A Thing
The Green SheetGreen Sheet

Friday, September 27, 2019

PCI SSC meeting energizes base

The PCI Security Standards Council’s annual North America Community Meeting, held Sept. 17 to 19, 2019, in Vancouver, B.C., drew more than 1,300 attendees. Top agenda items included upcoming releases of the PCI Standard for contactless payments on commercial off-the-shelf (COTS) mobile devices and PCI Data Security Standard Version 4.0 (PCI DSS 4.0).

In addition to continually updating security standards, the PCI SSC is promoting interaction and innovation among payments industry stakeholders, noted Troy Leach, chief technology officer. Recent efforts discussed at the meeting include a Request for Comment (RFC) process, currently employed in the PCI Data Security Security Standard Version 4.0 Request for Comments initiative; the PCI Software Security Framework, which supports agile innovation within approved process guidelines; and the P2PE Standard and Program.

“At last year’s community meeting, these new engagement models were still being designed and we had just created the framework for new areas of engagement,” Leach said. “Seeing the fruits of their labor has energized the industry.” He expects the newly implemented RFC process to improve collaboration when developing next-generation security standards for “a quickly changing world of payments.”


Participating members and attendees praised PCI DSS 4.0 and the Council’s renewed focus on collaboration.

Ruston Miles, chief strategy officer, executive vice president and founder at Bluefin, said PCI DSS 4.0 will be easier to understand and implement and “a significant upgrade to the standard in terms of usability and user experience.” Miles was also pleased that P2PE is a top-of-mind topic and becoming widely adopted at a growing pace. Reworking existing standards and organizational structures will improve the user experience, he added.

Marc Punzirudu, vice president, security consulting services at ControlScan, said, “PCI 4.0 will give entities that have established security programs the ability to perform alternative validation of controls.” This significantly improves the standard by replacing compensating controls with objective-based control tests, he stated.

“I’m also personally energized about the Small Merchant Taskforce I’m a part of, because we will be reviewing and commenting on the PCI 4.0 SAQs as they start getting developed,” added Chris Bucolo, vice president of market strategy at ControlScan. “In doing so, we have the opportunity to consolidate and streamline concepts where possible.”

Jen Stone, senior security analyst at SecurityMetrics, presented on formjacking, a cybercrime that intercepts web pages and payment forms. Malicious JavaScript code collects payment card numbers and other personally identifiable information and sends data to another location of the attackers’ choosing, she explained.

“A great part of collaborating with the Council is being able to talk about these trends,” she said. “Half a dozen security analysts came up after the presentation and said, ‘that was a great piece.’”

For further details, please visit www.pcisecuritystandards.org.

end of article

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

2024 2023 2022 2021 2020 2019 2018 2017 2016 2015 2014 2013 2012 2011 2010 2009 2008 2007
A Thing