Back on the 27th of January our team attended the PCI London conference held at the Victoria Park Plaza hotel. The event was a complete success with over 300 delegates in attendance from a broad variety of merchants, service providers, schemes, acquirers and vendors.
The format of the day included a mix of presentations, education seminars, networking opportunities and a general vendor showcase floor that enabled organisations to learn about the latest technologies and services available to assist in maintaining PCI compliance.
Some of the presenters included Jason Woods from Virgin Atlantic Airways and Phil Davies from Aviva UK who offered interesting stories on their experience with achieving PCI compliance and the challenges faced when maintaining compliance within larger corporate environments.
Other areas covered throughout the day included tokenization, proactive compliance management, key management, cloud security for payments, proper scoping, secure systems development, PCI DSS 2.0 and the PCI compliance challenges faced by contact (call) centres.
The conference was also fortunate to attract Steven Elefant, CIO of Heartland Payment Systems, who offered further insight into the cause of Heartland’s widely publicised breach back in 2008. Steven also went on to highlight Heartland’s PCI compliance initiatives since the breach, in particular the development of their E3 end-to-end encryption technology within card processing terminals, which has been offered to their merchant customer base at no additional charge. Heartland sent a valuable message to the audience that being open and transparent in the event of a breach can offer a positive way to move forward if it is handled in the right way.
Ground Labs’ Director of Corporate Development, Stephen Cavey, provided an educational presentation that leveraged Ground Labs’ core expertise in understanding where cardholder data often hides within corporate environments that have traditionally stored, transmitted or processed cardholder data. Unfortunately this is a major area that was traditionally overlooked by merchants (and in some cases, their QSAs) due to the lack of adequate or affordable tools to achieve this very specific task.
The response from the audience was very positive and highlighted the fact that many organisations are beginning to understand the importance of searching for rogue storage of cardholder data when both achieving PCI Compliance for the first time and monitoring compliance over the longer term. Some of the cardholder data storage locations discussed include emails, temporary files, log files, databases and legacy systems.
The presentation also highlighted PCI DSS 2.0 and its revised approach to scoping a cardholder data environment, with the view that a QSA must now assume a customer’s entire environment is in scope until such time as areas of the environment can be proven to be out of scope. This is different from the approach traditionally taken under PCI DSS 1.2, where a QSA would normally rely on information supplied by the organisation to determine the size of the scope.
One simple way of establishing solid proof that non-compliant handling of CHD does not exist is to perform cardholder data discovery on out-of-scope systems and ensure the results are retained as evidence. Ultimately we always recommend seeking guidance from your QSA with respect to their preferred approach in establishing PCI Compliance scope each year and the type of evidence they are willing to accept when signing off a PCI Report on Compliance.
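The discovery-and-evidence approach described above, as an added example that is not Ground Labs’ own product or code: a small Python scanner that walks a directory tree, flags 13 to 19 digit runs that pass the Luhn check (the candidate regex, the separator handling and the Luhn filter are this example’s assumptions about what “cardholder data discovery” needs to do, not a description of any particular tool), masks each hit to the first six and last four digits, and writes a hashed JSON evidence record of what was scanned. The sample log, e-mail and temp files are constructed inline and use only publicly known test card numbers.

```python
"""Cardholder data (PAN) discovery over a directory tree, with an evidence record.

Added example, not Ground Labs' product or code. Assumptions: files are
text-like; candidates are 13-19 digit runs optionally separated by single
spaces or dashes; a Luhn check filters most non-card numbers (order ids,
timestamps). Sample files are constructed below using public *test* PANs.
"""
import hashlib
import json
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# 13-19 digits, optional space/dash between digits, not embedded in a longer digit run
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits (the PCI DSS display rule); mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list:
    """Return Luhn-valid PAN candidates found in text, with separators stripped."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_file(path: Path) -> dict:
    """Scan one file; record its hash and masked hits so the result can serve as evidence."""
    data = path.read_bytes()
    pans = find_pans(data.decode("utf-8", errors="replace"))
    return {
        "file": str(path),
        "sha256": hashlib.sha256(data).hexdigest(),
        "pan_count": len(pans),
        "masked_pans": [mask_pan(p) for p in pans],
        "scanned_at": datetime.now(timezone.utc).isoformat(),
    }


def scan_tree(root: Path) -> list:
    """Scan every regular file under root; sorted so the evidence record is stable."""
    return [scan_file(p) for p in sorted(root.rglob("*")) if p.is_file()]


def write_evidence(results: list, out_path: Path) -> str:
    """Persist the scan results as JSON and return the SHA-256 of the evidence file."""
    out_path.write_text(json.dumps(results, indent=2))
    return hashlib.sha256(out_path.read_bytes()).hexdigest()


def build_sample_tree() -> Path:
    """Constructed sample data: a log, an e-mail and a temp file (public test PANs only)."""
    root = Path(tempfile.mkdtemp(prefix="chd_scan_"))
    (root / "logs").mkdir()
    (root / "logs" / "app.log").write_text(
        "2011-01-27 10:02:11 INFO order=1234567890123456 card=4111111111111111 status=ok\n"
    )
    (root / "mail").mkdir()
    (root / "mail" / "refund.eml").write_text(
        "Subject: refund\n\nPlease refund 3782 822463 10005 and 5555-5555-5555-4444. Thanks.\n"
    )
    (root / "tmp.txt").write_text("session 9876543210 no card data here\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    results = scan_tree(root)
    for r in results:
        print(r["file"], r["pan_count"], r["masked_pans"])
    print("evidence sha256:", write_evidence(results, root / "evidence.json"))
```

The order number in the log line is the same length as a card number but fails the Luhn check, which is why the scanner reports one hit for that file rather than two; a real discovery run would add further filters (issuer prefixes, context keywords) to cut false positives, and would keep the evidence file on a system outside the environment being attested. Only masked values ever reach the evidence record, so the record itself does not become a new store of cardholder data.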
Overall, PCI London was a well run conference, with high levels of positive feedback from delegates confirming the quality of the information on offer throughout the day. We must compliment the event organisers, AKJ Associates, on their execution of this event whilst ensuring the conference delivered educational and practical advice to delegates for their PCI compliance programmes.
The next PCI London event will be held on the 6th of July 2011 and there is no charge for delegates who attend. More information is available here.