After a tumultuous year and months of anticipation, RSI Security’s virtual PCI Expert Summit has come and gone. There were a plethora of speaker sessions, a virtual expo with our sponsors as well as a digital platform for online networking.
And with over 150 attendees, this year’s PCI Expert Summit was proof positive that organizations are taking cybersecurity and compliance more seriously than ever, even in the COVID-19 pandemic era.
In case you weren’t able to attend — or just want some insights into what’s new in PCI and cybersecurity — read on for highlights of our amazing event.
PCI Standards and Program Updates
RSI Security’s very own managing director John Shin provided a comprehensive update on what to expect from PCI 4.0 in 2021 and beyond. As part of his opening remarks for the event, John also shared key talking points from the recent PCI Community Meeting 2020. Some of the hot PCI topics on the horizon are card payments becoming even more reliant on software and how Gen Z will impact the future of payments.
John gave some key insights into the changes that will take place when PCI 4.0 rolls around next year. These include better guidance for passwords and multi-factor authentication security measures, as well as outcome-based testing. All told, John reassured attendees that PCI 4.0 will continue to meet the needs of the payment industry. Organizations should prepare to meet six core goals and 14 requirements under PCI 4.0.
Legal Implications of the PCI Standard
It’s easy to forget that PCI in and of itself isn’t an actual law. However, there are legal concepts and foundations that underpin PCI and that organizations should be aware of on some level. To clarify what PCI means from a legal standpoint, we were joined by Elaine Harwell from internationally recognized San Diego law firm Procopio. Elaine is senior counsel and heads up Procopio’s cybersecurity and privacy practice group.
During her session, Elaine explained that while the Payment Card Industry Data Security Standard (PCI DSS) isn’t a law, it operates in a similar fashion. The main legal framework that businesses should be aware of is that PCI is part of a contractual relationship between merchants, vendors and payment processors. Every entity along the value chain has a contractual obligation to protect payment card data.
In essence, PCI is a security standard that now functions as law in a de facto sense. Companies should consider how security and compliance decisions may be viewed in a court of law, and encourage collaboration between information security and legal teams.
Using Cyber AI for Security and Compliance
One of the biggest advances in cybersecurity is coming in the form of Artificial Intelligence (AI) applications. And as workforces become increasingly dynamic with collaboration platforms, cloud computing and smart devices, AI is becoming a key player in securing entire business ecosystems. That’s why David Masson — director of enterprise security at DarkTrace — joined the PCI Expert Summit to explain how.
In this session, Masson went into why organizations should adopt a privacy- and regulation-first framework prior to implementing AI. He also offered insights into how AI-powered cyber defense provides organizations with technologies and tactics that help prevent the most devastating varieties of cyberattacks. Masson went on to explain how cyber AI supports compliance with regulations like the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR), and the New York State Department of Financial Services Regulations.
Keynote: Offensive Security for Compliance
The concept of offensive security isn’t new. But applying the concept to compliance obligations is relatively innovative. That’s the topic that Rapid7’s senior director Scott King focused on during our keynote speech. Traditionally, compliance needs for penetration testing have been met with fairly commoditized approaches using automated, scripted tools and basic human analysis.
But what King recommends is a process integration approach that melds change and asset management with compliance and auditing. Offensive security employs professional hackers who mimic real-world attacks. It’s not just about meeting compliance obligations; more importantly, it shows where your business could fall victim to operational disruptions, fines, and negative publicity.
We want to thank all of our sponsors, speakers and attendees who made the first-ever virtual PCI Expert Summit a raging success. Security and compliance are more front-and-center than ever, especially when it comes to online payments and the payment card industry. At RSI Security, we’re just grateful to be a key part of forming a strong PCI community in the Southern California area and beyond.