The Definitive Guide to PCI Dss Version 4: Documentation, Compliance, and Management

This book is your go-to reference on how to achieve PCI compliance. With more than 400 PCI requirements, the updated PCI Data Security Standard (PCI DSS) v4.0 does not detail the specific documentation that a PCI auditor--known as a Qualified Security Assessor (QSA)--needs to know. This book is the first reference to detail the specific documentation needed for every PCI requirement. The authors provide real-world examples of complying with the 12 main PCI requirements and clarify many of the gray areas within the PCI DSS.
Any merchant or service provider that stores, processes, or transmits credit card data must comply with the PCI Data Security Standard. PCI DSS 1.0 was first published in 2004, yet many of those tasked with PCI compliance still encounter difficulties when trying to make sense of it. PCI DSS version 4 was published in March 2022, and at 360 pages, it has numerous additional requirements, leaving many people struggling to know what they need to do to comply.

PCI DSS v4.0 has a transition period in which PCI DSS version 3.2.1 will remain active for two years from the v4.0 publication date. Although the transition period ends on March 31, 2024, and may seem far away, those tasked with PCI compliance will need every bit of the time to acquaint themselves with the many news updates, templates, forms, and more, that PCI v4.0 brings to their world.

What You'll Learn

• Know what it takes to be PCI compliant
• Understand and implement what is in the PCI DSS
• Get rid of cardholder data
• Everything you need to know about segmenting your cardholder data network
• Know what documentation is needed for your PCI compliance efforts
• Leverage real-world experience to assist PCI compliance work

Who This Book Is For

Compliance managers and those tasked with PCI compliance, information security managers, internal auditors, chief security officers, chief technology officers, and chief information officers. Readers should have a basic understanding of how credit card payment networks operate, in addition to basic security concepts.

這本書是關於如何達到PCI合規性的參考資料。根據超過400個PCI要求，更新的PCI數據安全標準（PCI DSS）v4.0並未詳細說明PCI審計師（被稱為合格安全評估師（QSA））需要了解的具體文件。這本書是第一本詳細介紹每個PCI要求所需文件的參考資料。作者提供了符合12個主要PCI要求的實際案例，並澄清了PCI DSS中的許多灰色地帶。

任何存儲、處理或傳輸信用卡數據的商家或服務提供商都必須遵守PCI數據安全標準。PCI DSS 1.0首次發佈於2004年，然而，許多負責PCI合規性的人在試圖理解它時仍然遇到困難。PCI DSS版本4於2022年3月發佈，共有360頁，增加了許多要求，使許多人難以知道他們需要做什麼才能達到合規性。

PCI DSS v4.0有一個過渡期，在此期間，PCI DSS版本3.2.1將從v4.0發佈日期起保持有效兩年。儘管過渡期將於2024年3月31日結束，並且可能看起來還很遙遠，但那些負責PCI合規性的人需要利用這段時間熟悉許多新的更新、模板、表格等，這些都是PCI v4.0帶給他們的。

你將學到什麼

- 了解成為PCI合規的要求
- 理解並實施PCI DSS中的內容
- 清除持卡人數據
- 關於分割持卡人數據網絡的一切
- 知道PCI合規性工作所需的文件
- 利用實際經驗協助PCI合規性工作

適合閱讀對象

合規經理和負責PCI合規性的人、信息安全經理、內部審計師、首席安全官、首席技術官和首席信息官。讀者應該對信用卡支付網絡的運作方式有基本的了解，以及基本的安全概念。

Arthur B. Cooper Jr. ("Coop") is Principal Security Consultant at TrustedSec. He has 44 years of experience in information technology with the last 17 years focused on the security of payment systems and architectures, ecommerce, payment application assessments, forensic investigations, compliance security assessments, development of secure network architectures, risk management programs, security governance initiatives, and regulatory compliance. Coop was a member of the US Air Force for most of his young adult life and had direct experience with the original ARPANET and ARPANET 1822 Protocols. He was directly involved with the original DoD X.25 networks, the Defense Data Network (DDN), and the Automatic Digital Information Network (AUTODIN). He was directly involved with the original BBN Packet Switch Node (PSN) systems and has witnessed every major information technology "leap" or development since that time.

Coop was the Standards Trainer for the Payment Card Industry Security Standards Council (PCI SSC) for three years from 2010 to 2013 and has been a consultant to some of the largest retail companies and financial institutions in the world. He has worked with businesses to improve their overall security posture and to meet compliance regulations such as PCI, HIPAA, GLBA, and SOX. Coop is an experienced team leader and IT security expert who can ensure timely and successful completion of projects, as well as an enthusiastic security engineer researching emerging security technologies, trends, and tools. His certifications include: Security +, CEH, CISA, CDPSE, CISSP, PCIP, and PCI QSA.

