Monday, October 5, 2015

The 2015 PCI SSC North America Community Meeting

[Mike Leach sent in this terrific summary of his time at the PCI Security Standards Council's North America Community Meeting, held last week in Vancouver, British Columbia, Canada. I wasn't able to attend this year, so thanks Mike! --gaw]

We wrapped up the PCI SSC North American Community Meeting in Vancouver, BC last week. Before I review a few key points of the meeting I want to highlight our host city: Vancouver, BC is a fantastic city! The streets are pedestrian friendly and clean, the people are friendly, the downtown is alive and vibrant after 5. I even stumbled into a shooting set for Minority Report on an evening walk. Then the waterfront and harbor called to us every day, making it hard to go back into meeting sessions. I recommend Vancouver as a vacation destination. I will be back.

This year Indiana University, Michigan State, North Carolina State, Oklahoma State, Penn State and University of the Pacific were represented as well as the British contingent: University of Surrey, University of Manchester and the University of Leicester. If I overlooked any Higher Ed schools I'm sorry we missed you at the meeting.

The theme this year was Educate, Empower, Protect. As a between-standards year much of the content was review and reinforcement of known topics. Building on PCI as Business as Usual the Council reiterated its focus on providing guidance and content for Small and Medium Businesses (Hey, that's us!).

To do that they are using a 4 pronged approach:

  1. Establishing a SMB task force
  2. Highlighting the QIR program
  3. Encouraging us to develop Acquirer relationships
  4. (The Council) Deepening relationships with Merchant Associations
There will also be a refreshed website with a preview offered here:

Another sub-theme was collaboration. We know the bad guys are sharing info and learning as a community. We need to do the same. As IU's Ruth Harpool reminded General Manager for the PCI Security Standards Council, Stephen Orfei, Higher Ed knows collaboration. This is one of our strengths we need to continue to leverage so none of us are left behind. When schools write to the PCI listserv with questions, please offer up your answers or experience. If you don't feel comfortable discussing with the larger group reply privately. Continue to ask and share.

Keynote speaker John Nance related his experiences in aviation and healthcare to information security. Humans are the weakest link. By admitting we will fail we can plan for failure and be ready to respond to failures.  John also supports the call for collaboration. Collaboration without a common goal is just disparate groups trying to cooperate.

Several presentations covered the importance of P2PE and Tokenization. We are starting to see more validated solutions listed. These two services provide real card data security and scope reduction. However in speaking with merchants who have started down this path some acquirers are trying to squeeze all merchants into a category that doesn't fit well. A complete implementation will take some time and planning so start now. Caesars Entertainment reviewed their 3 year project to implement P2PE at all 37 properties in 14 states.

Keynote Brian Krebs highlighted some of his adventures in learning and writing about card markets and ATM skimmers. His prediction for US EMV adoption is that we will see growth in new card/account fraud because so much of our US personal data is out there, unlike other countries with more strict privacy laws or less electronic personal data available.

Those are just some of the highlights. Please see the Council's meeting blog site for more meeting coverage:

Next year's North American meeting will be September 20-22 at the Mirage, Las Vegas, Nevada.
Thank you,
Mike Leach

Mike Leach is a System and Network Security Analyst in the Office of Information Systems at The Pennsylvania State University. As a primary function of that job he has been managing the PCI compliance program for nine years. PSU has successfully bridged the IT-Finance/Treasury gap and in cooperation with the Office of Corporate Controller Mike oversees 55 merchant areas using some 150 merchant IDs across 24 campus locations.

Mike Leach can be reached by using the Contact Form in this site’s sidebar.

No comments:

Post a Comment