
PCI DSS
A practical guide to implementation
Author: Steve Wright
Publisher: IT Governance Publishing (2008)
ISBN: 9781905356454
Pages: 184
Price: ~£40, US$80 or €50 from IT Governance
Conclusion

If you are an experienced information security professional or project manager tasked with your first PCI DSS implementation, this book (coupled with PCI DSS itself and various other sources of guidance) will be a worthwhile starting point and companion on your journey to compliance. It is good value and easy to read, providing many pragmatic tips.
Scope and objective

This short book is intended to be a practical guide, giving implementation advice and tips on the Payment Card Industry Data Security Standard (PCI DSS). It supplements PCI DSS and as such is not intended to be a totally comprehensive guide but rather a useful adjunct to other relevant information sources.
Audience

The book is aimed at those tasked with implementing PCI DSS - project managers, executives and security officers. The brevity would suit busy managers or senior consultants with significant experience of information security and/or project management, but this is no tutorial for students and junior consultants coming to PCI DSS, information security and project management for the first time.
Author

Steve Wright is a senior consultant with experience in information security architecture and governance, including of course PCI DSS plus ISO27k, ISO 20000, PAS99, BS25999, PAS 77, Tickit and ISO 13335, CRAMM, COBRA, OGC M_o_R, and ISF’s IRAM. He works for the risk advisory practice at PricewaterhouseCoopers and manages the security management practice for Siemens Insight. Steve has undertaken information security projects for UK government agencies and global corporations, and lectures on information risk management. He is the director for the British Computer Society Information Security Examination Board’s Management of Risk course. Read more on Steve’s website www.ISO27002.info.
Writing style

The main chapters intersperse outline summaries of the PCI DSS requirements with bullet-point tips on how best to interpret and apply those requirements in practice. The latter read like the succinct personal notes a PCI DSS project manager might keep from assignment to assignment as he/she builds experience, and as such are interesting prompts for information security or project managers new to PCI DSS.
Content, utility & value

Chapter by chapter, the guide steps through the ‘typical’ PCI DSS implementation process from initial planning to post-completion maintenance, but the nine main chapters are rather brief (e.g. just 900 words in Chapter 1 “Establishing the PCI Project” and around 500 in Chapter 3 “Review the Information Security Policy”). There are numerous numbered or bullet-point lists providing just the essentials without a huge amount of context or explanation - readers are generally assumed to be competent information security and/or project management specialists who will appreciate Steve’s hints.

Chapter 10 compares and contrasts the requirements of PCI DSS with those of ISO/IEC 27001 and 27002 (ISO27k). The author makes the point that ISO27k emphasizes the management system aspects of information security, which are deliberately flexible, allowing all types of organizations to develop their own security requirements based on risk analysis, whereas PCI DSS is more prescriptive and narrowly focused on financial services and merchant organizations. While the imperative for in-scope organizations to comply with PCI DSS is likely to be a strong driver and a reason for limiting the scope of the project, it is worthwhile treating the PCI DSS controls as an integral part of a full-scope Information Security Management System based on ISO27k, since the standards are complementary and mutually supporting.

A simple implementation project checklist and a skeletal project plan in two of the appendices could be used as basic starting points for project planners. The short bibliography references offline and online sources (including this website!), unfortunately without stating why readers might find them useful and without citing them fully in the main text, although there is also a separate appendix with annotated references to general sources of advice and PCI DSS-related products.