I'm here in Las Vegas with 650 of my closest PCI friends, including Tom Davis of Indiana Univeristy (For those of you who forgot, we represent NACUBO which is a Participating Organization). The PCI Community Meeting - this is the third - seems about twice as big as last year. I guess that makes sense since there are now over 500 participating organizations, 203 QSA firms, 145 ASVs, and 8 PED labs.
If I had to give this PCI Meeting a title, it would be
"The Listening Meeting." The Council is in it's feedback phase, soliciting feedback from all parties on the DSS (and PA-DSS) and how it should be changed, massaged, edited, clarified, expanded, contracted, and otherwise revised. In case you missed it, we are scheduled for the next revision to PCI DSS in October '10.
There were some particularly good sessions today. Let me try and describe each and give you the highlights.
The first had Verizon presenting highlights from their 2009
Data Breach Investigation Report. The message reinforced that the threats continue (the role of organized crime; the thriving underground market for card data, etc.) and most companies are not prepared. Not surprisingly, online systems accounted for most breaches, and most companies did not have an incident response plan in place (as I've
blogged about before, in case you forgot...). Another interesting statistic: 69% of breaches were discovered not by the breached company but by a third party. Believe me, this is a call you don't want to get.
Another interesting session was the (very) preliminary report from PricewaterhouseCoopers. The Council retained them to investigate emerging payment technologies that could impact PCI: either the DSS itself, or how you as merchant or service provider comply with the Standard. They identified 12 possible technologies and focused on 4 for further study. These were: end-to-end encryption; mag stripe imaging; tokenization; and virtual terminals.
The first conclusion is that none of them is a silver bullet. Sorry to break your hearts, but there it is. Additionally, there are challenges with all of them, and the challenges are
not technical. Rather, the challenges are mainly on the business side. Examples cited were:
- The lack of knowledge and expertise on the part of all parties.
- The lack of consistency across all parties as to the role/appropriateness of the technology. for example, merchants, QSAs, vendors, and even the Council might have different interpretation of the usefulness of the technology.
- The need to change procedures for card acceptance/processing by merchants and processors.
- And somehow making it easier to ensure consistent implementation of the technologies.
The bottom line is that the impact of each of the 4 technologies is likely to be highly variable (translation: no guarantees) depending on how the technology is implemented and the particular environment in which it is implemented. And everyone is still working on making the business case (think ROI), how to integrate the technologies with current merchant and processor environments, and the impact they will have on customers.
My personal summary is that these technologies will shift some part of the burden of PCI compliance from the merchant to the processor (or service provider or acquirer). The merchant will, however, pay more to achieve this shift. Another point is that these technologies might just have an impact on the DSS itself and the scope of compliance. And nobody has worked out the liability and financial consequences for each party. Oh, did I mention that none of them was a silver bullet that would make PCI go away?
We closed the day with a rapid-fire summary from the 4 Special Interest Groups (SIGs). The Pre-Authorization Data SIG has made recommendations to the Council, and the Technical Working Group is starting its review. There can be implications for recurring payments, hospitality/hotels, travel, and of course petroleum retailers with all those wonderful self-serve gas pumps. The Virtualization SIG could have a big impact on many schools and other merchants. They are working on a phased set of releases due to the rapidly changing nature of the technology. Expect a target draft white paper (defining issues, risks, maybe some case studies) in January. Ultimately they plan to produce a mapping tool that will identify where virtualization can apply each requirement of the DSS. I saw some drafts, and it promises to be quite extensive.
The PCI Scoping SIG is just getting started, and it promises to be equally valuable. Too early to report much. But at the other end of the spectrum is the Wireless SIG. They issued their report on wireless (
click here to learn more and download a copy), and like the Energizer Bunny they keep on going. Expect a look at Bluetooth implementations next.
In between these presentations were extended "open microphone" sessions where everyone was encouraged to offer their feedback to the Council and the Brands. Like I said, this is The Listening Meeting.
Tomorrow promises to be another full day.