As you know, I gave a keynote presentation at PCI DSS Workshop 2010 by Treasury Institute for Higher Education (the other keynote being Bob Russo, naturally :-)). Addressing an audience of about 130 mostly University IT, IT security and finance (!) professionals in charge of their payment and PCI DSS programs was a fun challenge. The slides are embedded below – I seriously consider it to be my best PCI presentation ever… mmm… to date.
(I suspect some of the things I had to invent for this presentation – e.g. “the kitten bit” – will end up on Twitter pretty soon :-))
The workshop was also pretty educational for me, since I learned how PCI DSS is really done in the most challenging environments possible – large Universities with hundreds of merchant IDs, every possible card acceptance method, wayward academics, general skepticism for policies and mandates, desire for “openness” (aka come-take-our-PANs-SSNs-medical-records-kinda-openness…), lack of centralized control and (sad and unjustified, but frequent) disdain for central IT groups.
On the other hand, I was amazed to learn that many Universities do not need any extra pushing and hand-wringing to treat PCI DSS and payment security as … gasp!… a business problem. As I mentioned above, the audience at a PCI Workshop was only about 30% IT and IT security with 70% finance/treasury folks responsible for PCI DSS compliance (there were also 2 stray auditors in the room).
So, the second day keynote was given by Bob Russo, who is definitely known for putting up a good show (and, nowadays, song and dance!). A new bit for me was the establishment of ISAs – Internal Security Assessors – and upcoming ISA training by the Council. He also reiterated that PCI DSS “1.3” (October 2010) won’t have massive changes, but mostly additional clarifying guidance, produced by SIGs, will be released at or before that date.
Also, I was involved in the “PCI Experts Panel” with Bob Russo and representatives from Elavon and Fifth Third Processing Solutions. We covered many fun questions (some of which sure made my head spin… we are talking deep PCI esoterica here). I was kinda surprised to learn that people still ask whether encrypted data needs to be protected, even though it is answered in the official PCI DSS FAQ.
P.S. WTH is “a kitten bit”? I coined the following phrase for this presentation: “Every time you think ‘PCI DSS OR security,’ god kills a kitten!”