Since I missed all the PCI fun, all that remains is to aggregate other people’s posts, starting, of course from …
- … Branden Williams. His “Ask The Council” wonders why people go to the PCI Community meeting and then ask questions with the answer of “1. Read PCI DSS.” or “5. It’s on the website.” :-)
- “Observations from the PCI Security Standards Council’s Community Meeting” from my friends at AlertLogic.
- “Prepare Ye List Of PCI Grievances” is a pre-meeting post by Dave Taylor, worth a read. It has gems like: “Why is it that [issuing] banks say they don’t think they have to comply with PCI, when their debit cards are co-branded and carry the same risks of theft and even more risks to consumers.” Dave also has the second meeting post about the famous PwC reports: “The Two Scenarios Coming From The PWC PCI Report” (quote: “there were no reported fistfights” at the meeting); read the comments too.
- NetSPI folks add “Maturity and Convergence at the PCI-SSC Community Meeting” which mentions risk: “the focus on moving to more of a risk-based approach to implementing the PCI DSS. The council was only lukewarm to this idea […] Managing a risk-based approach may be something that is incorporated over time, but it adds too much subjectivity [A.C. – yes!] to the current PCI program.”
- Retail Payments blog adds (“Former Congressman Does Not See Federal PCI Legislation Likely”): “there is no benefit to any congressman in pushing cyber security legislation of any kind until there is some kind of cyber Armageddon” :-(
Enjoy! More will be added as they surface… please add them to the comments and I will move them to the main post.
Obligatory “added everywhere” posts :-)
- I am not at Qualys anymore and looking for the next big security idea to work on! Meanwhile, I might be available for fun consulting projects related to PCI, log management or other fun security and compliance things.