The Coalfire Blog

Welcome to the Coalfire Blog, a resource covering the most important issues in IT security and compliance. You'll also find information on Coalfire's insights into the unique cybersecurity issues that impact the industries we serve, including Cloud Service Providers, RetailFinancial Services, Healthcare, Higher Education, Payments, Government, Restaurants, and Utilities.

The Coalfire blog is written by the company's leadership team and our highly-credentialed security assessment experts. We look forward to your comments, so please join the conversation.

The Coalfire Blog

2013 PCI SSC European Community Meeting Wrap-Up

November 04, 2013, Andrew Barratt, Managing Director, Europe

Bookmark and Share

Andrew Barratt

Matt Getzleman – PCI Practice Director, Dan Fritsche – Director, Solution Validation, Andrew Barratt  - Managing Director UK, and Brian Pennington – Regional Sales Director, discuss the recent PCI SSC Community Meeting in Nice, France.

Matt: For our regular readers, we should introduce our European management team: Andrew Barratt and Brian Pennington. Andrew recently took on the role of our European Managing Director and Brian is our European Sales Director; both are well known faces in the information security world due to their regular involvement in the various communities that support the industry.

Matt: Andrew, the community meeting seems to have been a great success here showing off the breadth of standards the SSC is managing now as well as the cooperation with EMV Co.

Andrew: It has. The assessor pre-meeting is a great way to be able to catch up with the wider QSA community and to be able to discuss the standard directly with the PCI Security Standards Council (SSC).  The SSC is hugely receptive to feedback from those of us at the conference and it was great to hear the future updates to the current draft of version 3 are based directly on community feedback. 

Matt: Brian, the new revision of the standard and the SSC briefings gives us a lot to talk to our clients about and as we see them focusing on making the standard more business as usual and discuss common breaches.

Brian: It does, the changes and clarifications provide opportunities for our clients in both the merchant and service provider communities – technical solutions are becoming more mature and merchants have a much greater choice when it comes to implementation.  The role of our QSAs and P2PE QSAs are hugely important, especially when we look at our global reach.  Unfortunately the cyber criminals are adapting all the time and so the security standards must do the same.

Matt : Dan, I’ve not forgotten about you!  As you and Andrew hold the PCI-P2PE badges, what did you think about the difference between the U.S. and the European markets? 

Dan: Well, first, it’s great to see the impact that EMV chip and pin is having on reducing fraud rates out here but as Jeremy King mentioned in his speech, EMV is often very misunderstood. It’s just one part of the equation and has no impact on ecommerce/card not present trasactions, which is a much bigger concern in the fraud area in the U.S. The P2PE standards are complex and multi-faceted but complement both the chip and pin and swipe payment options very well.  When we are helping our clients with their P2PE road maps, it's vital we take the lessons learned in Europe back to the U.S. since during the EMV progress there's a good opportunity to implement and accredit PCI-P2PE solutions.
Matt: What about the P2PE solution provider listing announcement?

Dan: Well, I’m sure everyone is glad to see confirmation that it can be accomplished! P2PE is certainly a clearer fit in Europe since EMV is well in place, so it’s not surprising to see that a European company was the first to achieve this. Larger and more complex P2PE solution providers still face some challenges, but just as previous go-to-market standards continued to mature, we will see more solutions getting listed and eventually this excellent program and better technology will be available to more and more merchants.

Matt: And what about your continued passion for PA-DSS, anything interesting there?

Dan: Always! There are a few more technical changes than there were when 2.0 came out, so more merchants are likely to need to make changes than last time. Many clarifications on the various requirements were covered that should help software vendors understand what they need to do better, and help PA-QSAs do their jobs better as well. As with the DSS, I think we should all be on the lookout for another round of improving the detail and quality of how the software works and meets the requirements. This basically means that software vendors will need to be prepared to do more explaining and better documentation of how their applications work and how they are secured.

Matt : The SSC picked a great location this year, and it has given us a good chance to catch up with our European teammates.  When the final revision of version 3 is released we will keep you up to date with all the changes and what they mean.

Dan: Yes, it’s hard to complain much about being here! I hope others took advantage of the great availability of so many staff from both PCI and the various card brands, they need everyone’s direct input, and not only do they take it seriously, they also have great insights to share!

<< Go Back

Blog post currently doesn't have any comments.

Post Topics