No snarky comments here ((Although, those were some fun times, use the search feature to learn more…)), and it’s time for the first of three community meetings starting tomorrow. These meetings have been going on every year since 2007 in Toronto, one year after the Council was formally announced. Even though my career has moved away from the life of a QSA, I have made every one here in the US, and several in Europe, some times as a QSA/ASV, other times as a Board of Advisor member, and finally as a sponsor.

avoiding eye contact, by Foxtongue

avoiding eye contact, by Foxtongue

Last year, I wrote that 2013 was a pivotal year for PCI DSS. We got a new version of PCI DSS that has been controversial at best. It was an opportunity to fix a number of issues in the ecosystem, and we still really have another six to twelve months before those are fully rolled out (where people will assess against PCI DSS 3.0). While 2013 may have been a pivotal year for PCI DSS, the remainder of 2014 and all of 2015 are critical years that will most likely determine its longevity.

We’ve had some fun exploring some of the challenges with this complex ecosystem over the last week. The standard and its ecosystem are under scrutiny thanks to the significant breaches we’ve seen. I’m reminded of a talk that I saw Art Coviello of RSA give a number of years ago where he diagrammed what networks looked like in 2001, 2006, and 2011. All increasingly complex, wide, and with multiple entry and exit points. The complexity of networks multiplied by the complexity of PCI DSS yields something unruly. Unsolvable, perhaps.

As we converge today in Orlando, I’d personally love to foster discussions around the future of PCI DSS. If we take the economics into consideration, how can we balance the number of players with the risks inherent in payment data? I will be at both networking events as well as the Tenable event on Wednesday. Let’s have a chat!

This post originally appeared on

Possibly Related Posts: