If you caught me this year at the PCI Community Meeting you may have noticed something strange attached to my badge—a green “Press” ribbon. While it was strange to wear it and I don’t consider myself a member of the press, I’m thankful for what it ended up getting me. I had some great 1:1, on the record discussions with key stakeholders which I plan on bringing to you here in the blogorino.

Speed Graphic Press Camera, by Glen Edelson

The first one I want to review is a conversation I had with the public leaders of the PCI SSC, Bob Russo (GM), Troy Leach (CTO), and Jeremy King (EU GM). The first thing I asked about was the new Special Interest Group (SIG) process that Jeremy unveiled on Tuesday.

If you have ever participated in a SIG, you probably remember a sense of disorganization, a vendor land-grab, and lots of conversations that really didn’t seem to go anywhere. In the old days, SIGs were chaired by a Board of Advisor member. Unfortunately, we all have day jobs, and the workload associated with chairing a SIG loaded with volunteer resources is significant.

According to Russo, there were lots of disparate people on SIG calls, and everyone had an agenda. The largely unproductive nature of many of these calls frustrated and discouraged participants. The Council realized the process wasn’t working and made changes. “There will be a defined charter for each [SIG] so we will know before we start what will be produced at the end,” said Russo.

In the past, the SIG selection criteria were largely closed, which alienated large sections of the Participating Organizations as they didn’t feel like they had a voice in choosing a SIG relevant to them. But now, the SIGs are much more open. “All the participating organizations will have an ability to vote on [SIGs] that are most important to them,” said King. Of the initial thirty-one SIG proposals[1], the Technical Working Group (TWG) narrowed those to thirteen, and then ultimately selected seven for a vote.

Each SIG is given a period of a year (for the most part), and each will be chaired by a PCI SSC staffer. “If they don’t take a year, that opens the possibility to spin up another SIG ahead of schedule,” said Russo.

I understand that the SIG presentations were taped and should be available online prior to voting.

One SIG from last year that seems to have disappeared into the ether is the Scoping SIG, chaired by Paypal. Ironically, that SIG may have been the most influential over the last twelve months without producing a final, over-arching document detailing their results. According to Leach, the EMV, Tokenization, Roadmap for Encryption, and Point to Point Encryption documents released by the Council all contain content produced by the Scoping SIG.

According to Russo, the amount of documentation created by the Council and its sub-groups should not be insurmountable to know and understand for your specific piece of the puzzle. When you look at the library of supplemental documentation produced by the SIGs or the TWG, some documents are tied directly to a specific requirement while others apply more generally across the DSS. Some do both, like the Virtualization SIG’s final paper, which includes general comments plus an appendix that reviews controls requirement by requirement. The volume of available documentation is daunting, and there isn’t an easily navigable “Wiki-style” version of the standard that incorporates all the relevant documentation.

Keep in mind, the DSS is the baseline from which everything flows, so anyone with questions about requirements or controls should start with the DSS and then venture out into the supporting documentation as needed.

Pizza Making, by Jeff Kubina

Next I asked the three what they saw on the horizon for the Council and the standard over the next year or two, the general “What keeps you up at night?” question that is ever so popular among security practitioners.

According to Russo, it’s time that the focus shifts to small business. “We’ve done a good job with the Level 1 and 2 merchants, the next logical area is the Level 3 and 4 merchants,” said Russo. He says his ultimate goal would be to answer the “Is there some place I can just go buy something and make this go away?” question for small businesses globally. “Ultimately we are trying to get to a place where we can list a device that will take away the majority of the burden for PCI DSS,” said Russo.

King focused more on the eCommerce element of small business. “E-commerce is a bigger issue for fraud in Europe,” said King. EMV deployments have sent Card Present fraud trends “through the floor.”

“When you look at the history of PCI DSS, it originated in the US. It was perceived in Europe as an American standard designed to protect the magnetic stripe,” said King. EMV, also commonly known as Chip and PIN, is much more prevalent in Europe than it is here in the US, thus PCI DSS sent waves of confusion toward European merchants.

“The introduction of EMV into Europe was a way of authenticating the card and the user at the point of interaction. The PAN, the expiry date, the cardholder name, are all ‘routing information’ according to EMV, so [terminals] sent it in the clear,” said King. While most merchants in the US protect themselves by asking for CVV2/CVC2 type information on Card Not Present transactions, all you need to technically process a card is a card number, cardholder name, and expiration date. Thus, EMV effectively shifted fraud from the EU to other areas of the world.

King emphasized the enthusiasm about the Point to Point Encryption document from European merchants. “EU Merchants are keen about hearing about Point to Point Encryption,” said King. He believes this will further reduce their PCI burden to the Point of Interaction and potentially remove large portions of systems and networks out of scope, post-EMV deployment.

King also cautioned European merchants on a trend he is seeing today—something we dealt with a few years ago in the US. King has uttered the phrase “It’s not a one-off, it’s a continuous process” multiple times to multiple merchants over the last few months.

Chip, by Declan Jewell

Finally, we briefly explored some of the emerging payment technologies that are coming to market today, almost at odds with the standards. Payment technology is evolving at a rapid pace, yet the Standards are now updated every three years instead of every two.

With emerging technology, we may see new requirements made public through the errata process, which would then most likely be incorporated into the next revision of the standard. “The standard is fairly mature, and every time we see a breach, it’s somehow or another always covered by the standard,” said Russo, echoing comments we have heard from payment brands and forensic examiners many times.

Mobile technology is on everyone’s mind, but its impact is largely not understood with respect to the threat landscape. It’s not like Brick and Mortar technology that can be powered off at the end of the day. “We keep our phones on all the time, therefore there is a potential to access data at all times,” said Leach.

The Council also struggles with releasing guidance before markets have matured to a point where they are viable. Releasing standards on many of these emerging technologies would be irresponsible given the rate of change we see. “We don’t want standards to become an inhibitor to innovation,” said Leach.

According to Leach, we should expect an upcoming document to be released soon on mobile technologies.

And then, my time was up. Bob’s parting words were an obvious end result, but I think we all struggle with the means to get to that end on a daily basis.

“At a bare minimum, you need to be compliant with the standard,” said Russo.

This post originally appeared on BrandenWilliams.com.

  1. I only voted 10 through my initial cut.