PCI SSC Announces Keynote Speakers for 2013 Community Meetings
This morning, the Payment Card Industry Security Standards Council (PCI SSC) announced the keynote speakers for its 2013 Community Meetings for North America, Europe and Asia-Pacific. Jacob Ansari, our very own Director of Technical Services here at 403 Labs, will be giving a keynote talk on forensics at both the North American and European Community Meetings.
Jacob A. Ansari will tap into his extensive experience managing forensic investigation procedures and security and compliance assessments to discuss payment data breach prevention and recovery methods to help merchants avoid substantial drains on their resources.
Here is some additional information on the forensics update that Jacob will be presenting:
Merchants face significant cost challenges after experiencing a breach of payment data. Between the forensic investigations, remediation efforts and potential fines and penalties, the financial burden can be devastating. This session will outline ideas for a more complete solution focused on better breach prevention and recovery methods to help merchants avoid substantial drains on their resources.
403 Labs is excited for the opportunity to have a member of our work family offer insight on the important topic of forensics to the PCI community. We’re also looking forward to hearing the other great speakers and presentations, meeting with clients and colleagues and connecting with some new people.
We’ll see you September 24–26 in Las Vegas, Nevada and October 29–31 in Nice, France!
Questions for the PCI SSC? Register for the Open Mic Series
Participating Organizations interested in getting a peek at what’s in store for 2012 will have their chance during the PCI Security Standards Council’s Open Mic sessions. POs will want to check their email for an announcement from the Council. Attendees can learn about:
How to submit feedback on the PCI Standards
Ways to get involved in Special Interest Groups
PCI Training opportunities
The sessions are to be followed by live Q&A with representatives from the Council.
The Council is offering two sessions: one on Monday, December 12 at 10AM CT and the other on Wednesday, December 14 at 2PM CT. Again, POs will want to check their email, as the Council’s message includes the access code to register for a session.
PCI DSS v2.0 Comment Period Is Now Open
PCI 2.0 is not only here, but we are already entering the official feedback period.
The formal feedback period for both PCI DSS and PA-DSS opened November 1. Any Participating Organization (PO) can provide comments on any of the requirements. In particular, the PCI Council is asking for your feedback on what issues or problems you have had meeting the standards, any clarification you would like to see, and especially any changes or enhancements that are needed to the standards.
If your organization is a PO, then your primary representative received an email announcing the opening of the official comment period. Your representative also received instructions to go to the Council’s web portal where they will find a spreadsheet containing the standards.
This spreadsheet allows your organization to make comments alongside the particular requirement. The process makes it much easier for you, and a whole lot easier for the Council to see quickly what areas of each standard are attracting the most comments.
Comments from merchants, service providers, and vendors who implement the new standards are important. While the current versions of both PCI DSS and PA-DSS have a three-year life, there is room for (and we can expect!) interim updates and changes to reflect both new security threats and industry feedback.
Now is a good time to begin documenting your experiences with PCI 2.0 and providing that feedback to the PCI Council.

Special Interest Group Voting Now Open
Voting is now open to decide which PCI Security Standards Council (PCI SSC) Special Interest Groups (SIGs) you want in 2012. Your vote is important, and the choices include both business- and technical-focused topics, so you will want to include all affected parts of your organization in your decision process.
The SIGs are important to every merchant and processor (and QSA, too). Each SIG – composed of volunteers from across the PCI ecosystem – researches a particular issue and develops written guidance and/or best practices to help manage PCI compliance. Past SIGs addressed wireless networking, virtualization, the EMV standard, tokenization, and point-to-point encryption.
There will be three SIGs selected in 2012. Seven topics are nominated, and the selection of the three will be based on votes of Participating Organizations (POs). Merchants and processors that are POs should have received email notification of the voting procedure, together with a link to the Council’s PO portal containing videos of the presentations as well as the ballot.
Every merchant and processor will cast a (weighted) vote for their first, second, and third choice. Because of the range of nominated topics, I humbly suggest gathering together representatives of your business, IT, and security teams to make a joint decision reflecting the needs of your entire organization.
This vote is your chance to directly affect where the PCI Council focuses its resources. If you are reading this and your company is not a PO, this might be the nudge you need to get you to join the 650 POs and have your voice heard.
So stop reading, find that email from the Council, log on to the PO Portal, and gather your colleagues to watch the videos (they are only about 10 minutes each). Then cast your vote before voting ends on November 4.
PCI DSS Tokenization Buyer’s Guide Available Now
Tokenization is a technology that can – if properly implemented – reduce a merchant’s PCI scope. It does this by replacing primary account number (PAN) data with surrogate (or “token”) values in merchants’ systems and applications. The result is that the merchant can potentially remove the systems that handle only tokens from their PCI scope. This scope reduction can reduce the cost and effort to become PCI compliant.
The big question has always been: What is the “proper” way to implement tokenization? In a previous post here on the 403 Labs Blog, I wrote about the PCI Council’s Tokenization Guidance document. That document is a great place to start.
Most merchants will want more specific information on implementing a tokenization solution or choosing a tokenization vendor. That is why we were so excited at the opportunity to do some research and bring you this Tokenization Buyer’s Guide.
In response to the market need, and in conjunction with Intel Corporation, 403 Labs prepared a Tokenization Buyer’s Guide to help merchants decide whether tokenization is right for them, and if it is, how best they should implement it. Intel sponsored the research, but the Tokenization Buyer’s Guide is an independent, vendor-neutral, and technology-neutral white paper. We insisted on – and were given – complete editorial control so we could focus on the technology and not any single implementation or vendor. You can download a copy of the white paper via Intel’s site.
Have a look and let us know if you find it helpful.
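To make the scope-reduction mechanism described in this post concrete, here is an added example (not code from 403 Labs, Intel, or the PCI Council’s guidance) of a minimal tokenization vault: the vault is the only component that ever holds PAN, tokens are random values that cannot be reversed without the vault, and the merchant’s order system stores only tokens and a display fragment. The class and function names are illustrative, and the PAN used in the check at the end is the constructed test number 4111 1111 1111 1111.

```python
import secrets

def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test; rejects malformed PANs before they reach the vault."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """The one in-scope component: PAN lives only here. Tokens are random
    values, so nothing about the PAN can be recovered from a token alone."""
    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        if pan not in self._token_by_pan:   # same PAN -> same token (recurring billing)
            token = "tok_" + secrets.token_hex(12)  # prefix keeps it from looking like a PAN
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        return self._token_by_pan[pan]

    def detokenize(self, token: str) -> str:
        # Only the payment gateway integration should be permitted to call this.
        return self._pan_by_token[token]

class OrderSystem:
    """Merchant system that stores only tokens and the last four digits, never the PAN."""
    def __init__(self, vault: TokenVault):
        self.vault = vault
        self.orders = []

    def record_sale(self, order_id: str, pan: str, amount: float) -> dict:
        record = {"order": order_id, "token": self.vault.tokenize(pan),
                  "last4": pan[-4:], "amount": amount}
        self.orders.append(record)
        return record

def stores_no_pan(system: OrderSystem) -> bool:
    """Scope check: no stored field may itself look like a full PAN (13+ digits)."""
    return not any(str(v).isdigit() and len(str(v)) >= 13
                   for rec in system.orders for v in rec.values())

if __name__ == "__main__":
    vault = TokenVault()
    shop = OrderSystem(vault)
    print(shop.record_sale("order-1", "4111111111111111", 19.99), stores_no_pan(shop))
```

The vault itself remains fully in scope; the point is that systems like `OrderSystem`, which never see a PAN, are candidates for scope reduction.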
PCI DSS Wireless Guidelines Updated for WiFi and Bluetooth
The PCI Council has just released an updated version of its PCI DSS Wireless Guidelines Information Supplement. This updated publication reflects the efforts of both the Wireless Special Interest Group (SIG) and the PCI Council’s staff.
The updated document includes details on scoping and securing both WiFi and Bluetooth networks. It also has useful guidance on meeting PCI Requirement 11.1: Testing for Unauthorized Access Points.
We recommend every merchant read this document. Even if you intentionally don’t use wireless at all, you still need to verify that such wireless networks have not been introduced into your network, either by bad guys, a compromised internal staff member, or a staff member who brings one in for “productivity.”