PCI Community Meeting: Tales From The Trenches
Mobile Payment, P2PE And Mobile Device Security Take Center Stage
September 17, 2012
I am currently at the annual North America PCI Community Meeting in Orlando, attending sessions with over a thousand of my peers to learn about the latest interpretations of the PCI standards and trends in the PCI industry. We’re also getting an overview of what the PCI Security Standards Council (PCI SSC, or PCICo) and the card brands are thinking about emerging technologies such as mobile payments and point-to-point encryption (P2PE). Here’s a roundup of what I’ve learned so far.
The state of the union is good!
Bob Russo presented the annual PCI State of the Industry. The industry continues to move in the right direction when it comes to increasing the focus on protecting cardholder data. In the past year the Council has implemented several programs, including the Qualified Integrators and Resellers (QIR) program, the Payment Card Industry Professional (PCIP) certification, PCI Awareness Training, and the Internal Security Assessor (ISA) program.
SIG voting is now open
The PCICo’s Special Interest Groups (SIGs) draw on the business and technical experience of PCI Participating Organizations (QSAs, merchants, vendors, solution providers, and financial institutions). This allows for better collaboration with the PCI SSC on supporting guidance or special projects relating to the PCI Security Standards. For 2013, PCICo has narrowed the SIG candidates from 14 to the following 7. You can make your voice count by voting for the SIGs you’d like to see created; these are all viable topics!
- PCI DSS New Guidance for Issuers
- Cardholder data discovery
- External penetration testing
- Internal scanning and vulnerability management
- Third-party security assessments
- Best Practice for Managing PCI compliance
- Guidance on logging
SpiderLabs’ mobile device security review
Nicholas Percoco from Trustwave SpiderLabs presented an overview of mobile device security and reviewed several mobile attack scenarios. Some of the security issues highlighted include the following:
- Attackers can potentially access data stored on users’ devices.
- Apple iOS devices are vulnerable to jailbreak software, and older versions are potentially vulnerable to SSL man-in-the-middle attacks.
- Android devices are susceptible to rootkits, malware, and focus stealing (where one application steals focus from another application).
In short, mobile platforms are not inherently secure. Troy Leach from PCICo announced that the Council has released a mobile payment best practices document (the PCI Mobile Payment Acceptance Security Guidelines) that provides guidance on securing cardholder data on general-purpose devices. It covers transaction controls (e.g., cardholder data entering the device, cardholder data stored on the device, and cardholder data leaving the device) and environmental controls (e.g., preventing unauthorized access, remote management, strong host-side controls compliant with PCI DSS, and an indication that the device is operating in a secure state).
The learning continues…
The PCI Community Meeting gives us much to think about in the coming months. I look forward to your thoughts on these developments.
Will you be voting on SIGs? What do you see on the horizon in terms of mobile platform security? Have you reviewed the PCI Mobile Payment Acceptance Security Guidelines – and what are your thoughts?
By Steve Levinson, PCI Practice Director, AT&T