It was a hectic week out in Las Vegas at the Community Meeting this year. I wish I had more time this year to just hang out with everyone, but I was in the middle of a number of assessments that needed to get done, so I was working at night and attending sessions during the day.
By the time you read this, the slide decks from the sessions will have been posted on the Council’s Web site. So all of you that attended will be able to download those presentations. You go to the link provided in the program guide, provide your name, organization name, email address and the password from the program guide (ve4eqepR) and you are in.
The Council tried the 20 minute “TED Talk” format again with the Wednesday sessions. A number of the sessions I attended could have easily used an extra 10 minutes if not a complete hour. I know the Council is trying to move things along and get a lot of information covered, but trying to discuss topics like “the cloud” or EMV standards just cannot be properly accomplished in 20 minutes. I do not care how good a speaker or organized the presentation.
Here are some of the more notable highlights.
The Assessor Session Is Back
Possibly the most anticipated session of the Community Meeting this year was the return of the Assessor Session after being missing for two years. But unlike previous years where this session occurred before the start of the Community Meeting, the return of the Assessor Session was moved to the end of the Community Meeting. I heard a number of complaints throughout the week from assessors about being at the end of the meeting. Yet when Thursday lunch came around, there were a lot of QSAs, ISAs and ASVs that adjusted their travel schedules (Guru included) to attend this session.
While I originally agreed with people that moving the Assessor Session to the end was not a good idea, the more I have thought about it, the more I think it was better at the end. That way assessors can have questions covering topics that come up during the meeting get answered while we are all together. I know we all want to get home, but I think the Assessor Session offers more value to all of us being at the end.
On the not so good side, the Council chose to use up an hour and 10 minutes to present a variety of topics, some of which took way too long to discuss. But the larger question was why was this material not presented during the main conference? Not only did all of the meeting attendees miss out, but there were people that did not get their questions asked. I am also sure that running long discouraged a lot of people from asking questions as well.
That said, there were a number of good questions asked during this session and the Council rewarded five people with large PCI SSC coffee mugs for their “good” questions.
One question though really created a stir. I will address that question regarding multi-factor authentication (MFA) as a separate post to be published later. However I will say this about this discussion. The Council really needs to go back and re-think their position on MFA if what they said is accurate.
The Council was asked about SAQ A and where it is headed. The concern in the assessor community is that the mechanism that issues/controls the iFrame/redirect needs protection. However the changes to SAQ A for v3.2 did not seem to address this obvious risk. Based on how the question was answered, I am guessing that the hosting community is trying to keep SAQ A as simple and easy as possible regardless of the risk.
Another area that the Council agreed to review was the change to requirement 3.2 in the ROC Reporting Template. In v3.2 of the template you can no longer mark those requirements as Not Applicable however it was pointed out that an ‘NA’ was still allowed in the SAQ D. The reason for seeking this clarification was related to past comments from the Council to follow SAQs for P2PE (SAQ P2PE) and outsourced eCommerce (SAQ A) when filling out a ROC for merchants with these solutions. It was pointed out that neither of these SAQs has requirement 3.2 in them, so how is a QSA/ISA supposed to respond to it in the reporting template if it cannot be marked as ‘NA’.
Understanding The Current Data Breach Landscape (aka Verizon DBIR Report Discussion)
When Verizon sends out Chris Novak, you know you will get a great presentation on the data breach incident report aka ‘The DBIR’. This year was no exception albeit somewhat depressing as Chris again pointed out that most breaches are the result of sloppy operations, lax security and insecure applications. Essentially security issues that we should have gotten past a long, long time ago but have not.
Architecting for Success
Who better to talk about success than a representative from the Jet Propulsion Laboratory (JPL) talking about how to develop spacecraft to explore the most inhospitable environment we know, outer space and planetary bodies. Brian Muirhead was the keynote speaker on Wednesday and is the Chief Engineer for the Mars Science Laboratory, the group that designed and developed the various Mars exploration rovers. He gave a great discussion on how to look out for problems and develop self-managing devices. Very interesting and I am sure an eye opener for people that we need to stop accepting the sloppy and messy solutions we get for handling cardholder data.
Internet of Things Keynote
The Thursday keynote was just a great time. While there seemed to be very little directly relevant to PCI compliance presented by Ken Munro and an associate from Pen Test Partners, it was a fabulous time exploring the wonderful world of flawed technology from a tea kettle, to a refrigerator to a child’s doll. In the case of the child’s doll, they removed the word filter database and therefore allowed the doll to say things that no child’s toy should say.
What was relevant to PCI was the ease with which these folks were able to reverse engineer firmware and software used by these devices. It gave a lot of people unfamiliar with IoT and penetration testing in the room pause as to how seemingly sophisticated technology can be easily abused.
Cloud Security
While it was great to see Tom Arnold from PSC, the even better thing about this presentation was the fact that Amazon provided an actual human being, in the form of Brad Dispensa, to talk about Amazon’s EC2 Cloud. While billed as a discussion on incident response, the session provided great insight into AWS’s EC2 service offering as well as the variety of new tools available to manage the EC2 environment and also provide auditors and assessors with information regarding the configuration of that environment. The key take away from this session is that organizations using EC2 can provide everything needed for conducting a PCI assessment using their EC2 Master Console.
EMVCo
Brian Byrne from EMVCo gave a great 20 minute session on EMV. The slide deck will be more valuable than the presentation because he had so much content to share and so little time to share it in. Of note was his discussion of version 2.0 of three domain secure otherwise known as 3D Secure or 3DS. While v1.0 will remain under the control of Visa, EMVCo has taken over management and development of the 3DS standard. The new version is in draft and only available to EMVCo members, so this was the first time I had been able to see what the new version has to offer. But because of the time constraint, I will need to wait for the slide deck to be published to know more.
PCI Quality Assurance Program
Brandy Cumberland of the Council provided a great presentation on the Council’s quality assurance program that all QSAs have become familiar. I appreciated her discussion of James Barrow who took over the AQM program after most of us wanted to kill his predecessor for creating one of the most brutal QA programs we had ever seen. James efforts to make the AQM program more relevant cannot be underestimated as he took over a very troubled affair. This was a bittersweet discussion as James passed away right after last year’s Community Meeting and will be greatly missed by those of us that came to know and respect him. Brandy took over the AQM program when James left the Council and has been doing a great job ever since. She is possible one of the best resources the Council has and does the AQM program proud.
Application Security at Scale
The last great session of the conference I saw was from Jeff Williams of Contrast Security. The reason this session was great was it discussed what application developers can do to instrument their applications for not only security, but also for operational issues. He introduced us to interactive AppSec testing (IAST) and run-time application self-promotion (RASP). The beauty of this approach is that applications get security in the form of embedded instrumentation that results in actionable analytics which then allow decisions to be made to respond to threats to these applications. It sounds like an interesting approach and concept and I cannot wait to see it in action.
As always, it was great to see and catch up with all of my friends in Las Vegas at the PCI Community Meeting. It was also great to meet a lot of new people as well. I look forward to seeing all of you again next year in Orlando.
