What You Need to Know from the North American PCI Community Meetings

Dan Fritsche, Principal, Retail and Financial Services

Too busy to attend the PCI Community Meetings this year? Coalfire has you covered with the top 6 things you need to know from the most important annual payments conference in the world.

#1: PCI DSS and Cloud – Navigating in Reduced Visibility – John Markh, Standards Manager at the PCI SSC, moderated a panel with Jonathan Christopherson, Principal Engineer at Target, and Tabitha Gallo, Senior Security Consultant at Herjavec. If one thing is clear, it’s that the Cloud is here to stay and needs to be understood in the context of the PCI requirements. As more companies migrate to the cloud, understanding how to best leverage it is becoming more important. The ability to understand key elements such as your responsibilities as well as those of the Cloud Service Provider (CSP) is critical. We are also seeing the implementation of more DevSecOps practices in Cloud deployments. These practices must be understood in the context of the PCI DSS and the intent of the requirements. Coalfire’s experience as the assessor for all of the major CSPs allows us to better understand the Cloud, the PCI responsibilities of the CSPs, as well as your responsibilities when leveraging the Cloud.

#2: State of the PCI Security Standards Council (SSC) – Lance Johnson, Executive Director of the SSC, shared not just where things stand today, but also his vision for the future of payments security at his first PCI Community Meeting. His vision is simple and clear: a payment ecosystem with no worries. This is accomplished by having the three following attributes for payments security:

  • Secure
  • Frictionless
  • Within 10 years

Key to success for this vision is an approach with global participation where collaboration from all parties is regular and insightful. Japan, India, and Brazil are all emerging markets to be added to existing ones.

#3: Women in PCI and Cybersecurity – The first of its kind at the community meetings, this panel shared excellent insights from some of the top women leaders in cybersecurity. Women comprise only 11 percent of the global information security workforce. The PCI community meetings are above this percentage – and the number is on the rise! Here are some valuable key points:

  • The best teams are diverse teams
  • Don’t undervalue your own thoughts - speak up
  • Always be optimistic, clear, concise, and confident
  • Understand the business

Emma Sutcliffe, Senior Director at the PCI SSC, moderated a panel with Gina Gobeyn, Chief Risk Management Officer at Discover, Stacy Hughes, SVP at Global Payments, Nancy Rodriguez, SVP at Wells Fargo, and Phyllis Woodruff, VP at Fiserv. Coalfire thanks these women for their leadership in cybersecurity! Coalfire has an association of women in cybersecurity and leadership called RISE (which stands for Recruit, Influence, Support, and Educate). Stacy Hughes has been a guest speaker at Coalfire RISE, and we look forward to the opportunity to hear from the rest of the women from this panel at future RISE meetings. If you’d like more info on RISE, please contact Anne.Bayerkohler@Coalfire.com.

#4: How Innovation Is Changing Payments Security (and Standards) – Troy Leach, Chief Technology Officer, shared his insights on the changing payments landscape. He highlighted how the PCI SSC’s scope has changed since 2006, from protecting just cardholder data and PINs to today’s continually changing and cutting-edge technologies such as mobile payments, tokenization, encryption, cloud services, and more. As the speed and accessibility of today’s smart technologies have continued to grow, the attack surface has also grown in ways that require the payments industry to keep pace and support both preventative and reactive security best practices. As far as future PCI DSS standards are concerned, the SSC is reviewing over 1,500 comments from the 750+ Participating Organizations to keep transparency in the process and inject as many real-world perspectives into the standard as possible. Small merchants should check out this recently published update on how the PCI SSC is supporting them.

#5: Proliferation of Point-to-Point Encryption (P2PE) – I had the honor of moderating a panel on one of my favorite topics, P2PE. P2PE has grown dramatically since 2012, and the adoption curve for the past few years shows a steep incline, indicating that we are finally reaching a point where anyone who wants to leverage the benefits of P2PE has viable options to match their business needs. Ruston Miles, Chief Strategy Officer at Bluefin, shared his perspectives on how things have changed between the P2PE 1.0 and 2.0 standards. The original struggles of understanding a new standard and meeting its requirements in the real world have been reduced for both service providers and merchants, allowing them to get the most security from their P2PE investments and focus back on running a successful business. Bill Bolton, VP of Information Technology at HoneyBaked Ham, was the pivot point of the panel, sharing his valuable perspectives as a merchant trying to run a business while seeing the benefits of doing things in a secure manner. Bill was able to implement P2PE in the 1.0 standard timeframe, and even under 2.0, the lessons of collaborating with trusted partners on both the service provider and the QSA side were very clear. As a merchant, if you have yet to make the move, now is the time; contact Coalfire to help you navigate the challenges and get the most out of a P2PE solution. If you are a P2PE service provider or are considering this path, Coalfire can help guide you along the way to achieving the certifications your business needs.

#6: How Industry Collaboration and Feedback Shape PCI SSC Programs – Mauro Lance, COO, discussed something Coalfire values highly: collaboration to improve the standards. Looking at the many programs that have been developed or updated recently, such as 3DS, QIR, the Associate Program, and the Global Executive Assessor Roundtable, it is clear that the SSC is open to input and feedback from multiple sources. As a QSAC that runs virtually every PCI SSC program available, we feel it is our duty to share our perspectives with the SSC in order to support their efforts to improve the standards to reflect the changing, real-world needs that merchants and service providers experience. Coalfire certainly uses our interactions with our customers to convey as much as possible, but whether you are a merchant, technology vendor, service provider, card brand, or any other entity involved with payments security, Coalfire urges you to stay involved and communicate your needs and challenges in ways that will help continue to move the standards forward in a positive way.

Still need more info? Check out these notable quotes and snippets:

  • Phishing attacks happen every 30 seconds - Angel Grant, Director, Identity, Fraud, and Risk Intelligence
  • NIST is currently working on quantum-safe cryptographic algorithms, which they expect to have in about three years. PCI SSC will continue to monitor the threats of quantum computers and any new algorithms in the future
  • The key to key length and key generation is having the appropriate amount of entropy and the appropriate amount of random numbers...pun intended - Steve Stevens, X9; Ralph Spencer Poore, PCI SSC
  • Segmentation testing of all out-of-scope network segments allows representative sampling to reduce pentesting costs - Phyllis Woodruff, VP, Fiserv
  • Strong passwords are no match for affordable password crackers. NIST 800-63B proposes an alternative – components that are under consideration for the next PCI DSS revision
  • Moving to the cloud improves security. The cloud allows us to update faster and patch faster! Cyberattacks will cost 6 trillion dollars by 2021 if we don’t change something - Eric O’Neill, Former FBI Counterintelligence Agent and Chief Strategy Officer at Carbon Black
  • Email is the root of all evil! No authentication of the sender, easily spoofed, and it brings out the worst in this introverted world by enabling people to avoid human interaction - Eric O’Neill, Former FBI Counterintelligence Agent and Chief Strategy Officer at Carbon Black
  • The future of payments: More than half of organizations will rely on the cloud by the end of the year - Troy Leach, PCI SSC
  • EMVCo, X9, NIST, and PCI SSC collaborate on standards to ensure management and references are relevant today and managed into the future. The real question is, how do we better leverage and start consolidating standards to simplify meeting multiple sets of requirements?
  • Almost half of all documents on the PCI SSC site are under two years old - 117 new documents!
  • 2,600,968,280 data records compromised in 2017 - Jeremy King, International Director, PCI SSC