Oct 6, 2008

North American PCI Community Meeting

We just got back from the North American PCI community meeting. The turnout was about double compared to the 2007 meeting, with all the major QSAs and many name brand retailers and banks in attendance, and the SSC has clearly achieved quite a bit in the last year. Changes in the new PCI DSS version 1.2 were discussed, the first in-person Special Interest Group (SIG) meetings took place, and there were even about 40 vendor exhibits. Branden Williams, Director of the PCI Practice at Verisign, and I sat down and talked about some of the trends and changes in DSS 1.2 (watch the video).

The exhibits were a great opportunity to meet face to face with top technical representatives from these vendors and QSAs. For them, it meant direct access to key influencers and decision-makers in the PCI community. An interesting note about the marketing banners: just about all of them claimed to have an easy PCI compliance solution. Of course, practitioners know there is no magical "PCI Compliance Solution" and that it is more of a process or journey where the multiple layers of details cannot be avoided. But clearly some marketers are going for the standard easy benefit-oriented taglines, because after all, a marketer's goal is to get you to stop and listen. We heard a lot of merchants and card brands talking about the challenge of getting that next layer of information, which was a great segue into what NSS Labs does to validate vendor product functionality and specifically how it relates to PCI DSS.

Vik and I are serving as secretary for the Wireless Security SIG, and I was honored to be able to address the community and provide an update on the SIG's activities. The goal of the SIGs is to make recommendations to the council, which will then review the recommendations, ask questions and render the final decisions. Without revealing too much, it is important to know that we are not taking a technology-centric approach that will make life harder for merchants. Rather, the SIG has decided to take a problem-oriented approach to the task, by focusing first on the problems we are trying to solve for specific groups of users, very similar to the methods taught by pragmatic marketing. So, Level 3 & 4 merchants who believe they do not have wireless in their network would be one use case; Level 1 & 2 merchants with known use of WiFi would be another. Of course there are many details, and there are sub-groups working on implementation guides and advanced technologies (like Bluetooth and satellite). If you're a participating organization and would like to 'participate', drop me a line - rmoy AT you know where.