Wednesday, February 10, 2010

ShmooCon 2010 – Our PCI DSS Panel

It goes without saying that our PCI DSS panel was – for me – the most fun part of ShmooCon 2010. Yes, spectator sports are OK, but the most fun is had when you are playing and kicking the ball – or balls, as the case may be in a heated discussion :-) So, Mike Dahn, Jack Daniel, Joshua Corman – over video Skype, since he got “snowed out” – and I got to play.

Everybody who’s been to ShmooCon can easily figure out that the audience there is extremely smart – I sensed there were no “security laggards” in the room. So what happens if you combine PCI and some smart security people? Rage! In fact, we had people from large merchants, QSAs, an issuing bank (!) and other organizations. I am amazed that even some non-PCI folks, who can’t tell a QSA from an SAQ, found the discussion enjoyable…

It was very interesting to watch the debate split into two distinct flows: “security vs prescriptive compliance” AND “fuck PCI, they [the brands] must fix the system.” The latter sentiment was very strong, like the Dark Side of the Force (even though there is absolutely nothing dark about it…). It ranged from “why don’t they fix it [the payment system]? they have billions in profit!” (naive) to “if 4 million people put Band-Aids on, is this a cure for cancer?” (philosophical). The impression that the PCI DSS approach is “too much work” even if good security results from it – which is …how should we put it… not always the case… was also represented. Given the circumstances, it is evident that the view that PCI DSS is many companies’ first encounter with real security management was, predictably, not very visible…

Also, I always felt for the issuing bank guys, since they were often left holding the bag for ignorant merchants (TJX anybody?) and unlucky processors or acquirers (Heartland anybody?). But I didn’t expect the issuers present to be so angry at the brands – and not at the merchants! Well, learn something new every day…

The other discussion was that even if “checklist security” is offensive to some people, it is the only way for many organizations to actually do something. A lot of “risk management stuff” just goes – whooosh! – over their heads. IMHO, this is still an unsolved problem.

Also, somebody very smart in a red blouse :-) said the following: even if we “do everything perfect with PCI DSS”, we will only solve the problem of cardholder data…not any other data (like SSNs or key IP) and not any other security issue. Indeed, if PCI DSS magically “just works” and payment card security “becomes 100% secure”, a lot of security work will remain. This is something useful to keep in mind.

I don’t remember signing any NDAs, so I will share some of the reviewer comments that I got from the ShmooCon feedback system (BTW, if you were at the show, please leave feedback!!):

“Best panel discussion of the con. You could tell there wasn't agreement amongst the panel but the disagreements weren't made personal. Mike and Josh did a great job in explaining their positions and Jack did a super job moderating.”

as well as:

“This dissolved in a religious argument 30 seconds into the talk.”

(in reality, it was maybe 20 minutes into the talk :-))

Overall, the panel was “awesome+”. We even took one question from the Internet, something I have not seen at other sessions. Looks like the live video feed was not broadcast in vain… So, watch the video when [correction: it appears that the correct word is “if” here…] it comes out – VERY fun!

BTW, I had a Eureka moment when I spoke to Josh after the panel – deep thought warning! – if we think that the only way to get some merchants to secure their systems is to force PCI DSS on them, then how can we expect them to do a good job with it and not just “check the box”? “Forced standards” and “doing a good job” are hardly compatible.

Finally, thanks to my publisher for providing a copy of the PCI book for the event. I had a chance to wave it at the audience a couple of times :-), but in all the excitement I completely forgot that I wanted to give it out via a contest (FAIL!). In any case, a well-deserving person got the book.

Dr Anton Chuvakin