I am currently at the annual North America PCI Community Meeting in Orlando where I am attending sessions with over a thousand of my peers to learn about the latest interpretations of the PCI standard, and trends in the PCI industry. We’re also getting an overview of the PCI Security Council’s (PCICo) and Card Brands’ thoughts about emerging technologies such as mobile payments and point-to-point encryption (P2PE). Here’s a roundup of what I’ve learned so far.
The state of the union is good!
Bob Russo presented the annual PCI State of the Industry. The industry continues to move in the right direction when it comes to increasing the focus to protect cardholder data. They’ve implemented several programs in the past year, including Qualified Integrators and Resellers (QIR) program, Payment Card Industry Professional (PCIP) certification, PCI Awareness Training, and the Internal Security Assessor (ISA) Program.
SIG voting is now open
The PCICo’s Special Interest Groups (SIGs) leverage valuable business and technical experiences from PCI Participating Organizations’ (QSAs, merchants, vendors, solution providers, and financial institutions). This allows for better collaboration with the PCI SSC on any supporting guidance or special projects relating to the PCI Security Standards. For 2013, PCICo has narrowed down the SIG candidates for 2013 from 14 to the following 7 candidates. You can make your voice count by voting for the SIGs you’d like to see created – these are all viable topics!
- PCI DSS New Guidance for Issuers
- Cardholder data discovery
- External penetration testing
- Internal scanning and vulnerability management
- Third-party security assessments
- Best Practice for Managing PCI compliance
- Guidance on logging
Spider Labs’ mobile device security review
Nicholas Percoco from Spider Labs presented an overview of mobile device security and reviewed several mobile attack scenarios. Some security issues highlighted include the following:
- Attackers can potentially access data on users’ devices.
- Apple IOS devices are vulnerable to jailbreak software and potentially to SSL man-in-the middle attacks on older versions.
- Androids are susceptible to root kits, malware, and focus stealing (where one application can steal a focus from another application).
In short, mobile platforms are not inherently secure. Troy Leach from PCICo announced that they have released a mobile payment best practice document that will provide guidance about securing cardholder data on general purpose devices, including transaction controls (e.g., cardholder data entering device, cardholder data stored in-device, and cardholder data leaving the device) and environmental controls (e.g., unauthorized access, remote management, strong host-side controls compliant with PCI DSS, and indication operating in secure state).
The learning continues…
The PCI Community Meeting gives us much to think about in the coming months. I look forward to your thoughts on these developments.