
So for us, we've been working with this PCI standard for a long time. PCI DSS, its original incarnation, uh, was 2004, but before that there were other standards that kind of became what PCI is today. And it's a big year for PCI because it's a new version being released. So they switched; at the last time they did a release they said, "We're only releasing every three years now instead of every two years." So they lengthened the release cycle, which means that there's obviously potential for a lot more things to change and more stuff to get in there. And it is, it's a release year, so there's a lot of critical stuff that, you know, if you have to deal with PCI on a day-to-day basis, there are things that are going to change.

Um, so the biggest thing that I wanted to accomplish with this presentation was to provide some clarity around what's coming out in the new version of the PCI DSS. They have a very long rollout schedule, and it goes from August to November, where they slowly reveal what's behind the curtain. And as that happens, there's a large degree of uncertainty about how it's going to impact, um, your business, how you're going to adjust and react to it. And providing just a little bit of what we saw as the important parts of those changes, I thought, could help get some clarity for everybody who's out there to understand what they should focus on.

So, uh, 2.0 is active until the end of next year, so all this noise that we're making is so you can be ready on January 1, December, uh, sorry, January 1, 2015. There are some requirements that are best practice until July 2015. So really the issue is, like, if you have requirements to apply to the PCI, then you should be doing some sort of a gap analysis now, because you need to understand what changes you're going to have to implement over the next one to two years, so that when that actual assessment comes through you're able to do it.

I would say that, you know, PCI today is typically treated as something from a compliance standard, where, you know, "It's something I have to do, and I'm going to do the absolute minimum that I have to do in order to get by, and I'm going to, you know, look for assessors that, you know, are going to be the easiest pass, and I just don't want to do it at all." And while I would say that, you know, we see a lot of customers that do that, and, you know, as long as you're not the one that gets breached, then you're probably okay, I would say that there are a lot of better strategies: focusing on information security pieces, as well as focusing on outsourcing and, you know, other types of security things you can do to the credit card information so it's just not even a problem for you anymore.

I think the biggest advice that I would give someone is to make sure that you budget enough time to adjust to the changes. It's not something that is going to be done, uh, you know, in one day. There's going to be things that you're going to have to manage over the course of, uh, several weeks or a month in different projects that are going to spin off of this, and not to underestimate the time that it's going to take. While there may not be major technology changes that are going to be required, it is going to require time to administrate the changes that are in the new standard.