Bear with me as I tell you a short story.
“A long time ago, in a galaxy far, far away,” (thank you George Lucas) I worked with a very seasoned IBM systems programmer. He had the acronym ’R T F M’ neatly framed hanging behind his desk. I quickly found out what it meant the first time I had a problem with the mainframe that I could not solve. As I walked into his office carrying the huge case of paper that was my program dump, he pointed to the picture behind his desk.
“Yeah, so what?” I replied rather indignantly.
He said, “R T F M!”
“Yeah. And what the [expletive] is R T F M?” I replied a bit confused and frustrated.
He snapped back, “Did you Read The [Expletive] Manuals?”
RTFM was one of his few pet peeves. If you had read the manuals, he would help you as long as it took to solve your issue. If you had not read the manuals, you were quickly guided back out of his office and not so politely told to read the [expletive] manuals. If you then went and read the manuals and still had problems, then you could come back and ask for his help. Heaven help you if you still did not read the manuals and came back. I only saw it happen once and it was not pretty.
What brought this memory back recently is that I am getting tired of people reading only the PCI DSS. It is painfully obvious from their questions that this is all they have read. The PCI SSC’s Web site contains all of the documentation you need to interpret the PCI standards, yet the only document people seem to download and read is the PCI DSS. All the rest of the documentation just gets ignored. If people would read the rest of the documentation that is available, we would all be better off.
As a result, I thought I would take some time to walk people through the documentation that exists outside of the PCI DSS and explain why they should read it. In my opinion, the following documents are mandatory reading for anyone involved in PCI compliance efforts.
- PCI DSS Quick Reference Guide – At 30+ pages long, it is not as “quick” as one might like, but it is probably the best primer you can get. If you are new to credit card processing, new to the PCI standards or an executive just trying to figure this PCI thing out, this will get you up to speed in a hurry. This is the piece you put in your executives’ and Board of Directors’ hands to get them up to speed, and it should be mandatory reading before discussing PCI compliance.
- Glossary – This document should have been titled “READ ME FIRST” instead of the Glossary, as it is more than just a traditional glossary of terms. The Glossary explains key industry concepts as well as the terminology. In some cases, the Glossary explains key security concepts that are referenced in the PCI DSS. The bottom line is that this document should be read before reading the PCI DSS and then used as a key reference as you read the PCI DSS. Even those of us who are “veterans” of the banking and technology worlds need to read this document, if only as a refresher. I would guess 45% of questions regarding the PCI DSS are answered just by the Glossary.
- Navigating the PCI DSS – This document explains the other 45% of the questions regarding the PCI DSS (I know, that only adds to 90%. The other 10% are valid questions). The key thing you will get out of this document is the intent of each of the requirements and some of the tests. This document should be read in conjunction with the PCI DSS as it will answer most of those, “Why in the world would I want to do that?” and “What were they thinking?” sorts of questions.
- Information Supplements – These are white papers published by the PCI SSC that explain technologies or concepts that can enhance PCI compliance and/or improve your security. As of January 2011 there have been seven of these published on topics such as wireless, penetration testing, code reviews and other key topics. This is where you can get all of that detailed PCI compliance guidance that QSAs have running around in their heads. The PCI SSC promises us even more of these in the coming years, so you need to check this section of the Documents Library regularly to make sure you have them all.
The following documents are optional reading for anyone involved in PCI compliance efforts. However, the Prioritized Approach is a great tool to get you quickly moving on PCI compliance.
- Prioritized Approach for PCI DSS v1.2 – Okay, this is out of date and I am sure a new one will be produced. However, for those of you who want to focus on getting PCI compliant, this is for you. It walks you through the PCI DSS requirements in order from most important to least important, grouped into six milestones (Milestone 1, for example, is removing sensitive authentication data and limiting data retention), so that you focus on the big-ticket, big-bang requirements first and then work your way through the rest of the PCI DSS. For the most part, it still works with v2.0.
- PCI DSS Summary of Changes Version 1.2.1 to 2.0 – For those of you familiar with the PCI DSS who want to know where the changes are between v1.2.1 and v2.0, this is the document for you.
The PCI SSC’s Web site has a wealth of information on its Documents Library page. Not only is the PCI DSS covered, but they also have all of the Self-Assessment Questionnaires and related documents, the Payment Application Data Security Standard (PA-DSS), PCI PIN Transaction Security (PTS), as well as information on the Approved Scanning Vendor (ASV) program and other resources.
In addition to the Documents Library, there is also the ‘FAQs’ system. This is an interactive system that allows you to research questions that have been posed to the PCI SSC. So, before you ask your QSA that question, go to the ‘FAQs’ and look for it there. I would have posted a link, but it is a dynamic Web page and you must go to the page by clicking on the word ‘FAQs’ at the top of the Web page.
RTFM people! And for those of you that are curious; yes, I had read all of the relevant manuals.