Report from the PCI SSC North American Community Meeting

Joseph Tinucci, Senior Director, Managed Services

The Payment Card Industry Security Standards Council (PCI DSS) held their 2015 North American Community Meeting this year in Vancouver, BC, from September  29 – October 1.  Coalfire was well represented at the meeting, with Dan Fritsche, Managing Director, Application Security, making two presentations at the event (Point-to-Point Encryption and Securing Virtual Payments).  Since I was also there, and I am a guest blogger for the Treasury Institute for Higher Education’s PCI DSS blog, I posted about the PCI DSS trends that I observed at the meeting.
In summary, the main themes that I heard were:

  • Risk, Risk, Risk – just about every speaker approached their topic from the perspective of managing and/or reducing risk.  This is an ongoing theme that will carry forward into future years.
  • Collaboration – working together with other organizations is the key to keeping up with the bad guys.
  • Incident Response – there was a lot of discussion of this topic, and I think that we will see more requirements around IR in coming versions of the DSS.
  • Segmentation – a fundamental scope-reduction technique that is receiving renewed emphasis.
  • Being Compliant Does NOT Equal Being Secure – this theme echoed over and over again throughout the meeting.
  • P2PE – this part of the industry finally appears to be developing useful products and solutions.

If you would like to read more, the full post can be found on the Institute’s blog at
Joseph D. Tinucci recently moved from the University of Colorado Treasury to Coalfire Systems. At CU Joe managed the PCI DSS compliance program for over 175 merchants across four campuses.  Now he is helping clients manage their compliance programs from the other side of the desk; he notes that it is a refreshing change of pace and duties to be on the "illuminating side" (as opposed to the “Dark Side”).

Joseph Tinucci


Joseph Tinucci — Senior Director, Managed Services

Recent Posts

Post Topics



Accounting Agency AICPA Assessment assessments ASV audit AWS AWS Certified Cloud Practitioner AWS Certs AWS Summit bitcoin Black Hat Black Hat 2017 blockchain Blueborne Breach BSides BSidesLV Burp BYOD California Consumer Privacy Act careers CCPA Chertoff CISO cloud CMMC CoalfireOne Compliance Covid-19 credit cards C-Store Culture Cyber cyber attacks Cyber Engineering cyber incident Cyber Risk cyber threats cyberchrime cyberinsurance cybersecurity danger Dangers Data DDoS DevOps DevSecOps DFARS DFARS 7012 diacap diarmf Digital Forensics DoD DRG DSS e-banking Education encryption engineering ePHI Equifax Europe EU-US Privacy Shield federal FedRAMP financial services FISMA Foglight forensics Gartner Report GDPR Google Cloud NEXT '18 government GRC hack hacker hacking Halloween Health Healthcare heartbleed Higher Education HIMSS HIPAA HITECH HITRUST HITRUST CSF Horror Incident Response interview IoT ISO IT JAB JSON keylogging Kubernetes Vulnerability labs LAN law firms leadership legal legislation merchant mobile NESA News NH-ISAC NIST NIST 800-171 NIST SP 800-171 NotPetya NRF NYCCR O365 OCR of P2PE PA DSS PA-DSS password passwords Payments PCI PCI DSS penetration Penetration Testing pentesting Petya/NotPetya PHI Phishing Phising policy POODLE PowerShell Presidential Executive Order Privacy program Ransomware Retail Risk RSA RSA 2019 Safe Harbor Scanning Scans scary security security. SOC SOC 2 social social engineering Spectre Splunk Spooky Spraying Attack SSAE State Stories Story test Testing theft Virtualization Visa vulnerability Vulnerability management web Wifi women XSS