REVIEW: "PCI Compliance", Tony Bradley et al
- BKPCICPL.RVW 20080306
"PCI Compliance", Tony Bradley et al, 2007, 978-1-59749-165-5, U$59.95
%A Tony Bradley
%A James D. Burton
%A Anton Chuvakin www.chuvakin.org
%A Anatoly Elberg
%A Brian Freedman
%A David King
%A Scott Paladino www.eds.com
%A Paul Schooping
%C 800 Hingham Street, Rockland, MA 02370
%G 978-1-59749-165-5 1-59749-165-9
%I Syngress Media, Inc.
%O U$59.95 781-681-5151 fax: 781-681-3585 www.syngress.com
%O Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P 329 p.
%T "PCI Compliance"
The Payment Card Industry Data Security Standards (PCI DSS, generally
referred to simply as PCI) document is currently the security
framework that is of greatest concern to those in the retail sector.
Chapter one very tersely introduces PCI and states that the book is
written at a strategic level appropriate for senior managers. This
assertion of an executive audience is somewhat at odds with the
declaration, in chapter two, that the book is intended for small and
medium-sized businesses. (The chapter otherwise notes a few instances
of credit card fraud.) The PCI elements of (and terms for) merchant
levels, assessors, and the six control objectives (and twelve
requirements) are given a quick overview in chapter three.
Chapter four presents general concepts related to firewalls and
intrusion detection systems, but does not completely fulfill the
titular promise of suggesting how to build and maintain a secure
network. (Some additional topics are mentioned, such as a brief
reference to computer virus scanning.) Most of chapter five, relating
to protection of cardholder data, concentrates on encryption.
However, there is a repeat of some of the network material from the
previous chapter, as well as a rather confused mention of information
classification. Chapter six deals with log data, both from the
perspective of requirement 10 (which mandates monitoring) and in
relation to some of the other requirements as well. The fourth
control objective, comprising requirements seven, eight, and nine,
addresses access control. Chapter seven provides a good, general
overview of the topic, with the material being padded out by fourteen
pages of Windows screenshots. Vulnerability management, in chapter
eight, mentions requirements five (antivirus), six (secure application
development), and eleven (testing), but in a confused and confusing
manner. Since monitoring is covered in chapter six, and testing in
chapter eight, it is difficult to see what purpose chapter nine serves
in terms of recovery, monitoring and testing. A mostly generic look
at project management makes up chapter ten. Similarly vague and banal
is the material on roles and responsibilities, in chapter eleven, and
advice on how to react to the findings from a security audit, in
chapter twelve. Chapter thirteen suggests that, once you are
compliant with the PCI standard, you undertake a periodic
self-assessment. (There is also a terse list of areas to check.)
The book could have been considerably shorter, and perhaps more
helpful, had it concentrated more on the PCI standard and specific
details. However, given the current interest in PCI, it does provide
a useful introduction, with a large amount of extraneous padding.
copyright Robert M. Slade, 2008 BKPCICPL.RVW 20080306