Today was Day One of the 2018 North American PCI Community Meeting.
Today was a bit slower content-wise, as we had to deal with checking into the conference and allow some folks to fly in this morning. The day included two keynote talks, a third presentation, and a chance to visit the vendor showcase.
The opening keynote and panel discussion was interesting, and there is definitely a long way to go in making a secure payment environment. It was nice seeing several vendors working on new ways of tokenizing data – here the focus is on CHD, but this has use cases in just about every industry.
A second keynote given by two folks from the Verizon Threat Research Advisory Center dove into the 2018 DBIR. This ended up being a pretty interesting talk, as they were able to go into more detail on a subset of the report tailored to the PCI audience. The most interesting part of the talk was the audio recordings from one of their investigations, showing how important securing your humans is. I have a decent amount of exposure to vishing testing that looks for sensitive information, but this example was very impressive.
Through a series of calls the attacker obtained the username, had the password reset, and even had the help desk install VPN software on his “home” PC. This company was “lucky” in the sense that the breach took place on a Friday and by the following Tuesday they had detected the intrusion and shut down the foothold – significantly faster than the average. The main trigger was actually Google Apps flagging some suspicious searches through the inbox.
The afternoon wrapped up with Troy Leach (PCI SSC CTO) talking about the upcoming changes to the PCI programs. Software PIN-Entry on COTS is the most recent release, and it is really focused on changing the approach to securing the transaction process (e.g. more monitoring). The next standard out will deal with contactless payments – something that is really picking up steam.
Later this year we can also expect a release of their Software Security Framework – something different from PA-DSS. This will attempt to integrate a secure life cycle process into an agile environment.
We also got a teaser for the next major release of the DSS (2020), including potential integration with NIST SP 800-63, as well as working with FIDO – all great news for authentication in the PCI world.
Looking forward to a very busy Day Two!