Appendix 4 – Further Useful Information – PCI DSS: A Practical Guide to implementing and maintaining compliance, Third Edition

APPENDIX 4 – FURTHER USEFUL INFORMATION

In the process of compiling this guide, I reviewed and investigated many different entities that could potentially help you with your PCI compliance programme. Notwithstanding the useful and imperative information you will gain from your chosen QSA and/or ASV (lists available from www.pcisecuritystandards.org/); it may be worth you investigating some of the products available from these entities, as they may help you in your quest to gain PCI compliance.

www.itgovernance.co.uk/pci_dss.aspx

IT Governance Ltd, the publishers of this book, also maintain a comprehensive collection of PCI DSS resources, as well as a one-stop-shop for everything to do with governance, risk management, compliance and information security. Products and services include information, advice, books, tools, training and consultancy.

www.itil.org.uk

ITIL (the IT Infrastructure Library) is essentially a series of documents that are used to aid the implementation of a lifecycle framework for IT service management. This customisable framework defines how service management is applied within an entity. It also aligned with the international Standard, ISO20000. I would personally recommend anyone who wants to ensure they understand IT and its relationship with the business would benefit from learning about ITIL.

www.fsa.gov.uk

The FSA is responsible for the regulation of the UK financial system, with the FSA register being a public record of financial services firms, individuals and other bodies which fall under its jurisdiction. The FSA has been given a wide range of rule-making, investigatory and enforcement powers in order to meet its statutory objectives.

www.sec.gov

The mission of the US Securities and Exchange Commission is to protect investors, maintain fair, orderly, and efficient markets, and facilitate capital formation. This is similar to the role of the UK’s FSA and therefore some regulation ideas are discussed between these entities.

www.ftc.gov

The US Federal Trade Commission deals with issues that touch the economic life of every American. It is the only federal agency with both consumer protection and competition jurisdiction in broad sectors of the economy. The FTC pursues vigorous and effective law enforcement; advances consumers’ interests by sharing its expertise with federal and state legislatures and US and international government agencies; develops policy and research tools through hearings, workshops, and conferences; and creates practical and plain-language educational programmes for consumers and businesses in a global market place with constantly changing technologies. This site has some really useful reports, well worth exploring and keeping an eye on, as much of what affects our cousins in the States usually affects us.

www.gartner.com

Gartner Research is an independent, insightful, and instantly applicable resource for tens of thousands of technology professionals on a daily basis. Despite this, it can be rather costly to download some of their excellent and useful reports, so choose carefully.

www.forrester.com

Forrester Research, Inc. is an independent technology and market research entity that provides pragmatic and forward-thinking advice to global leaders in business and technology. For more than 24 years, Forrester has been making leaders successful every day through its proprietary research, consulting, events, and peer-to-peer executive programmes. The good thing about Forrester is that it offers a money back guarantee and some of the information is available free to download.

www.fbi.gov

This site has extremely valuable and credible reports to help you. The FBI’s mission is to help protect you, your communities, and your businesses from the most dangerous threats facing the USA – from international and domestic terrorists to spies on US soil … from cyber villains to corrupt government officials … from mobsters to violent gangs … from child predators to serial killers. You can learn more about the FBI’s work with law enforcement and intelligence partners across the country and around the globe.

www.sans.org/

SANS is the most trusted and by far the largest source for information security training, certification and research in the world. They offer renowned computer, software and network security training, certification through their GIAC affiliate, free resources for research and global incident response, in-depth training in computer security, firewall protection, hacking, intrusion Detection, CISSP CBK and much more.

www.theregister.co.uk

The Register is a useful website full of bite size IT related information; it can be used to simply supplement any information you wish to present to help you build your business case for PCI compliance.

www.nist.gov

Founded in 1901, NIST is a non-regulatory federal agency within the US Department of Commerce. NIST’s mission is to promote US innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.

