Firstly, the PCI SSC and PCI DSS have been around for many years now; I was at the inaugural SSC community meeting in Toronto in 2007. Since then the PCI standard has undergone only a few fairly minor changes, so don't be fooled by the PCI SSC's version control process, i.e. PCI DSS V1.2.1 to V2.0. We can certainly expect PCI DSS V3.0 next year. The actual changes since the original release of PCI DSS are minor, so in essence we have a mature and highly static data security best practice standard.
Secondly, over the last 6 years the PCI SSC has provided reams of guidance and FAQs, and has improved how it communicates with those within the payment card industry who are trying to comply. Again this has matured: there just aren't any new questions anyone is posing which haven't already been answered in the PCI SSC's online library of information.
What to expect with PCI DSS V3.0
Well, we will have to wait until the North American Community Meeting in Las Vegas in September 2013. I tried my best to find out what changes the PCI SSC has in store from various PCI SSC board members I know, as I believe the SSC board does have an idea of what will be changed within PCI DSS, even though the standard's process is still in a "feedback stage". But it was like getting blood from a stone; even after several pints of the Irish black stuff they all remained tight-lipped. Personally, I think we'll see very few changes with PCI DSS V3.0. Sure, some security vendors would like to see new requirements to help them sell solutions such as cardholder data discovery (card data searching), but that isn't going to happen in my opinion. I do expect some changes with the PCI DSS Self-Assessment Questionnaire (SAQ). I think the SAQs should be "rebooted", made more small merchant (retailer) friendly and clearer, especially as most of the card fraud at the moment is occurring with level 4 (small) merchants. In these breach instances merchants have been found not to be complying correctly with PCI DSS, or not even attempting to comply. We'll have to wait until Q3 2013 when PCI DSS V3.0 is released.
Key moments from the Community
So nothing much is happening with PCI DSS, PA-DSS or PCI PTS, but there were some excellent presentations at the community meeting. These are my main highlights.
Mark Gallagher, the former Head of Cosworth's Formula 1 Business Unit, Head of Commercial Affairs at Jaguar / Red Bull Racing and Marketing Director at Jordan Grand Prix, was the keynote speaker at the event. His F1 risk management focused talk was superb, especially if you were a petrol head or F1 fan.
Mark had some great stories about Lewis Hamilton's rise from a 10-year-old boy to F1 World Champion, lessons learned from Ayrton Senna's fatal crash, and a highly insightful, yet somewhat familiar to the information security industry, F1 approach to risk management: not just with the cars but with the processes, and the people maintaining and driving the cars. Technology, processes and people; now where have we heard that before?
Nicholas Percoco, Senior Vice President and founder of Trustwave SpiderLabs, talked about the mobile threat to cardholder data and showed several examples of mobile device hacks. Scary demonstrations indeed, so it is no wonder the PCI DSS states that no mobile device can be considered a secure platform for payments unless it is using a PTS-approved card reader.
Andy Bontoft, Foregenix co-founder and lead forensic investigator, gave an excellent and gripping presentation about what he had seen in the course of investigating numerous card data breaches around the world. I always say the most difficult challenge facing card data hackers is not getting into the systems, but getting the cardholder data out.
So when Andy described how he spotted the use of a small website image file to extract cardholder data, I was really intrigued. The hacker used a small graphic file on the website, appended cardholder data to the image file's parameters, and then automated the periodic collection of the cardholder data and clean-up of the file.
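As an added example, not from the original post or from Foregenix, here is the kind of integrity check a defender can run against the static images a web server publishes, given the technique described above. Browsers stop rendering a PNG at its IEND chunk and a JPEG at its EOI marker, so any bytes after that point are invisible to visitors; a trailer that appears on, or keeps changing size on, a previously clean image is worth an alert. The PNG and JPEG files below are constructed inline so the check runs offline; the function and file names are assumptions for this example.

```python
"""Detect data appended after the end-of-image marker of PNG and JPEG files.

Added example (not the post's own code): a defender-side check for the
"hide exfiltrated data in a website image" pattern described above.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _png_end(data):
    """Offset just past the IEND chunk, found by walking the chunk list."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4          # header + payload + CRC
        if pos > len(data):
            return None                # truncated chunk: malformed file
        if ctype == b"IEND":
            return pos
    return None


def _jpeg_end(data):
    """Offset just past the EOI marker, walking marker segments (incl. SOS)."""
    if not data.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None                # expected a marker here: malformed
        marker = data[pos + 1]
        if marker == 0xD9:             # EOI
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                   # stand-alone markers carry no length
            continue
        if pos + 4 > len(data):
            return None
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen
        if marker == 0xDA:             # SOS: skip entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                # FF 00 is a stuffed byte, FF D0..D7 are restart markers
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None


def trailing_bytes(data):
    """Return (format, trailer): bytes after the image's end marker.

    Unrecognised or malformed input yields (None, b"") so a caller can
    treat it separately from a clean image."""
    for name, finder in (("png", _png_end), ("jpeg", _jpeg_end)):
        end = finder(data)
        if end is not None:
            return name, data[end:]
    return None, b""


def suspicious_images(files):
    """Map {filename: bytes} -> {filename: trailer_length} for files with a trailer."""
    hits = {}
    for name, data in files.items():
        fmt, trailer = trailing_bytes(data)
        if fmt is not None and trailer:
            hits[name] = len(trailer)
    return hits


# --- constructed sample files (not real site content) -----------------------

def _chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def minimal_png():
    """A valid 1x1 greyscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")    # one filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def minimal_jpeg():
    """Structurally valid JPEG skeleton: SOI, APP0, SOS with stuffed FF 00, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return b"\xff\xd8" + app0 + sos + b"\x12\x34\xff\x00\x56" + b"\xff\xd9"


if __name__ == "__main__":
    sample = {
        "logo.png": minimal_png(),
        "spacer.png": minimal_png() + b"CONSTRUCTED-RECORD-1\n",  # labelled fake trailer
        "banner.jpg": minimal_jpeg(),
    }
    print(suspicious_images(sample))
```

Run this over the web root on a schedule and keep the trailer length per file; the periodic "collect then clean up" cycle described above shows up as a trailer that grows and then drops back to zero, which a single snapshot would miss.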
Sky and Semafone presented separately about call centre fraud and the use of Semafone's solution, which removes cardholder data from call centre environments. The solution allows call operators to remain on the call while customers type their card details on their phone keypads; the operator only hears a normal tone for each key press and doesn't see the card number on their systems, which removes cardholder data from their view, their local computer, the servers, the network infrastructure, and the phone system including the call recording. The Semafone solution not only descopes the call centre environment from expensive PCI DSS compliance IT technologies, but also removes the opportunity for call centre fraud, and allows companies like Sky to provide better working conditions for their employees, such as allowing Facebook access and personal mobile phones at operators' desks, as the risk of internal cardholder fraud is virtually gone.
The networking at the event was excellent as always, I made new friends and caught up with many old friends within the industry, so until next year...