We're back from Berlin after a great event. The greatest part of the attendants were experts from security companies and, while most of the topics heard day 1 are well known to these people, nevertheless they were very useful and important. Participating Organisations (Merchants, Service Providers and Financial Institutions) will highly benefit from this event.

2014 PCI Community Meeting in Berlin

The concepts of PCI Compliance and Security in the payment card industry are often used interchangeably, however there's much more than that. Being Compliant at one point in time does not mean being secure every day. PCI Compliance can be achieved today, but security is about keeping up with the processes after compliance audit is passed. How many organisations are able to do that? How many struggle?

So here is a recap of what is worth taking home from day one.

The first speech was about the importance of maintaining PCI Compliance. The opening question was: how many of you were already compliant on day 2 of the audit, without having to fix anything? Just a few hands raised in a busy hall. We know the biggest challenge is not achieving but maintaining compliance.

Mistakes like the reliance on annual assessment are common due to many factors: the pressure to meet customer demands, failure in adapting to changes (organisational or operational). We all know that merger and acquisition operations or the launch of a new product can take a lot of energy and have usually higher priorities than the security checks.

How to address this? How to maintain PCI DSS Compliance and continuous security?

The new version 3 standards include recommendations about implementing PCI DSS into BAU Processes. Who knows, maybe these best practices might become requirements in future versions!

Maintaining PCI DSS Compliance goes around few main points:

  • Monitor Security Control Operation - can be automated so people tend to ignore them for a long period of time
  • Detect and respond to Security Control Failures
  • Understand how changes in organisation affect security controls - loss of key personnel, absent or weak backup plan
  • Conducting periodic security controls assessments on literally any system in scope - before the QSA does it with sampling

A very interesting quote came from Jake Marcinko:

"All systems must be checked periodically, do not use sampling for your interim checks"

Next on stage was Lauren Holloway and she spoke about Scoping and the importance of doing it properly, a topic that we have already covered on this blog post in the past.

Then it was the turn of Elizabeth Terry who spoke about Service providers and how the version 3.0 will impact them. We will soon have a new Blog post to go into more details on this topic but the main points of her presentation were:

  • There is a new requirement to consider: 8.5.1
  • New clarifications contained in requirement 12.8
  • New clarification in 12.8.2
  • New requirements in 12.8.5
  • New requirements in 12.9, effective from June 30 2015

After that we had again on the stage Lauren who explained what's new in the PCI DSS 3.0 SAQs, a topic we already discussed extensively on this Blog. The larger time consuming item was explaining SAQ A-EP vs SAQ A.

Brandy Cumberland and Emma Cutcliffe have then remembered the audience what is the correct use of compensating controls. At last they left us with a short but very amusing and interesting presentation about the 10 Myths of PCI DSS. Here they are:

  • Myth 1: PAN must be encrypted in transmission even over a VPN.
  • Myth 2: Payment Devices (e.g. PEDs) must be bolted down.
  • Myth 3: PCI Requirement 10.6.2 (Logging)  applies to out-of-scope systems.
  • Myth 4: Merchants must meet Requirement 12.9.
  • Myth 5: PCI DSS prohibits remote access to a CDE.
  • Myth 6: I am compliant because I use a PCI compliant system.
  • Myth 7: I'm compliant because I've paid my compliance fee for this year.
  • Myth 8: PCI DSS applies to zip-zap machines.
  • Myth 9: I'm a small merchant so PCI doesn't apply to me.
  • Myth 10: PCI DSS does not apply to mobile phones/tablets.

 

Stay tuned on Twitter and follow the PCI Community Meeting event! 

Marco Borza

Written by Marco Borza

I am the Founder of Advantio.
Technology has been my passion since I was a kid; when I first heard the handshake of an old 300bps modem I realised security would be key in an interconnected world. Since then it has become my passion and primary focus.
The reason why I've started my own business is to make IT Security simple.

Certifications: CISSP / CCSA (Checkpoint) / ITIL Foundations / ACSA (ArcSight)/ Linux+/ PCI-QSA / PA-QSA