Today started off really exciting, with a keynote given by Eric O’Neill – a story about FBI spy hunting, calling out the common thread of insider threats. This is an issue that is certainly picking up steam, especially as the 2018 DBIR noted 28% of their incidents involved an internal actor.
Another highlight of the day for me was the discussions around EMVCo and mobile payments. The SSC is approaching the publication of “Contactless on COTS”. EMVCo is also starting to plan for the second generation of EMV – something that is likely 10+ years off in the future. Although this planning is underway, EMV 3DS exists to secure these card-not-present situations with additional information being protected.
There was some talk around quantum computing and the potential impacts on payment security. While the theory makes it sound like the world is on fire, I am not totally convinced this is a legitimate concern for 2018. In the meantime, Bruce Schneier has some interesting takes on the topic. While you’re at it, take a look at the research being performed by NIST preparing for “Post-Quantum Cryptography”.
Network segmentation is something a lot of folks seem to still struggle with, though the guidance has not changed a whole lot. The addition of semi-annual penetration testing to validate the segmentation controls seems to be the driver for this pain point. Pulling the same quote used in the presentation:
In order for a system to be considered out of scope, controls must be in place to provide reasonable assurance that the out-of-scope system cannot be used to compromise an in-scope system component, as the in-scope system could then be used to gain access to the CDE or impact security of the CDE.
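To make the quoted scoping rule concrete, here is an added example of my own (not from the presentation or SSC guidance): it walks a constructed set of allowed firewall flows backward from the CDE and flags any system declared out of scope that still has a path into an in-scope component. The host names, flows and scope sets are all made up for illustration.

```python
from collections import deque

# Constructed sample of allowed network flows (src -> dst), as you might pull
# from a firewall ruleset review. Hypothetical names, not a real environment.
FLOWS = [
    ("web-dmz", "app-cde"),       # DMZ web tier talks to the CDE app tier
    ("jump-host", "db-cde"),      # admin jump host reaches the CDE database
    ("hr-wiki", "jump-host"),     # HR wiki can reach the jump host
    ("printer-vlan", "hr-wiki"),  # printer VLAN can reach the HR wiki
    ("guest-wifi", "internet"),   # guest wifi has egress only
]
CDE = {"app-cde", "db-cde"}
DECLARED_OUT_OF_SCOPE = {"hr-wiki", "guest-wifi", "printer-vlan"}


def next_hops_toward_cde(flows, cde):
    """BFS over the reversed flow graph. Returns {system: next hop toward the CDE};
    CDE members map to None. Anything absent from the map cannot reach the CDE."""
    preds = {}
    for src, dst in flows:
        preds.setdefault(dst, set()).add(src)
    next_hop = {t: None for t in cde}
    queue = deque(cde)
    while queue:
        node = queue.popleft()
        for p in sorted(preds.get(node, ())):
            if p not in next_hop:
                next_hop[p] = node
                queue.append(p)
    return next_hop


def path_to_cde(next_hop, start):
    """Follow next-hop pointers from a system until a CDE component is reached."""
    path = [start]
    while next_hop.get(path[-1]) is not None:
        path.append(next_hop[path[-1]])
    return path


def scoping_errors(flows, cde, declared_out_of_scope):
    """Systems declared out of scope that can still reach the CDE, with the path
    that violates the 'cannot be used to compromise an in-scope component' rule."""
    next_hop = next_hops_toward_cde(flows, cde)
    return {s: path_to_cde(next_hop, s)
            for s in sorted(declared_out_of_scope) if s in next_hop}


if __name__ == "__main__":
    for system, path in scoping_errors(FLOWS, CDE, DECLARED_OUT_OF_SCOPE).items():
        print(f"{system} is NOT out of scope: {' -> '.join(path)}")
```

A segmentation penetration test is the empirical version of this check: it tries the connections instead of trusting the ruleset, and any path found is a finding in the same shape.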
P2PE received a decent amount of attention, and really seems to be an area of massive potential for reducing compliance efforts of merchants. The biggest drawback seems to be the limited competition available to merchants. As it stands now, once you engage with a processor and their supported P2PE solution, you are looking at a significant cost to convert. Hopefully the number of solutions continues to grow, and processors move to support multiple solutions.
Lastly, some conversations surrounded work to simplify the ever-present problem of patch management. This seems to be the issue that never really gets solved. The focus today seems to be pushing to cloud computing to standardize the environment and minimize and streamline the footprint you have to actually patch.
Overall, I was a bit underwhelmed with the content today. I came into the conference with high hopes based on how much experience would be in attendance. So far the presentations seem to be far too “PCI 101” for a conference dedicated to folks who deal with PCI as (at least in part) a full time job. The “hallway con” conversations, on the other hand, have been useful as I have been talking real world issues with other QSAs.
Here’s hoping for a solid Day Three to wrap the conference – at a minimum the Assessor lunch should provide some good conversations with other QSAs and ISAs.