I went to a mini-conference on PCI DSS today in Dallas (it was put on by a vendor partner of ours, but was surprisingly vendor agnostic). Anyway, I got some impressions from the speakers that I would like to share.
One of the keynote speakers was Bob Russo, the General Manager of the PCI Security Standards Council. He was a good speaker, and he obviously knows the subject matter very well. One of the things he and an audience member discussed was manufacturers claiming PCI compliance for their products. He really seemed to disdain that practice, and he was quick to point out that no technology can equal compliance by itself.
He also mentioned the new PED (PIN Entry Device) standards that are coming out soon. Also, the PABP (Payment Application Best Practices) standard is becoming PA-DSS, the Payment Application Data Security Standard. I don't have much to say about those. Just thought they were interesting.
What a lot of people were griping about is that they still had to meet the individual card brands' standards as well as PCI DSS, and they were wondering when it would all become one. Mr. Russo did not have an answer for that, but he did not try to avoid the question. He conceded that it was a good question. He simply did not know.
There was a lawyer from the FTC there to discuss the law and how it applied to these standards. Basically, she just stood there and said we should follow best security practices with all our data, and if we don't we could get in trouble with the feds. Fairly boring all around. She read from a script and never moved from behind the podium (obviously not a trial lawyer).
Anyway, I wasn’t especially moved by anything that was said, though there was some good discussion between speakers and audience. Just thought I would share and see if anyone had some comments.