Note: After my last post, I received a phone call giving me permission to fill in the blanks. So here’s what I really wanted to say! It’s almost like a Mad Lib. In fact, you should try that with the last post; I bet it would be fun!

PCI 2.0 is just around the corner, and what better way to discuss it than by reviewing the PCI Community Meeting that just wrapped in Orlando! Much of the information we received was classified as confidential or embargoed, so unless you are a stakeholder (like a Participating Organization, QSA, ASV, or described by any other of the acronyms we have come to love) you are missing out.


Of course, the first thing we all heard was the ban on social media (Note: the terms we all agreed to when we registered basically followed the guidelines I put out in the preceding link). Ironically, there was a press table in the back, so I’m not sure what those guys are going to be able to do with the info if they cannot write about it. Anyway, here’s my take:

Wednesday’s session kicked off with the PCI Rock video from Bob Russo and the Lovely Ladies. Kind of tired of that thing, but some enjoyed it. We saw a video message from Bob Russo who couldn’t make it (my thoughts are with your family), who moseyed off into the sunset, and then Jeremy King (PCI EU Director) came up to kick things off. Unfortunately, we didn’t see an appearance from Elvis Russo like last year (sincerely bummed).

Next, we got to hear the State of the Union, which had some pretty interesting stats in it!  For example, this year has seen 600 new QSAs, 250 new PA-QSAs, 59 new firms, and 830 requalifications. I have some renewed concerns on quality based on this information, though I know that quality concerns overall are not uniformly shared by insiders. The QA team has grown to 5, and 180 ISAs have been trained thus far (thanks to _____ from _____ for making the presentation to the ____ board that ultimately got us to where we are! [Note: these blanks still need to be here to follow the guidelines I laid out.]). We learned about all the cool things that the Council is doing, and new features to the website that are coming in the coming months.

By far, the most interesting session for me was the keynote by Howard Cox. Howard did a complete analysis of the Albert Gonzales case, and illustrated how we catch the bad guys by ____ them into _____ (I want to keep this redacted). The main conflict I perceived in this discussion was the statement that the standards must remain dynamic. In light of the new three-year life cycle, it appears that this is where law enforcement and the Council will be at odds. While law enforcement is pushing for the standards to keep up with the bad guys, the community is resisting that level of change.

Companies that handle this type of sensitive data will see the most benefit from removing their risk by reducing or eliminating their in-house use of PAN data.

Up next, my favorite session—Q/A. It’s a great session to hear how the community is dealing with PCI DSS. Unfortunately for the veterans, this fourth iteration of the session (sixth for those of us who hit Europe) is getting a little old. The questions fall into four categories.

  1. People new to PCI DSS who ask relatively basic questions that absolutely must be addressed by the folks on stage. It takes testicular fortitude to stand up in front of 1000+ people and ask a question, so props to those of you who did. At a minimum, it’s interesting enough for the vets to see if the Council’s response changes.
  2. Vendors asking loaded questions to try and get the Council to endorse their product (you know who you are, _____ [Not going to fill in this one either.]).
  3. Jaded individuals who point out flaws in PCI DSS and discuss its information security failings.
  4. People struggling with their own implementations who try to push responsibility onto other parties.

How many times does the group up there need to say “it depends,” or that it is up to your QSA, before the folks in the last three groups learn how to handle the Q/A session?

The last session of the day was the Emerging Technologies session that many of us want to see more of from the Council for planning purposes.

Thursday kicked things off with an update from the SIGs, which seemed a bit light. More details on what we do, how we do it, how we can help, and the progress made would have been fantastic. Then came the forensic presentation from Verizon Business, which was similar to the one given at Black Hat.

For those staying for the afternoon, you got to hear more about PA-DSS and PTS, and then final closing remarks before dismissal.

It was good to see everyone this year! I think 2011-2013 will be very interesting years in the PCI life cycle!

Final note: the PCI SSC has a FANTASTIC group of folks running PR for them now. These guys are truly top notch!
