Archive for the 'PCI Dream Team' Category


Guru And David Get The Last Word!

About a month ago, Coop and Ben were interviewed on the Sycurio QSA Seminar Series. Well, now the “better half” of the PCI Dream Team are speaking at the Sycurio QSA Seminar Series on Friday, September 30, at 11AM ET/1500 UTC.

We are going to “dish” on this year’s PCI North American Community Meeting, and I am sure we will also discuss what we have learned about PCI DSS v4 and whatever else comes up in our conversation, as well as answer questions from the audience.

For anyone who wishes to attend, you can register here.

David Mundhenk and I look forward to “seeing” you at this great session.


The Gag Is Coming Off!

Coming Thursday, April 28, to an internet connection near you!

The PCI Dream Team of Ben Rothke, Art “Coop” Cooper, David Mundhenk and the PCI Guru himself will finally be able to openly discuss PCI DSS v4 – warts and all!

So, bring your questions and concerns to this open discussion of v4. As always, if you cannot attend the live session, you can submit your questions to pcidreamteam AT gmail DOT com.

Register here for this session.

We look forward to “seeing” everyone there.


See The PCI Dream Team LIVE!

I just wanted to give everyone a heads up on the latest speaking engagement for the PCI Dream Team.

I recently got word that the PCI Dream Team will be back speaking at Secure360 in Minnesota. We do not yet have our time slot or the location of the event (I would assume it will be held at Mystic Lake Casino), but we do know that the conference runs from Tuesday, May 10, through Wednesday, May 11, and is currently expected to be a LIVE event. I am not sure if the event will also be live streamed for those of you unable to travel.

As usual, we always accept questions at our email address of pcidreamteam AT gmail DOT com.

Stay tuned to the blog and as we get more information I will share it here.


A Half Day Of Dream Team!

Apparently, a successful talk I gave more than a year ago on PCI compliance for the Toronto Chapter of ISACA’s Lunch and Learn program has led to an opportunity for a half day of the PCI Dream Team on Thursday, February 3, from 1PM – 4:30PM ET/1800 – 2130 UTC. Because of the scale of this event, there is a fee involved to attend. Attendance by ISACA members will cost $50 CAD (approx. $40 USD or €35) and non-member attendance will cost $60 CAD (approx. $48 USD or €42). You can register here for the event.

The format of this session is like a TED Talk, only with a Q&A session afterwards. One of the Dream Team will make a 20 to 30 minute presentation on a PCI topic near and dear to their heart and then open the floor to questions on the presentation or any other PCI or information security topic for another 30 to 40 minutes. Rinse and repeat.

As with all our sessions, we will be accepting questions via our Gmail account at pcidreamteam AT gmail DOT com so that you can ask them ahead of time and allow us to prepare.

We look forward to seeing you at this event.

UPDATE: Thank you to all who joined us at this great event. The Dream Team had a great time and enjoyed all of the excellent questions that got asked. We look forward to future meetings like this.


So Much For “Live” In October

We have been notified that the (ISC)2 Security Congress in October will now be virtual.

We would still like to virtually meet with all of you anyway. See this post for where to register and how to submit questions for our session that will still go on virtually.


PCI Dream Team LIVE! Is Coming In October

The PCI Dream Team will be appearing LIVE at the (ISC)2 Security Congress in Orlando this Fall, Monday, October 18 through Wednesday, October 20, 2021.   Our session is scheduled for Tuesday, October 19, at 11:45 AM ET/ 1545 UTC.

While we will be live at the conference, you can also attend the conference and our session virtually. So other than training budget limitations, there is no good reason you cannot join us.

As usual, we will be taking questions live and via email at pcidreamteam AT gmail DOT com.  We also monitor Twitter if you use #pcidreamteam.

We are expecting our usual lively discussion of all topics PCI and other security standards if time allows.

We really are looking forward to physically seeing people at the conference.


Same Dream Team, New Venue

After years on BrightTalk, the PCI Dream Team is relocating to a new venue due to changes in BrightTalk’s revenue model (i.e., you need to pay to be on BrightTalk).

Thanks to Dream Team member Arthur “Coop” Cooper and his employer, TrustedSec, we will now be broadcasting through TrustedSec’s GoToMeeting instance.

Which brings us to the fact that the PCI Dream Team will be live online on Wednesday, June 23, at 1PM ET/ 1700 UTC. If you would like to attend this live event, you can register here. As usual, this will be an interactive event with attendees providing the questions to the Dream Team to answer.

We expect a lively discussion, since our session follows the PCI SSC’s QSA event on June 15, which is scheduled to run an hour and a half. Still no clue as to what is going to be discussed at that QSA session, but if it is going to take an hour and a half it must be good.

As usual, we will also be accepting questions at pcidreamteam AT gmail DOT com. So if you cannot attend the live event or have questions that are just bugging you, you can submit them to that email account so that we have them for this session.

And as a reminder, no questions are off limits EXCEPT those regarding PCI DSS v4 (thank you NDA).

We look forward to seeing you at our new online home.


PCI Dream Team at Secure360 2021

Back by popular demand, the PCI Dream Team will again be taking our show to Secure360 this May 11 (Tuesday) at 4PM CT/2100 UTC.

Secure360 is the Upper Midwest’s premier security conference and will be meeting again virtually on Tuesday, May 11 and Wednesday, May 12.  It is well worth the cost to attend as there are always many informative sessions and keynotes.  If interested, you can register here.

While not in person last year, we had a great time answering a variety of PCI and not so PCI security questions.  We look forward to having another great session this year.

If you want to make sure your question gets answered, please submit them before the session at pcidreamteam AT gmail DOT com.

We look forward to seeing you at Secure360.


Quick Hits From PCI Dream Team Session 10

The following are some questions that were asked at the last PCI Dream Team session but we were unable to get to them during the session.

  1. Can a PCI validated service provider omit requirements from SAQ D-SP because they themselves also use PCI validated service providers who meet said requirements?

    First off, requirements cannot be “omitted” or marked “Not Tested” and still result in a compliant Service Provider SAQ D or ROC, per FAQ #1382.
    As to how the organization should deal with requirements covered by a third party: mark them as “In Place” with a description stating that the appropriate third party is responsible for the requirement and that the third party was PCI compliant as of the date of its AOC.
  2. Most QSAs are suggesting that the best way to mitigate new requirements in PCI v4 is to implement P2PE. Would you agree?

    Going to a P2PE or E2EE solution is only part of the equation. To reduce scope the most, you would also want to implement tokenization to ensure that your systems never retain PAN. It is important to remember that most P2PE/E2EE solutions do not automatically include tokenization.
    Also remember, only a PCI-listed P2PE solution gets the immediate scope reduction without asking the acquiring bank. However, E2EE can also result in scope reduction if properly documented and approved by your acquiring bank, so do not limit yourself to only P2PE solutions. E2EE solutions from First Data (TransArmor) and Verifone (VeriShield) are the most widely implemented scope-reducing solutions in the marketplace and are offered through almost all payment processors.
  3. Can you give examples of connected-to tools for pushing out code – are you referring to Git, Chef, what other tools fall into this category?

    Yes, we were talking about tools such as Git, Jenkins and Chef. But it is more than just code that gets pushed out. Configurations, networking, etc. are all being pushed out by tools such as Ansible, Terraform and others in the cloud, and those tools are also in scope.
    Regardless of the PCI scoping issues, these tools create security issues for organizations because they are typically not very well protected or monitored. These tools are an organization’s software factory, and most organizations are leaving the factory’s doors wide open for anyone to walk through and see how you construct the in-house software solutions that are supposedly the key to your organization’s success. All of this should hit home pretty hard after the SolarWinds debacle.
  4. On the topic of end of life (EOL) software, what about open-source projects with no LTS such as React 16 since the next major version has been released?  Would I be compelled to update all my dependencies to the latest major version?

    As far as I am aware, there is no announced React 16 EOL date, nor has there ever been an EOL announcement for any release of React. That said, since React is a group of JavaScript libraries and JavaScript is a well-known attack vector, the risk of using an older React version only gets worse as time goes on. A risk assessment of the React versions you use should take all of that into account and drive your analysis as to when you should update React, barring the vendor stating an EOL for the version.
    But there are larger issues with open source application projects that process, store or transmit cardholder data (CHD). I wrote about this a few years back in this post, and it has a link to a post on the subject from 10 years ago.
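The tokenization point in item 2 above, shown as an added example that is not part of the original post and not any vendor’s product: a toy token vault standing in for the processor-side token service, a merchant-side sale record that keeps only token and last four, and a scan of whatever the merchant stores for Luhn-valid PANs, which is the kind of check a QSA would run to confirm the systems really never retain PAN. The vault class, its index key, and the test PAN are all constructed for illustration.

```python
"""Added example (not from the PCI Guru post): tokenization next to P2PE/E2EE.

The vault below is an in-memory stand-in for a real token service, which in a
real deployment lives with the processor or P2PE provider, outside the
merchant's environment. Everything here is constructed sample data.
"""
import hashlib
import hmac
import json
import re
import secrets
import string

# Constructed test PAN (a well-known Visa test number, Luhn-valid); not cardholder data.
TEST_PAN = "4111 1111 1111 1111"


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, used to tell PAN-looking digit runs from order numbers etc."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by single spaces or dashes.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """Return every Luhn-valid PAN-looking string in text (what a scoping scan would flag)."""
    hits = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


class TokenVault:
    """Holds the only PAN-to-token mapping. Assumed stand-in for a processor-side service."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key      # keyed lookup index, so the index is not a plain PAN hash table
        self._pan_by_token = {}
        self._token_by_index = {}

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return a token for the PAN; the same PAN always maps to the same token."""
        pan = re.sub(r"[ -]", "", pan)
        if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid PAN")
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        # Letters only, so a token can never be mistaken for (or collide with) a PAN.
        token = "tok_" + "".join(secrets.choice(string.ascii_uppercase) for _ in range(16))
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can turn a token back into a PAN (e.g. for a later refund)."""
        return self._pan_by_token[token]


def record_sale(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant keeps after authorization: token and last four, never the PAN."""
    token = vault.tokenize(pan)
    last4 = re.sub(r"[ -]", "", pan)[-4:]
    return {"token": token, "last4": last4, "amount_cents": amount_cents}


def scope_scan(records: list) -> list:
    """Serialize everything the merchant stores and look for PANs; a non-empty result means PAN is retained."""
    return find_pans(json.dumps(records))


if __name__ == "__main__":
    vault = TokenVault(b"constructed-demo-key")
    sale = record_sale(vault, TEST_PAN, 1999)
    print("stored record:", sale)
    print("PANs found in stored records:", scope_scan([sale]))
    print("PANs found in a raw receipt line:", find_pans("receipt 4111 1111 1111 1111 approved"))
```

The scan is deliberately run over the serialized records rather than over a known field, because PAN leaks into logs, free-text notes and error messages far more often than into a column named “card_number”; the same `find_pans` routine can be pointed at log files and database dumps.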

The PCI Dream Team Rides Again

Please join us on Thursday, December 10, at Noon ET/1700 UTC as the PCI Dream Team discusses all things PCI EXCEPT PCI DSS v4. LOL!

You can register here for this free one hour session.

As usual, if you wish to submit questions before the session, please send them to our email box at pcidreamteam AT gmail DOT com.

We look forward to all of you attending this session.
