Tag Archives: PCI community meeting

Why I am Skipping the PCI Community Meeting

I know, you guys have given me crap for so long. “Suuuure you are going to skip this year. Whatever, Brando, see you in X city at happy hour.” This has been the discussion over the last few years, and every year I have made my way to the city in question going back to the initial meeting in Toronto, 2007. This will be the first year I will miss. For me, it comes down to two things: content and how the hard questions go unanswered. Content: I looked at the agenda this year. For new people to PCI DSS, there are quite a few great sessions to attend. If you have more than one year experience and perhaps have ...


PCI DSS Feedback 2012

The PCI Security Standards Council released a statement this morning outlining some of the highlights from the feedback period we just finished this year as part of the PCI DSS lifecycle. If you are going to be at the community meeting next week (or later in October for EU), I strongly suggest you attend the session on the feedback and potential proposed changes to the standard (if they have the ability to turn that around this quickly). Here are a couple of notes from my analysis (note some of the wording is similar to the press release, go read it): Scoping is still an issue. I think we all agree that at some point the framers of PCI DSS will ...


Top 3-5 Things to Remove from PCI DSS

PCI DSS 2.0 has been out for over a year now, and the feedback period is almost closed (ends April 15). If you have not submitted feedback yet, do so! But here’s an interesting challenge I would suggest. If you could pick three to five requirements to REMOVE from PCI DSS, what would they be, and why? I’m looking for options to simplify the standard without compromising its goal as it stands today. I’m looking to make this a serious exercise in improvement that we can submit as part of the feedback period. Comments below are open! Debate below and I’ll forward this entire thread over to the Council for review.


A Conversation with MasterCard

And finally, my conversation with John Verdeschi, Senior Business Leader, Payment Systems Integrity will wrap up my interviews and posts from the PCI Community Meeting that happened two weeks ago in Scottsdale, AZ. MasterCard is widely known as a major influence in the payment industry and is the number two player in the market behind Visa. If you have ever had to hire an Approved Scan Vendor (ASV) or filled out a Self-Assessment Questionnaire (SAQ), you can thank MasterCard as both of those items are largely distilled from their Site Data Protection (SDP) program. One of the first things that I had to ask about was how MasterCard’s new PCI DSS Risk-Based Approach framework compared to Visa’s Technology Innovation Program ...


A Conversation with Visa

Wednesday was a busy day for me at the Community meeting. In between sessions, I spent thirty minutes with Eduardo Perez, head of global payment system security, Tia Ilori, business leader, U.S. payment system risk, and Ingrid Beierly, business leader, fraud control & investigations from Visa. Visa is the largest payment brand and creator of the Cardholder Information Security Program whose content drove the majority of what we see in the PCI DSS today. We started by discussing the fraud rates and how PCI DSS is helping to keep fraud under control. According to Perez, fraud rates are very low and fairly stable—around 5%. So PCI has to be doing SOME good if fraud rates are not spiraling out of ...


A Conversation with Bob, Troy, and Jeremy

If you caught me this year at the PCI Community Meeting you may have noticed something strange attached to my badge—a green “Press” ribbon. While it was strange to wear it and I don’t consider myself a member of the press, I’m thankful for what it ended up getting me. I had some great 1:1, on the record discussions with key stakeholders which I plan on bringing to you here in the blogorino. The first one I want to review is a conversation I had with the public leaders of the PCI SSC, Bob Russo (GM), Troy Leach (CTO), and Jeremy King (EU GM). The first thing I asked about was the new Special Interest Group (SIG) process that Jeremy ...


PCI Community Meeting Reviews from the Field

While I was at the community meeting, I chatted with several individuals that had feedback on the conference, and here are a few nuggets distilled from over an hour of audio recordings: Council is getting better at understanding how reports are generated, but there still seems to be an inability to tie any given report back to the environment assessed. For example, was it scoped correctly? Were the controls assessed per the intent of the standard? Was the appropriate risk-based approach taken? CBT Requalification is convenient, but lacks the flowing Q/A that you might see in an interactive training course. May consider trading an in-person training (or interactive training) every so often as opposed to all CBT. Large variance among ...


PCI Community Meeting 2011, That’s a Wrap

What was day 2 like at the community meeting? Lots more tweeting, lots more networking, and lots more info! First off, HUGE thanks to Gene Kim for being the most prolific twit, by far. Those present and not, thank you! We started with the Verizon Data Breach Investigation Report review from Chris Novak. While the report is not new, Chris’s anecdotes that went along with the report solidified key findings for the group. Next the conference offered options. I opted for the PCI in Practice track with fellow board members Peter Cooper, Philip Morton, and Patrick Phalen. Each presented stories and strategies they used to bring their global organizations into compliance with PCI DSS. I enjoyed the session, and I ...


PCI Community Meeting, Day 1 Observations

The first day of the event has been packed full of activities! First off, it’s been great to see everyone. Say what you want, but there are some very smart people in this industry and I really enjoy the conversation (even if it is over one of those silly Compliance on the ROC drinks). We opened the session with Bob doing that thing that he does, including a heartfelt thanks for the outpouring of support he had after missing the meeting last year. Then we saw Eduardo Perez jump up and do a quick update. My favorite quote from him is “Security has to evolve as new technologies emerge.” New technologies change the attack surface, and it seems like most ...


Full Review of the 2010 PCI Community Meeting

Note: After my last post, I received a phone call giving me permission to fill in the blanks. So here’s what I really wanted to say! It’s almost like a madlib. In fact, you should try that with the last post, I bet it would be fun! PCI 2.0 is just around the corner, and what better way to discuss it than by reviewing the PCI Community Meeting that just wrapped in Orlando! Much of the information we received was classified as confidential or embargoed, so unless you are a stakeholder (like a Participating Organization, QSA, ASV, or described by any other of the acronyms we have come to love) you are missing out. Of course, the first thing we ...
