Secure Payments, PCI DSS, Regulatory Compliance Blog

Treasury Institute PCI workshop

May 7th, 2008 by admin Posted in Conferences

I got back last night from presenting at the Treasury Institute PCI Workshop that Walt Conway puts on every year. It was a great success with over 130 participants from just about every major university and higher education facility. It was nice meeting both TouchNet and infiNET, sponsors of the event and companies for which I performed their first PCI assessment many years ago. I also saw Breach Security, a sponsor and a company that helps prevent bad things from happening.

I gave a presentation titled “Heroes, Chorus Lines, and Community”. In short, the three parts translate into:

  • Heroes: those who have validated compliance, and their foes being those who have not. Let’s first define the difference between compliance and validation, and then look beyond simply achieving validation and determine how you got there.
  • Chorus Lines: The chorus lines are things we remember but how many of us remember the verses? We all know the details of compliance (i.e. requirements 1-12) but do we understand the intent and nuances of these?  Are we looking at the big picture or still asking, “what is a system-level object?” Also, have we moved beyond simple risk management to a state of Attack Vector based Risk Management (AVRM)?  This is where we look at how attacks occur and use that information to better allocate capital resources to mitigation measures.
  • Communities: I highlight the importance of knowing who to trust and how to build trusted relationships in order to increase the flow of information and keep the signal-to-noise ratio in your favor. “Trust is the only real currency” is the mantra of this section, and we outline a few communities for you to follow: SPSP, blogs, podcasts. But most important is meeting others who are in the same situation and keeping in touch so you can do a sanity check on your status and actions.

This event was focused on the implementation of PCI DSS compliance projects for Higher Education. In between were presentations such as mine, those from Benita Kahn on the legal aspects of PCI, and Bob Russo, Chairman of the PCI SSC.
