Thursday, December 24, 2009

PCI: An Existential Threat To Security As We Know It?

I will be joining some very smart folks for a panel on PCI at Shmoocon next year.  Yes, PCI at a hacker con.  No, not a Pointy-Haired-Boss type presentation, but a panel discussion of PCI and its impact on our industry.  This is part of a larger effort to bring compliance issues to a broader audience, focused on PCI but with insights into the larger compliance realm; look for more presentations and some podcasts in the new year.  On this panel I will be joining Michael Dahn, Dr. Anton Chuvakin, and Joshua Corman to discuss everything from the origins of PCI through its unintended consequences to speculation about the future of PCI.

The abstract for this session:

Whether you love it, hate it, or are merely "friends with perks", compliance is significantly changing what we call security.  PCI has been accused of being the Spawn of Satan by some, and yet it has also been credited with advancing security by others.  This panel of PCI experts, analysts, and victims will discuss and argue the realities of PCI: its origins, goals, and consequences (intentional and otherwise).  PCI is having an impact on priorities, budgets, and personnel, which is being felt throughout the security industry.  Unfortunately, there have been few informed discussions of PCI and compliance issues in the technical ranks of the security community.  This panel will bring PCI subject matter experts with real-world experience to the technical security professional and hacker audience to discuss, engage, enrage, and argue about what may well be an existential threat to information security as we know it.  The diverse viewpoints and experiences of the panel members will guarantee a lively and often heated discussion, and will provide a broad base for fielding audience comments, questions, and criticisms.  Bring plenty of Shmooballs to this session; you will need all you can get.

As for Shmoocon in general: yes, there will be a Shmoobus.  Maybe more than one.  There will be great talks, great people, much hilarity, etc.  I hope to see you there.
Jack

4 comments:

Roland Dobbins said...

Not a single word about DDoS in the PCI spec whatsoever, just a totally iatrogenic mandate to put 'Web application firewalls' in front of Web servers processing credit cards - this provides no security value whatsoever as stateful inspection is impossible when every packet is unsolicited, and makes the security situation far worse, given the fact that the firewall will fall over due to state-table exhaustion far more easily than the hosts themselves.

Anonymous said...

DDOS falls within the "Availability" spectrum and therefore shouldn't be within the PCI spectrum. Also WAFs are NOT mandated but an option for those small merchants with limited security acumen.

Completely uninformed opinion by Roland.

Jack Daniel said...

I couldn't have arranged a better intro to the PCI events on the horizon than these two comments; thank you. There is a lot of incomplete and inaccurate information out there, and more may be subject to interpretation (or mis-interpretation). Our goal is to provide a venue for questions and answers, from a variety of perspectives.

Marc Massar said...

You might want to track down a man named Phil Mellinger on the history of PCI. He's the former CISO from First Data and worked with folks at the associations (Visa/MC) to create the "Digital Dozen" which in turn became Visa's CISP program. Phil is CEO at a company called Turiss I think.
http://www.turiss.com/
I worked with him at First Data and he has an interesting perspective on PCI.