Book Reviews: Information Security Books and Product Reviews – PCI DSS

Book Title:  PCI DSS – A Practical Guide to Implementing and Maintaining Compliance

Author: Steve Wright

Publisher: IT Governance Publishing

Date of Publishing: 2011

ISBN(13): 9781849281867

Price (UK & US price – full price, not discounted price): £39.95, $69.95

URL of Publisher Site: IT Governance

URL of Amazon UK web page: PCI DSS: A Practical Guide to Implementing and Maintaining Compliance 3rd Edition

URL of Amazon US web page: PCI DSS A practical guide to implementing and maintaining compliance

The book is clearly aimed at the organizations that need to implement PCI. It’s not aimed at QSAs or at someone who already knows PCI, and it wouldn’t work for the techy or consultant. This is the book for the not-so-technical person who has been told to sort out PCI compliance. The book certainly explains PCI in some detail: the objectives of PCI, common myths, why it’s actually a good thing, and what all the terms mean. However, the bulk of the content is about how to actually “do” PCI, so it’s all about the PCI project (it includes basic project management steps). The author takes a sensible approach: rather than giving vague “it depends what you do” answers, he starts each section with “To meet this requirement you need to do X.” In some cases it’s just a reiteration of the standard, but for the more complex issues he breaks them into smaller targets that are explained in plain and simple English. Interestingly, it assigns responsibilities within the project management plan. Whilst this is a useful starting point, many companies simply will not have people to put in these predefined roles.

The use of tables in the book is very simple but excellent; it makes it possible to get a simple answer without having to read everything. It’s something that all technical books should do but often fail to deliver upon. At the back of the book is a brilliant table: a map of PCI to ISO 27001. This is an incredibly useful artifact showing that, contrary to popular belief, there is a crossover and it’s worth thinking about implementing both standards at the same time. There is also a very interesting diagram that shows PCI and 27001 as part of the ISMS Plan-Do-Check-Act cycle. This helps to make clear the continual requirement for compliance and that it’s not just a once-a-year task.

There is no getting away from the fact that this is an expensive book when you consider it’s pocket sized, and most of the information is available in the standard, which can be downloaded for free. Having said that, it’s substantially cheaper than a QSA, and if you need a QSA this will help you understand what they are talking about.

Overall, this is a useful book, albeit very expensive, and all of the information is available elsewhere for free. It doesn’t really add anything new; it just presents PCI in a very accessible way. I wouldn’t use this book myself, but I would recommend it for non-technical clients as a guide to help them understand PCI.


Marks: 5 out of 5
*****