Now for some product supporting information. Although throughout this guide I have tried to avoid the referral towards certain vendors, sometime it is inevitable. Therefore, listed below are some of the vendor and product entities that could specifically help you in your PCI deliberations.

www.itgovernance.co.uk/pci_dss.aspx

IT Governance provides a comprehensive range of information security books, tools and software, including a PCI DSS toolkit, a risk assessment tool and a full range of training and consultancy services.

www.ecora.com

Ecora’s automated software solutions discover an entity’s critical systems and collect configuration data – including security-related data such as credentials, permissions, access controls, and more in a centralised Configuration Management Database (CMDB). They also have a compliance tool (Auditor Pro 4.5), that appears to significantly help improve the efficiencies of your PCI compliance requirements.

www.loglogic.com

LogLogic™ provides the world’s leading enterprise-class platform for collecting, storing, reporting and alerting on 100 per cent of IT log data from virtually any device, operating system or application.

www.securityinnovation.com

Security Innovation is an authority on application security and a leading independent provider of risk assessment, risk mitigation and education services to mid-size and Fortune 500 entities.

www.tripwire.com

Tripwire is the recognised leader of configuration audit and control software. Tripwire Enterprise is the first to combine configuration change auditing with configuration assessment, helping IT entities automate compliance across the data centre.

www.qualys.com

Qualys, Inc., the leading provider of on demand vulnerability management and policy compliance solutions, helps entities of all sizes discover vulnerabilities, ensure regulatory compliance and prioritise remediation according to business risk.

www.ssh.com

Founded in 1995, SSH Communications Security is a world-leading provider of enterprise security solutions and end-to-end communications security, and the original developer of the Secure Shell protocol.

www.itcinstitute.com/

The IT Compliance Institute (ITCi) strives to be a global authority on the role of technology in business governance and regulatory compliance. Through comprehensive education, research, and analysis related to emerging government statutes and affected business and technology practices, they help entities overcome the challenges posed by today’s regulatory environment and find new ways to turn compliance efforts into capital opportunities.

PCI DSS available resources

In addition, the IT Governance website
(www.itgovernance.co.uk/pci_dss.aspx) is packed full of useful information and therefore you should download everything available and digest all this free information – before embarking on the PCI compliance project.

Information available includes:

Glossary – this document defines terms used in PCI DSS v2 and the other resources available to ASVs and QSAs.
The PCI self-assessment questionnaire (SAQ)

This is an important validation tool that is primarily used by smaller merchants and service providers to demonstrate compliance to the PCI DSS. The currently posted version of the SAQ is based on the Payment Card Industry (PCI) Data Security Standard (DSS) v. January 2005, and it will be valid until the next version is released.

Payment card industry self-assessment questionnaire (pdf)

PCI DSS payment card industry self-assessment questionnaire (locked Word)

The security audit procedures document is designed for use by assessors conducting on-site reviews for merchants and service providers required to validate compliance with PCI DSS requirements. The requirements and audit procedures presented in this document are based on the PCI DSS.

PCI DSS security audit procedures (pdf)

PCI DSS security audit procedures (locked Word)

PCI security scanning procedures. The purpose and scope of the PCI DSS security Scan for merchants and service providers subject to scans to help validate compliance with the PCI DSS. ASVs also use this document to assist merchants and service providers in determining the scope of the PCI security scan.

PCI DSS security scanning procedures

PCI DSS validation requirements for qualified security assessors (QSAs) v 1.2.

To be recognised as a QSA by PCI SSC, QSAs must meet or exceed the requirements described in this document and execute the QSA agreement with PCI SSC attached to this document as Appendix A.

PCI qualified security assessor (QSA) agreement sample

QSA feedback form

PCI DSS validation requirements for approved Scanning vendors (ASVs) v 1.1

Recognition as an ASV by PCI SSC requires the ASV, its employees, and its scanning solution to meet or exceed the described requirements and execute the ‘PCI ASV compliance test agreement’ attached as Appendix A with PCI SSC. The entities that qualify are then identified on PCI SSC’s ASV list on PCI SSC’s website in accordance with the agreement.

PCI ASV compliance test agreement sample ASV

Feedback form

PCI DSS technical and operational requirements for
approved scanning vendors (ASVs) v 1.1

This document provides guidance and requirements applicable to ASVs in the framework of the PCI DSS and associated payment brand data protection programmes. Security scanning entities interested in providing scan services as part of the PCI programme must comply with the requirements in this document and must successfully complete the PCI security scanning vendor testing and approval process.

PCI DSS approved scanning vendors

This list is updated on a regular basis. Any ASV that carries out a scan must be on the list at the point that the scan is carried out.