Ground Labs at the PCI Security Council Asia-Pacific Community Meeting

The Ground Labs Team has traveled to over 7 payment card industry-related conferences this year, and it’s not just because we love racking up frequent flyer miles- for us, mingling with other members of the data security community and showcasing our products is one of our top priorities and one that we relish.

And it’s not been without purpose, either- at this year’s PCI Asia-Pacific Community Meeting held in Sydney, Australia, it seemed we have become something of a household name for many QSAs in the region. It was amazing talking to people who use our products on a frequent basis and hearing their inputs on how we can further improve upon our data discovery tools.

Of course, the main highlight of these events is the talks by distinguished members of the PCI Council, as well as data security experts from around the world.

As with all PCI Community Meetings, the key focus was the future of the payment card industry. Jeremy King, the International Director of the PCI Security Standards Council (PCI SSC), opened with a very stern, hard-hitting fact- that cybercriminals are much more focused and efficient than we are. While security is not a top priority for many of us, it is for criminals, which is why the good guys often find themselves on the losing end.

King also warned of the dangers of the world getting more connected, that the more of our gadgets and gizmos come equipped with chips and internet connectivity, the more at risk we are. Shara Evans, a Technology Futurist (how cool is that), backed up this fact, by delivering a flashy presentation showing off new emerging technologies and how they could pose a threat to security. Some examples include pacemakers that can potentially be dealt an 830v shock from 50m away and drone technology that can be used to spy on the public, even reading credit card details from the sky.

There was also a lot of talk revolving around the PCI Data Security Standard (PCI DSS). PCI SSC council members Troy Leach, Emma Sutcliffe and Gareth Bowker gave a shared presentation on the PCI Technology Update. One interesting statistic shared is that only 1 in 9 companies could meet PCI standards the year after they had been declared PCI compliant, which shows that more emphasis needs to be placed on maintaining compliance. Currently, many vendors are placing too much reliance on annual assessments, failing to adapt to new changes, and putting compliance aside to meet other business needs.

Chris Novak, the Managing Principal of Global Investigative Response from Verizon, further elaborated on the Verizon Data Breach Incident Report 2014 and included some most-welcomed additional statistics not included in the report. One of the things he said he hears often is that a lot of people who suffer breaches ask why they were targeted when their competitors seem to be more lucrative targets. Novak’s answer is simple: you were simply more vulnerable. 73-75% of breaches are opportunistic in nature, and hackers are not above going for low-hanging fruit.

One of the show highlights, though, had to have been the appearance of the new GM for the PCI Council, Stephen Orfei. Taking the stage to the tune of Eminem’s ‘Lose Yourself’, Stephen was quick to dismiss the notion of EMV chip cards as the silver bullet America is waiting for, and that card-not-present transactions are just as at risk as ever.

Orfei also addressed the demand for a PCI DSS for the mobile territory- while it’s incredibly difficult to create a standard for the platform, it’s one of their key focuses, and while a standard may be some time away, guidelines might be something closer in the horizon.

All in all, it was a great conference- we got to touch base with existing contacts, and make many new ones as well. We’re looking forward to next year’s PCI Asia Pacific Community Meeting in Tokyo so much, we’re picking up Japanese. こんにちは！