PCI Expert Summit 2019: Event Recap

RSI Security

5 years ago

RSI Security’s first-ever PCI Expert Summit is in the books, and we couldn’t be happier about how things turned out!

Marina Village Conference Center – San Diego, California

On October 2nd we were joined by four speakers, a number of sponsors, an expert panel, and over 70 attendees to begin the process of building a strong, vibrant PCI compliance community in the Southern California area. The event took place at the beautiful Marina Village Conference Center in San Diego.

“I found the event to be very informative. It was also nice to be around other folks I’ve worked with previously but haven’t actually met in person. It was definitely worth the time coming down for what I hope to be the first of many future RSI Summits,” said Gurpal Singh, head of compliance at Finix Payments.

From surviving a PCI assessment to working with a qualified security assessor (QSA) to comply with the newest updates, here are a few highlights from our first annual PCI Expert Summit.

Cybersecurity Forensics from the FBI

The most basic step towards PCI compliance is securing critical data and systems against potential cyber threats, both external and internal.

That’s precisely why we brought in experienced FBI cybersecurity forensics expert Tim Hammond to provide attendees with his real-world insights into how cybercrimes are investigated.

Tim broke down a true-to-life story of a cyber breach that he investigated while at the FBI and how a forensic investigation actually takes place. In the end, attendees learned that investigations into breaches can lead just about anywhere – including to people within your organization that you least expect.

Surviving a PCI Zombie Apocalypse

Tim was followed by our second speaker, Jessica Sica, who gave attendees a detailed and informative breakdown about how to survive a PCI DSS assessment at their own organizations.

As the information security director at Petco, Jessica has years of experience working with PCI compliance and meeting overall security standards and compares PCI compliance to surviving a Zombie Apocalypse.

Some of Jessica’s key recommendations:

Preparation: Decide whether or not you need a PCI readiness assessment, know how they work, and invest time early on in selecting the right auditor.

Have a Plan: Come up with a one-year action plan to put all the proper security measures in place from WiFi scans to penetration tests. Inform staff in advance, let partners know what to expect and know how to respond to gaps.

Zombie (Audit) Proof Yourself: Gather the right documentation, and do everything you can to “audit proof” yourself.

Get Physically Involved: Appoint an Internal Security Assessor (ISA) and be closely involved with them by asking questions and not making any assumptions about your readiness.

Know “First Aid” Basics: Make sure you have the right compensating controls that cover outsourced payment processing, network access controls, encryption and tokenization, data loss, and leak prevention.

Buddy Up!: Like in a Zombie Apocalypse, you don’t want to be wandering the wilderness alone. Buddy up with the right business partners, mentors, industry leaders, and vendors as an essential part of your PCI assessment survival.

Aim for the Brain: If you get attacked by a “Zombie” assessor that might not know what they’re doing, double-check their work and get their boss on the line. Don’t be afraid to get a new QSA next time.

PCI Compliance and the Cloud

As one of the largest financial software companies in the world, Intuit takes PCI compliance and cybersecurity extremely serious. Edward Asante, PCI ISA and Staff Technical Compliance Program Manager at Intuit, gave attendees a glimpse at how they handle PCI compliance in the cloud.

“You have to approach cloud PCI assessments differently. You may need to put some compensating controls in place, and definitely bring your whole team together to get everyone on the same page,” says Asante.

Here are some nuances that Edward said companies should be aware of when undergoing a PCI assessment if the majority of data and systems live in the cloud:

Compensating controls may be required based on how services are implemented
Know who is involved in the assessment, both internally and with your cloud provider
Prime the pump with a pre-assessment to ensure the assessment goes smoothly
Get to a repeatable stable state to minimize headaches with the QSA

Updates to PCI Program Standards

RSI Security’s own managing director John Shin closed out the speaker sessions by providing some key PCI updates as it relates to program standards coming around the pike in 2020 and beyond. Many of these updates came out of the recent PCI Community meeting in Vancouver, including changes in PCI DSS 4.0 which is scheduled to be published and finalized by Q4 of this year.

“Some of the main goals of PCI 4.0 are to continually ensure the security needs of the payment industry, and to add a layer of flexibility on top of what already exists,” John explained. “It’s also designed to support additional methods of control validation.”

John also dove into the release of Verizon’s annual Data Breach Investigation Report, and what its findings will mean to PCI compliance and the payment industry at large.

“One of the key highlights of this report is that C-Level executives are 12-times as likely to be the target of attacks than others within an organization,” said John. “And over the past twelve months, there’s been an 18 percent increase in social engineering attacks.”

According to John, financial gain still remains the top motivational incentive for threat actors. External threat actors are still the primary force behind attacks – 69 percent of breaches – with insiders accounting for 34 percent.

Overall, John recommends that organizations take a close look at changes specifically in standards 6, 8, 10, and 11. The causes of breaches have – and will continue to – remain constant over time, and John advises a relentless focus on PCI and cybersecurity essentials to shore up your critical payment data and systems.

Q&A with our PCI Expert Panel

The formalities at the PCI Expert Summit concluded with an interactive Q&A session involving an esteemed panel of experts that were kind enough to join us. They fielded questions about everything from biometrics and passwords to legal and regulatory changes that will affect PCI compliance moving forward:

Kim Lamoureux, CISA – Sr. Security Analyst at Sony PlayStation
Victor Gamra, CISM, CISSP, and PCIP – Chief Technology Officer at FortifyData
Steve Levinson, CISSP – Vice President & Chief Security Officer at Online Business System
Andrew Serwin – Partner at DLA Piper Law Firm & Co-Chair at Global Cybersecurity Practice
Kyle Ngo – PCIP, CISA, CRISC, CRMA, IT GRC Professional
Dan Clarke — President at IntraEdge

From left to right: Dan, Andrew, Victor, Kim, Steve, Kyle

We also want to thank our wonderful sponsors for showing up to the event and making it such a rousing success: Darktrace, Birdrock Systems, Fortifydata, Truyo, and Keyfactor.

Looking Forward

There’s simply no way around it: the first-ever PCI Expert Summit went above and beyond our expectations. We want to thank everyone from our speakers and panelists to our sponsors, attendees, and the entire RSI Security family for bringing everything together. We certainly had a blast, and can’t want to see what the 2020 version of the PCI Expert Summit will have in store.

Cheers!

Do you need help with your upcoming PCI assessment? RSI Security is a Qualified Security Assessor (QSA) and an Approved Scanning Vendor (ASV) with over 10 years of experience as top-of-the-line service providers. Let’s get started!

Speak with a PCI compliance expert today!

Download Our PCI DSS Checklist

Assess where your organization currently stands with being PCI DSS compliant by completing this checklist. Upon filling out this brief form you will receive the checklist via email.