Jeff Hall is Principal Security Consultant at Truvantis, Inc. He has over 30 years of technology and compliance project experience. Jeff has done a significant amount of work with financial institutions, and the health care, manufacturing, and distribution industries, including security assessments, strategic technology planning, and application implementation. He is part of the PCI Dream Team and is the writer of the PCI Guru blog, the definitive source for PCI DSS information.

David Mundhenk is Principal Security Consultant at the Herjavec Group, as an information security, governance, risk, and compliance consultant with extensive multi-organizational experience providing a myriad of professional security services to business and government entities worldwide. He has worked as a computer and network systems security professional for more than 30 years. David's experience covers a broad spectrum of security disciplines, including security compliance assessments, security product quality assurance, vulnerability scanning, penetration testing, application security assessments, network and host intrusion detection/prevention, disaster and recovery planning, protocol analysis, formal security training instruction, and social engineering. He has successfully completed 200+ PCI DSS assessments, and scores of PA-DSS assessments.

Ben Rothke, CISSP, CISM, CISA is a New York city-based Senior Information Security Manager with Tapad and has over 20 years of industry experience in information systems security and privacy. His areas of expertise are in risk management and mitigation, security and privacy regulatory issues, design and implementation of systems security, encryption, cryptography, and security policy development. Ben is the author of the book Computer Security - 20 Things Every Employee Should Know, and writes security and privacy book reviews for the RSA Conference blog and Security Management. He is a frequent speaker at industry conferences, such as RSA and MISTI, is a member of ASIS, and InfraGard, and holds many security certifications, besides being an ISO 27001 lead auditor.

Arthur B. Cooper Jr.（"Coop"）是TrustedSec的首席安全顧問。他在資訊技術領域擁有44年的經驗，其中過去17年專注於支付系統和架構的安全、電子商務、支付應用評估、法庭調查、合規安全評估、安全網絡架構的開發、風險管理計劃、安全治理倡議和法規合規等領域。Coop在他的年輕成年生活中是美國空軍的成員，並且直接參與了原始的ARPANET和ARPANET 1822協議。他直接參與了原始的美國國防部X.25網絡、國防數據網絡（DDN）和自動數字信息網絡（AUTODIN）。他直接參與了原始的BBN Packet Switch Node（PSN）系統，並見證了自那時以來的每一個重大信息技術的"飛躍"或發展。

Coop曾在2010年至2013年期間擔任支付卡行業安全標準委員會（PCI SSC）的標準培訓師，並曾擔任全球最大的零售公司和金融機構的顧問。他曾與企業合作，改善其整體安全狀態，並滿足PCI、HIPAA、GLBA和SOX等合規要求。Coop是一位經驗豐富的團隊領導者和IT安全專家，可以確保項目的及時和成功完成，同時也是一位熱情的安全工程師，研究新興的安全技術、趨勢和工具。他的認證包括：Security +、CEH、CISA、CDPSE、CISSP、PCIP和PCI QSA。

Jeff Hall是Truvantis, Inc.的首席安全顧問。他擁有超過30年的技術和合規項目經驗。Jeff在金融機構、醫療保健、製造和分銷等行業進行了大量的工作，包括安全評估、戰略技術規劃和應用實施。他是PCI Dream Team的一員，也是PCI Guru博客的作者，該博客是PCI DSS信息的權威來源。

David Mundhenk是Herjavec Group的首席安全顧問，是一位信息安全、治理、風險和合規顧問，具有豐富的多組織經驗，為全球的企業和政府實體提供各種專業安全服務。他在計算機和網絡系統安全專業方面有超過30年的工作經驗。David的經驗涵蓋了廣泛的安全領域，包括安全合規評估、安全產品質量保證、漏洞掃描、滲透測試、應用安全評估、網絡和主機入侵檢測/防禦、災難恢復計劃、協議分析、正式安全培訓指導和社會工程學。他已成功完成200多個PCI DSS評估和數十個PA-DSS評估。

Ben Rothke是Tapad的紐約市高級信息安全經理，擁有超過20年的信息系統安全和隱私領域的行業經驗。他的專業領域包括風險管理和緩解、安全和隱私法規問題、系統安全設計和實施、加密、密碼學和安全政策制定。Ben是書籍《Computer Security - 20 Things Every Employee Should Know》的作者，並為RSA Conference博客和Security Management寫安全和隱私書評。他經常在行業會議上發表演講，如RSA和MISTI，是ASIS和InfraGard的成員，並擁有許多安全認證，此外還是ISO 27001主審核員。