
The Logic Group Blog

Welcome to The Logic Group Blog, where our experts will share their views on customer interaction and give you their take on the industry developments affecting you today.

Well, as usual, I attended PCI London this week, probably my fourth or fifth over the years. As always it was very well attended, which was encouraging as it demonstrates that merchants, schemes and service providers continue to treat security seriously, even in these difficult times.


It has been interesting to see the changes in approach.


At my first one, the event had an educational bias: “What is PCI DSS, who does it impact, what does it mean?”


Then it moved to a more supplier-centric focus, with many presentations talking about technology and solutions that would allow a merchant to meet a variety of controls within the standard.


Over this and the last event in the summer of 2011, the focus has moved again: there has been a definite shift towards the data that would be considered within the scope of the assessment, and how to reduce the footprint of that data within the merchant environment. Indeed, we had a full house at the seminar I gave with our partners from Semafone, focussed directly on how to reduce the scope of an assessment when a merchant has multiple payment channels such as card present, e-commerce and call centre environments.


Alongside this, there has been a big push in the area of data discovery to help establish where the cardholder data actually is. I saw more people talking about PAN discovery than ever before, with a number of booths offering solutions in this area at various stages of maturity.


The talks themselves ranged in topic and quality, as they always do. This time there seemed to be more focus on merchants describing how to approach a PCI DSS programme. What was encouraging to see was a maturity of approach: moving away from treating compliance as a PCI project with a specific end date, after which all resources are released, towards a more holistic approach of developing a security architecture and security management system to meet, and continue to meet, compliance requirements including PCI DSS.


As always, there was an interesting approach taken by Barclaycard, talking about the new dimension and how this would encompass the CISO, and how the CISO role would move from a purely technical security perspective to becoming a business enabler, helping the business to achieve its aims in a secure and compliant manner. There was a lot of discussion about risk management and risk assessments and how these can be embedded within a PCI DSS model. As we all know, PCI DSS remains a prescriptive standard. However, the requirement for risk assessments has been raised to a milestone 1 control in the PCI DSS Prioritized Approach, which demonstrates how the PCI SSC is trying to incorporate risk modelling and assessments into the standard. This risk-based approach continues to be developed, and one of the PCI SSC Special Interest Groups is directly focussed on this particular issue. I think it will be a case of watch this space, to see what comes out of it.


With regard to The Logic Group and our stand at the event, we had many visitors to the stand, the majority of whom seemed very keen to discuss the Point-to-Point Encryption (P2PE) and hosted Paypage-type solutions on offer.


When people come back in a few years' time to reflect on the effect of PCI DSS within the UK, I suspect one of the findings will be that many merchants used the standard as a reason to move from an in-house to a managed service payment solution.


So, a successful day, and I suspect the next one later in the year will have further to say in these areas of defining and reducing scope, and of risk management and assessment for PCI DSS.


January 27, 2012