Book Recommendations on PCI DSS Compliance


Posted on by Ben Rothke

Rather than focusing on a single book this month, I’d like to highlight a topic: Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is an information security standard from the Payment Card Industry Security Standards Council, whose use is mandated by the major credit card brands. 

 

As an aside, PCI is not, as commonly described, a law or regulation. It is simply a contractual requirement between a merchant or service provider, and their acquiring bank. Unlike Federal regulations, prison time is not a fear factor with PCI. 

 

PCI version 1.0 was introduced in 2004, and its most recent and significant iteration, version 4.0, was published in March 2022. Version 4 contains significant changes and will require considerable work for those tasked with PCI compliance.  

 

Migrating from version 3.2.1 to 4.0 is far from a trivial endeavor. While full compliance with version 4 is not mandated until 2025, that is not much time when it comes to complex payment systems.  

 

While PCI has been around for close to 20 years, for many organizations, PCI compliance is still a struggle. Due to the various complexities, limited budgets, and staff, these organizations need resources to help them achieve the holy grail of PCI compliance. 

 

If you buy only one book to assist in your PCI journey, make that PCI Compliance: Understand and Implement Effective PCI Compliance (CRC Press) by Dr. Branden Williams and James Adamson.

 

The authors have written a reference that is of value to those just starting their journey toward PCI and those that need to get a handle on the many new requirements in version 4. 

 

Now in its 5th edition, Williams and Adamson provide the reader with a thorough and comprehensive overview of everything you need to know about PCI and how to achieve compliance. Updated for PCI DSS version 4, the authors include countless tips and advice to guide the reader toward compliance. 

 

Williams and Adamson make an important point: If you think PCI is too onerous, stop and consider if things like seat belts and brushing your teeth are too cumbersome. New tasks often seem like they are arduous; by understanding their needs, one will find that is not the case. 

 

And while the nearly 400 requirements in PCI are certainly no walk in the park, the consequences of non-compliance can be devastating for firms that require credit card transactions. PCI compliance, in the end, doesn’t cost; it pays. 

 

Another helpful PCI reference is Payment Card Industry Data Security Standard (PCI DSS) v4.0: Helping You to Navigate a Safe Passage Through the Maze of Payment Card Data Security Controls (self-published) by Jim Seaman. I reviewed Seaman’s previous book PCI DSS: An Integrated Data Security Standard Guide, here

 

For those more visually oriented, Seaman’s book has many graphs and charts to assist the reader. He also provides a lot of implementation advice on how to deal with the many PCI requirements. 

 

When it comes to actually using card payments, there are not a lot of good technical guides. Often developers only have the product documentation. But that is only for a single product, not a guide to developing or integrating payment systems. 

 

In Acquiring Card Payments (CRC Press), Ilya Dubinsky, CTO at Finaro, an online merchant acquiring bank and payment service provider, has written a highly technical guide that details what actually occurs during an online credit card transaction.

 

Dubinsky gives the readers deep technical insight into how payment card processing actually works. While there are plenty of off-the-shelf solutions, developers still need to do a significant amount when designing systems expected to be PCI compliant. 

 

This is an excellent guide for anyone who wants to know how a credit card payment works. It should also be on the reading list for software developers tasked with designing and managing payment systems. The devil is in the details, and PCI DSS is all details. 

 

Finally, just-released, The Definitive Guide to PCI DSS Version 4: Documentation, Compliance, and Management (APress) won’t be reviewed here. The reason is that along with Art Cooper, Jeff Hall (AKA The PCI Guru), and David Mundhenk, I am one of the co-authors. So consider this just a book announcement. 

 

PCI DSS compliance is a monster of a task. There are plenty of reasons why firms may offer why they can’t achieve it. But the lack of books on the topic to assist them is certainly not one of them. 


Contributors
Ben Rothke

Senior Information Security Manager, Tapad

Professional Development & Personnel Management

compliance management governance risk & compliance secure payments & cryptocurrencies

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.


Share With Your Community

Related Blogs