I had the pleasure last week to travel to Las Vegas and attend the PCI North American Community Meeting.
In honour of the PCI SSC's 10th anniversary, I have created my own personal top 10 take-aways. This is my list of most important messages from the conference in reverse order.
Please feel free to respond in the comments. What were your take-aways?
10) Emerging technologies: we will see biometrics used more often; in particular, they will be used to authenticate transactions for mobile wallets.
9) Mobile payments, more specifically the practice of using a mobile device as the point of interaction / point of sale, requires the use of an approved SRED device. SRED is Secure Reading and Exchange of Data, an approval module under the PCI PTS POI program that allows card data to be encrypted at the point of capture. The list of approved SRED devices is on the PCI website. Go to https://www.pcisecuritystandards.org/.../pin_transaction_devices and set the "Functions Provided" pull-down to "SRED."
8) David Phister of Diebold Nixdorf said that long-edge card readers will be the way forward for ATMs. According to David, they do not carry the same risk from card skimming devices and can work with EMV. As an aside, this was my favourite talk overall - why are ATMs so interesting? Just google "Diebold ActivEdge" to learn more about long-edge card readers. Other tidbits from this talk: discussion of ATM malware, the need to sign ATM software, and boot process integrity checking. Perhaps it just reminds me of my days working for a regulator of electronic gaming equipment. Also, did you know that the 18-24 year old cohort has the strongest preference for cash, at 40%?
7) Special Interest Groups (SIGs) for 2017 will be chosen by election after the European Community Meeting. For next year, the choice of SIG will be from the pool of previous SIGs, so that in 2017 we can update those materials, i.e. no new SIGs for 2017.
6) Talking to the Board of Directors: Boards need to start asking questions, such as why are we doing what we're doing, what assumptions are we making, why are we keeping certain data, and have we looked at how to devalue that data?
5) SDLC - 80% of attacks are at the application level. Organizations should ensure that a documented secure SDLC is being followed. I think the emphasis here is that requirement 6.3 may not be given the full attention it needs, and organizations would be well advised to strengthen their SDLC to improve overall security, not just to obtain PCI compliance.
4) Chris Novak, Verizon - up until now, organizations have been concentrating on north / south protections (traffic crossing the network perimeter). Using multi-factor authentication helps protect against east / west threats (an attacker moving laterally between systems already inside the network). I agree. Perhaps east / west threats should be examined more closely in our annual threat risk assessments and security shored up accordingly.
3) Chris Novak, Verizon said that we could be better at using our people in the line of defence as a type of human intrusion detection system. This means educating them to speak up if they see anything unusual; that is, it is not enough to just report confirmed security incidents. Instead: "If you see something, say something." How catchy is that?! I see it is a slogan of the Department of Homeland Security: https://www.dhs.gov/see-something-say-something
2) Troy Leach, in his State of the Council keynote, said that organizational focus has been (1) get compliant, (2) stay compliant, and (3) simplify compliance. More and more companies are now looking towards the simplify compliance stage.
1) The strongest theme throughout the conference was moving past "if you don't need it, don't store it" towards a push to devalue account information using tokenization or encryption. I detected a strong push towards tokenization first, and secondly towards P2PE and end-to-end encryption solutions that protect card data at the point of capture.
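To make the "devalue the data" point concrete, here is an added toy example (my own illustration for this post, not code from any speaker, vendor or from the PCI SSC): a tiny in-memory tokenization vault in Python. A PAN goes in, a same-length token with the same last four digits comes out, the token is deliberately built so that it fails the Luhn check, and a simple PAN scanner shows that a log line holding the token no longer contains anything that looks like card data. The class and function names are my own, the card numbers are well-known test numbers, and a real vault would keep its PANs encrypted under an HSM-protected key rather than in a dict.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample input: standard test card numbers, not real accounts.
SAMPLE_PANS = ["4111111111111111", "5555555555554444"]


def luhn_valid(number: str) -> bool:
    """True if the digit string passes the Luhn check that real PANs satisfy."""
    if not number.isdigit() or len(number) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form allowed by PCI DSS: at most first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Hypothetical reversible tokenization vault (illustration only).

    The PAN-to-token mapping lives in memory here; a production vault would
    store PANs encrypted under an HSM-protected key and expose detokenize()
    only to a small set of tightly controlled callers.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key
        self._token_to_pan: dict[str, str] = {}
        self._index_to_token: dict[str, str] = {}

    def _index(self, pan: str) -> str:
        # Keyed hash so the same PAN always maps to the same token without
        # keeping a plaintext PAN lookup table.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        idx = self._index(pan)
        if idx in self._index_to_token:
            return self._index_to_token[idx]
        while True:
            # Format-preserving: same length and same last four digits so
            # receipts and matching keep working; random middle digits carry
            # no information about the real PAN.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject tokens that pass Luhn (so a token can never be mistaken
            # for a PAN) and tokens already issued to someone else.
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._index_to_token[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only whoever operates the vault can do this; that system stays in scope."""
        return self._token_to_pan[token]


_DIGIT_RUN = re.compile(r"\b\d{13,19}\b")


def find_pans(text: str) -> list[str]:
    """Crude PAN scanner: digit runs of card length that also pass Luhn."""
    return [m for m in _DIGIT_RUN.findall(text) if luhn_valid(m)]


def demo() -> list[tuple[str, str, int]]:
    """Tokenize the sample PANs and count PANs left in a log line using the token."""
    vault = TokenVault(secrets.token_bytes(32))
    out = []
    for pan in SAMPLE_PANS:
        token = vault.tokenize(pan)
        log_line = f"order 42 paid with card {token} amount 19.99"
        out.append((mask_pan(pan), mask_pan(token), len(find_pans(log_line))))
    return out


if __name__ == "__main__":
    for masked_pan, masked_token, leaked in demo():
        print(masked_pan, "->", masked_token, "PANs found in log:", leaked)
```

The scanner result is the practical part: the merchant's order system, logs and reports only ever hold the token, so a dump of those systems yields nothing a criminal can use, while the vault that can reverse the mapping remains the one place that must be protected and assessed.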
So that's it - what were your top 10 take-aways from this year? Please post in the comments below or connect with me on LinkedIn.
Picture Credit: http://www.classism.org/wp-content/uploads/2014/03/cake.jpg
If there is a push towards tokenization, the incentive surely isn't there. We have consistently been told that tokenized or encrypted data cannot be de-scoped as long as we have the keys or CDV inside our organization to de-tokenize, no matter how good the segmentation and separation of duties are. While I realize that the true security of the datastores is improved by moving to tokenized data, I am disappointed in the council for not encouraging the practice in their auditing.
Hi Chris - true, data is not de-scoped when you have the encryption keys and/or are using some on-premise reversible tokenization solutions, but it should provide reduced scope as a type of segmentation. I think the point was made that it keeps the data out of the hands of the criminals (who don't have access to the decryption keys / de-tokenization tools).
Thanks for sharing, this is very informative.
You are welcome :-)