tools

Did you know that the Privacy Rights Clearinghouse has tracked all reported breaches since the ChoicePoint breach on February 15, 2005 (as well as including additional breaches disclosed prior)? To see all these breaches with an explanation and amount of records lost, point your browser at www.privacyrights.org/data-breach.

DatalossDB at http://datalossdb.org/ is another useful site for tracking the impact of data breaches. Despite its name, most of the recorded and analyzed data “loss” incidents are really data theft and abuse incidents. DatalossDB crew does an awesome job of tracking all publicly reported incidents and digs out the details on them.

As of today, over a 500 million various personal information records have been lost or stolen. Every year since the ChoicePoint breach, we’ve seen major companies fall victim to Payment Card Industry (PCI)-related security breaches. DSW Retail in 2005, The U.S. Department of Veteran’s Affairs in 2006 (and in later years), The TJX Companies in 2007, Hannaford Brothers in 2008, Heartland Payment Systems in 2009, Albrecht Discount in 2010, Sony in 2011, KT Corporation in 2012, and the various retailers in 2013–2014 that have reported breaches including Target and Nieman Marcus continue to demonstrate both the poor state of security and increasing sophistication and numbers of the bad guys (as more and more countries have growing populations on the Internet) who want this data and know how to profit from it.

In an “Information is King” era, when more consumers are using computers and the Internet to conduct business and make purchases, taking the proper steps to secure and protect personally identifiable information and other sensitive data has never been more important. It is bad for companies, individuals, and the economy at large if consumer confidence is eroded by having personal information exposed or compromised. Credit card brands are definitely not the only entities suffering from such possible loss of confidence.

Note

Take a step back from the text for a minute and adjust your mindset to think of yourself as a general consumer, Internet user, or citizen—not as a security or payment professional. What data do you hold dear? Think through the following list of scenarios:

What data or information about me can be considered sensitive and should not be disclosed, be corrupted, or be made permanently or temporarily unavailable? Think of a broad range of types of information—from a rare photo to your bank account number, medical history, or information about anything you’ve done that you are not proud of.

Think whether this information exists in any electronic form, on your computers or anywhere else? Is that picture on your “private” Facebook page—an oxymoron if there ever was one—or present in an e-mail spool somewhere?

Next, think whether this information exists on some system connected to the Internet (possibly indexed by a helpful engine). Sadly, the answer today would be “yes” for almost all (!!!) information people consider sensitive. For example:

Credit card information—check

Bank account information—check

Personal financial records—check

Tax records—check

Legal proceedings—check

Sensitive personal files—check

Health records—check.

Think what will happen if this information is seen, modified, or deleted by other people. Will it be an annoyance, a real problem, or a disaster for you? What if it’s just on a decommissioned hard drive that fell of the back of a truck?

Now, think about what protects that information from harm. Admittedly, in many cases, you don’t know for sure. We can assure you that sometimes your assumption that the information is secure will be just that—an assumption—with no basis.

Going through this list helps you not only understand data security rationally but also feel it in your “gut.”

Information technologists are affected by a number of laws and regulations designed to coax businesses into addressing their security problems. Depending on what industry a company serves, they may fall under Sarbanes–Oxley (SOX), the Gramm–Leach–Bliley Act of 1999, the Health Insurance Portability and Accountability Act (HIPAA), Federal Information Security Management Act, and other regulatory mandates that we mentioned in the very beginning of Chapter 1. Maybe this confusing hodgepodge of alphabet soup—and that is without European and other regional mandates and regulations—makes for a tough job understanding how to comply with all these measures, as many organizations still fail to enforce adequate security. The Unified Compliance Framework that can be found at www.unifiedcompliance.com tracks hundreds of IT-relevant regulations, and many commercially available e-Governance Risk and Compliance (eGRC) tools such as RSA’s Archer or IBM’s OpenPages can help build, manage, and reference a common control set to cover all of these...

Erscheint lt. Verlag	7.11.2014
Sprache	englisch
Themenwelt	Informatik ► Netzwerke ► Sicherheit / Firewall
	Informatik ► Office Programme ► Outlook
	Mathematik / Informatik ► Mathematik ► Angewandte Mathematik
	Wirtschaft ► Betriebswirtschaft / Management ► Unternehmensführung / Management
ISBN-10	0-12-801651-5 / 0128016515
ISBN-13	978-0-12-801651-0 / 9780128016510

Haben Sie eine Frage zum Produkt?

PDF (Adobe DRM)
Größe: 5,0 MB

Kopierschutz: Adobe-DRM
Adobe-DRM ist ein Kopierschutz, der das eBook vor Mißbrauch schützen soll. Dabei wird das eBook bereits beim Download auf Ihre persönliche Adobe-ID autorisiert. Lesen können Sie das eBook dann nur auf den Geräten, welche ebenfalls auf Ihre Adobe-ID registriert sind.
Details zum Adobe-DRM

Dateiformat: PDF (Portable Document Format)
Mit einem festen Seitenlayout eignet sich die PDF besonders für Fachbücher mit Spalten, Tabellen und Abbildungen. Eine PDF kann auf fast allen Geräten angezeigt werden, ist aber für kleine Displays (Smartphone, eReader) nur eingeschränkt geeignet.

Systemvoraussetzungen:
PC/Mac: Mit einem PC oder Mac können Sie dieses eBook lesen. Sie benötigen eine Adobe-ID und die Software Adobe Digital Editions (kostenlos). Von der Benutzung der OverDrive Media Console raten wir Ihnen ab. Erfahrungsgemäß treten hier gehäuft Probleme mit dem Adobe DRM auf.
eReader: Dieses eBook kann mit (fast) allen eBook-Readern gelesen werden. Mit dem amazon-Kindle ist es aber nicht kompatibel.
Smartphone/Tablet: Egal ob Apple oder Android, dieses eBook können Sie lesen. Sie benötigen eine Adobe-ID sowie eine kostenlose App.
Geräteliste und zusätzliche Hinweise

Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.

EPUB (Adobe DRM)
Größe: 4,5 MB

Dateiformat: EPUB (Electronic Publication)
EPUB ist ein offener Standard für eBooks und eignet sich besonders zur Darstellung von Belletristik und Sachbüchern. Der Fließtext wird dynamisch an die Display- und Schriftgröße angepasst. Auch für mobile Lesegeräte ist EPUB daher gut geeignet.

Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.

Print-Ausgabe

Buch | Softcover

CHF 95,95