By Joel Weise on Nov 12, 2012
I am always looking for good books on security, compliance and of course, PCI. Here is one I think you will find very useful. "PCI Compliance, Third Edition: Understand and Implement Effective PCI Data Security Standard Compliance" by Branden Williams and Anton Chuvakin. [Fair disclosure - Branden and I work together on the Information Systems Security Association Journal's editorial board.]
The primary reason I like this book is that the authors take a holistic architectural approach to PCI compliance, and to me that is the safest and sanest way to approach PCI. Using such an architectural approach to PCI is, in my humble opinion, the underlying intent of PCI. Don't create a checklist of the PCI DSS requirements and then map a separate solution to each one. That is a recipe for disaster. Instead, look at how the different components and their configurations work together in a synergistic fashion. In short, create a security architecture and governance framework (the ISO 27000 series is a good place to start) that begins with an evaluation of the requirements laid down in the PCI DSS, as well as your other applicable compliance, business and technical requirements. By developing an integrated security architecture you should be able not only to address current requirements, but also to be in a position to address future ones quickly.