Visa Europe revealed important stats about the usage of contactless cards. Poland, Spain and the UK use this payment method the most, with UK usage growing by 300% year over year.
We're back from Berlin after a great event. Most of the attendees were experts from security companies and, while most of the topics covered on day 1 are well known to these people, they were nevertheless very useful and important. Participating organisations (merchants, service providers and financial institutions) will benefit greatly from this event.
The concepts of PCI compliance and security in the payment card industry are often used interchangeably; however, there is much more to it than that. Being compliant at one point in time does not mean being secure every day. PCI compliance can be achieved today, but security is about keeping up with the processes after the compliance audit is passed. How many organisations are able to do that? How many struggle?
The first speech was about the importance of maintaining PCI compliance. The opening question was: how many of you were already compliant on day 2 of the audit, without having to fix anything? Just a few hands were raised in a busy hall. We know the biggest challenge is not achieving compliance but maintaining it.
Mistakes like relying on the annual assessment are common due to many factors: the pressure to meet customer demands, and failure to adapt to changes (organisational or operational). We all know that merger and acquisition activity or the launch of a new product can take a lot of energy and usually has a higher priority than the security checks.
The new version 3 standards include recommendations about implementing PCI DSS into business-as-usual (BAU) processes. Who knows, maybe these best practices might become requirements in future versions!
Maintaining PCI DSS compliance revolves around a few main points:
A very interesting quote came from Jake Marcinko:
"All systems must be checked periodically, do not use sampling for your interim checks"
Next on stage was Lauren Holloway, who spoke about scoping and the importance of doing it properly, a topic that we have already covered in a blog post in the past.
Then it was the turn of Elizabeth Terry, who spoke about service providers and how version 3.0 will impact them. We will soon have a new blog post going into more detail on this topic, but the main points of her presentation were:
After that, Lauren was back on stage to explain what's new in the PCI DSS 3.0 SAQs, a topic we have already discussed extensively on this blog. The most time-consuming item was explaining SAQ A-EP vs SAQ A.
Brandy Cumberland and Emma Cutcliffe then reminded the audience of the correct use of compensating controls. Finally, they left us with a short but very amusing and interesting presentation about the 10 Myths of PCI DSS. Here they are:
Stay tuned on Twitter and follow the PCI Community Meeting event!
I am the Founder of Advantio.
Technology has been my passion since I was a kid; when I first heard the handshake of an old 300 bps modem I realised security would be key in an interconnected world. Since then it has become my passion and primary focus.
The reason I started my own business is to make IT security simple.
Certifications: CISSP / CCSA (Checkpoint) / ITIL Foundations / ACSA (ArcSight) / Linux+ / PCI-QSA / PA-QSA