Another Annual Community Meeting

Another year has come and gone and so has another North American PCI Community Meeting. This one held in the beautiful city of Vancouver, British Columbia, Canada.

I have to say that the new leadership of the Council is showing. I heard many comments from attendees that this year’s conference was better than in years past.

The Good

  • The ‘Mobile Forum Roundtable Discussion’ was probably the best session of the conference. That is based on comments from the attendees of this session as well as the comments from other conference attendees that went to the competing sessions. If the Council is looking for how to structure future sessions, this is the format. Participants sat at numbered tables and then each table was given a question on the topic of mobile payments to discuss for half of the session. The last half of the session was a representative from each table presenting the findings from those table discussions. I think the Council’s Mobile Working Group, of whom some members were present, as well as the other attendees of this session learned a lot in an hour and a half.
  • There were two notable sessions regarding point-to-point encryption (P2PE) that had nothing to do with P2PE. One was given by First Data regarding TransArmor and the other was given by Caesars International regarding Shift4. Neither of these end-to-end encryption (E2EE) solutions are P2PE validated. In years past, these sessions would never have occurred. Apparently the new leadership at the Council felt it was important to have their stories told to the Community Meeting participants as a more secure way of conducting transactions even though neither is a P2PE solution. I commend the Council for their foresight in holding such sessions.
  • Brian Krebs’ Keynote on Thursday was not what I was at all expecting. I expected Brian would mostly rehash stuff out of his latest book as most writers do at these sorts of events. But it was a very informative and enlightening session with a lot of good information. For those who regularly read his blog, a lot of the stories he gave we had already heard but not with the personal touches he gave them. If anything, people walked away with a better understanding of why card data is sought after by the underground.
  • As always it was great to get together with everyone involved in PCI and meet a lot of you. The nightly receptions were excellent as were the session breaks. It always amazes me how many people just walk up and introduce themselves to me at these meetings. I really appreciate the fact that so many of you find the blog so useful as well as providing people with a voice in sharing frustrations with PCI and the process. Thank you to all of you that read this blog and find it useful.

The Not So Good

  • The Thursday “TED Talks” format was so-so. While it was definitely the talk at lunch and afterwards at dinner, it was not viewed as a highlight. As I coalesced the comments I heard, I do not think it was not the format as much as not all of the topics presented belonged in such a format. For anyone that has seen or been to TED Talks, they are very, very high energy and involve a passion for a topic that was not completely present in those Thursday sessions. If this is a format the Council wants to use going forward, then the topics are going to have to have a much higher energy to them and be much more important to discuss.
  • I had to chuckle at the vendor booths that were pushing their “silver bullet” solution for PCI compliance. There were only a very few of these “snake oil salesmen” present, but there they were saying they could put parts of your environment completely out of scope for PCI compliance. I thought we were long past such claims, but apparently not.
  • As with any such event, I saw a lot of people that I really wanted to talk to and just did not get the chance to catch up with them.
  • I unfortunately ended up with a number of client and emergency meetings I needed to attend during the conference. As a result, I had a few interruptions and could not attend a number of the sessions I really wanted to attend.

The Notably Missing

  • Professional Breakout Sessions were missing. This is a PCI conference that brings together qualified security assessors (QSA), internal security assessors (ISA), approved scanning vendors (ASV) and participating organizations (PO). Yet, there were no breakout sessions for those participants to meet with anyone from the Council. You would think that getting feedback from each of these important groups would be important to the Council. Other than these groups going individually to the Council’s office on “Card Brand Row”, there was no program for these important constituents to get together and voice their concerns. One would think this is a key part of why you hold such an event yet this piece was missing.

Overall though this year’s Community Meeting was probably one of the better ones I have attended.

See you all next year in Las Vegas.


2 Responses to “Another Annual Community Meeting”

  1. 1 JJ
    October 3, 2015 at 11:05 AM

    Were there any discussions on the “old TLS” issue? Both with regard to ASV scans and with regard to potential lost business?

    We’ve had two ASV scans since that guidance came out and we have TLS 1.0 enabled on Internet-facing web servers. The first time they said their scanners had not yet been updated. The second time they said they were not going to mark anyone as a fail until the June 30, 2016 deadline. The odd thing was they did not require the Risk Mitigation and Remediation Plan. It’s as if non-public guidance said that was no longer necessary.

    We’ve prioritized the TLS 1.2 ciphers on the servers but we’re still seeing between 10% and 15% of connections using just TLS 1.0 (for unique source IP addresses). I imagine we’re like other companies that will not change a thing until the hard deadline because there’s no way we’re going to cut off 10% of our customers just because of some rule change. I’m kind of hoping that the IE 11 issue in January as well as the adoption of Windows 10 will help but so far we’re not seeing it.

    • October 3, 2015 at 12:50 PM

      The impact of TLS v1.0 and v1.1 is really hit or miss depending on merchant and the location of their customer base. Some merchants stopped supporting SSL and early TLS and saw very little repercussion. Others (particularly merchants overseas) are complaining that they cannot shut off early TLS let alone SSL v3. As a result, there are a lot of merchants that will wait until the very last minute before they stop early TLS.

      As to discussions about it at the Community Meeting, there was no formal discussion. I am sure there were plenty of informal discussions between merchants about what they are doing about early TLS.

      Technically, the ASV should be requiring migration and mitigation plans for early TLS. However, a lot of ASVs are letting things slide for the time being as in a lot of cases, there is little the merchant can do about the situation.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Welcome to the PCI Guru blog. The PCI Guru reserves the right to censor comments as they see fit. Sales people beware! This is not a place to push your goods and services.

October 2015

%d bloggers like this: