BKPCICPL.RVW 20080306

"PCI Compliance", Tony Bradley et al, 2007, 978-1-59749-165-5, U$59.95
%A Tony Bradley
%A James D. Burton
%A Anton Chuvakin www.chuvakin.org
%A Anatoly Elberg
%A Brian Freedman
%A David King
%A Scott Paladino www.eds.com
%A Paul Schooping
%C 800 Hingham Street, Rockland, MA 02370
%D 2007
%G 978-1-59749-165-5 1-59749-165-9
%I Syngress Media, Inc.
%O U$59.95 781-681-5151 fax: 781-681-3585 www.syngress.com
%O http://www.amazon.com/exec/obidos/ASIN/1597491659/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/1597491659/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/1597491659/robsladesin03-20
%O Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P 329 p.
%T "PCI Compliance"

The Payment Card Industry Data Security Standard (PCI DSS, generally referred to simply as PCI) is currently the security framework of greatest concern to those in the retail sector.

Chapter one very tersely introduces PCI and states that the book is written at a strategic level appropriate for senior managers. This assertion of an executive audience is somewhat at odds with the declaration, in chapter two, that the book is intended for small and medium-sized businesses. (The chapter otherwise notes a few instances of credit card fraud.) The PCI elements of (and terms for) merchant levels, assessors, and the six control objectives (and twelve requirements) are given a quick overview in chapter three.

Chapter four presents general concepts related to firewalls and intrusion detection systems, but does not completely fulfill the titular promise of suggesting how to build and maintain a secure network. (Some additional topics are mentioned, such as a brief reference to computer virus scanning.) Most of chapter five, relating to protection of cardholder data, concentrates on encryption. However, there is a repeat of some of the network material from the previous chapter, as well as a rather confused mention of information classification. Chapter six deals with log data, both from the perspective of requirement 10 (which mandates monitoring) and in relation to some of the other requirements as well.

The fourth control objective, comprising requirements seven, eight, and nine, addresses access control. Chapter seven provides a good, general overview of the topic, with the material being padded out by fourteen pages of Windows screenshots. Vulnerability management, in chapter eight, mentions requirements five (antivirus), six (secure application development), and eleven (testing), but in a confused and confusing manner. Since monitoring is covered in chapter six, and testing in chapter eight, it is difficult to see what purpose chapter nine serves in terms of recovery, monitoring and testing.

A mostly generic look at project management makes up chapter ten. Similarly vague and banal is the material on roles and responsibilities, in chapter eleven, and the advice on how to react to the findings from a security audit, in chapter twelve. Chapter thirteen suggests that, once you are compliant with the PCI standard, you conduct a periodic self-assessment. (There is also a terse list of areas to check.)

The book could have been considerably shorter, and perhaps more helpful, had it concentrated more on the PCI standard and specific details. However, given the current interest in PCI, it does provide a useful introduction, with a large amount of extraneous padding.

copyright Robert M. Slade, 2008