05 Oct Thoughts from the PCI Community Meeting
Rob Sadowski, RSA
PCI SSC Board of Advisors member
The annual Community Meetings are the best way for anyone who has a stake in payment security to take stock of the current state of the industry and the issues that are shaping its evolution. So, thinking back on a whirlwind three days, what did this year’s North America Community Meeting in beautiful Vancouver, BC reveal?
More focus on effectiveness – We’re at the point that most stakeholders understand the various standards and their objectives, and any new or changed requirements at this point, for the most part, mesh well into this understanding. Pure education to drive this understanding was a major focus of many previous community meetings. This year, I saw an emphasis instead on how can we make implementations more effective, and compliance with the standards, particularly PCI DSS, easier and more impactful. Stephen Orfei’s keynote remarks and Troy Leach’s introduction to the ecosystem overview on day 1 both described the planned evolution of the standard to take a more risk-based approach going forward. Ciske van Oosten’s data from Verizon on which requirements are most often not met in breached organizations was another invaluable source of guidance. A better understanding of the risks and threats that are the biggest contributors to major compromises, and using that intelligence as a lens to prioritize activities should ultimately result in organizations and cardholder data being more secure.
Technologies can have a major impact – One of my favorite presentations was Caesars Entertainment’s overview of their implementation of P2PE and tokenization. If an organization as large as Caesars in a sector as complex payments- and business process-wise as hospitality is able to implement these technologies and reap the benefits of security and scope reduction, many others can and should follow suit to get the same benefits. Bravo to the organizers for featuring a solution that is not yet validated in the P2PE program but still provides tremendous reduction of risk.
We’re all in this together – The importance of people and human impact on security and risk was a consistent theme. John Nance noted that human error is the biggest opportunity for systems to fail. Brian Krebs emphasized that we can all do better – merchants, vendors, acquirers, associations and issuers all need to up our game and work more closely together if we want to see breaches go away. Calling this gathering a Community Meeting has never been more appropriate.
A necessary eye toward the future – My favorite talk on day 3 was Ashok Misra’s overview of Bitcoin and the blockchain. It’s increasingly important that the community begin thinking more broadly about the security and risk impact of new technologies as they begin to gather momentum and safeguards can be added as the technology develops as opposed to once they’ve achieved ubiquity and need to be retrofit.
As a Board of Advisors member, I am constantly asked by Participating Organizations to drive more pragmatic, practical points of view into the standards activity. This year’s Community Meeting and these takeaways show that we are making progress that direction.