Listen to learn about the many different PCI standards, as well as receive tips from the PCI Council.
"The PCI Security Standards Council oversees a lot more standards than just PCI DSS. The council is very much involved with the payment lifecycle. We have standards to ensure the security of card data from start to finish."
There are many standards out there to ensure the security of card data - each with a specific target to protect. Tune in this week as Jen Stone (MCIS, CISSP, CISA, QSA) and Jeremy King (Regional Head for Europe at PCI Security Standards Council) give you the entire rundown of all the PCI standards, as well as tips from the PCI Council.
Download our Guide to HIPAA Compliance! - https://www.securitymetrics.com/lp/hipaa/hipaa-guide
Download our Guide to PCI Compliance! - https://www.securitymetrics.com/lp/pci/pci-guide
Watch our free cybersecurity and compliance conference - www.securitymetrics.com/summit
[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.
Hello, and welcome back to the SecurityMetrics podcast. My name is Jen Stone. I'm one of the principal security analysts here at SecurityMetrics. Very excited about the topic today because so many of our listeners deal with credit card data protection and are familiar with PCI.
But there's a lot more to the PCI standards than what a lot of people are most familiar with. And so today, I'm going to have with me Jeremy King, the regional head for Europe at PCI Security Standards Council, to talk to us about the breadth of programs offered by PCI. Let me give you a little bit of an intro on what that is. The PCI Security Standards Council, or PCI SSC, is a global forum that brings together payments industry stakeholders to develop and drive adoption of data security standards and resources for safe payments worldwide.
PCI security standards are developed specifically to protect payment account data throughout the payment life cycle and to enable technology solutions that devalue this data and remove the incentive for criminals to steal it. They include standards for merchants, service providers, and financial institutions on security practices, technologies, and processes, and standards for developers and vendors for creating secure payment products and solutions. Today, I'm happy to be able to talk to Jeremy King who will help us understand what PCI is all about and some of the programs and resources they offer.
Jeremy King leads the PCI Council's efforts in increasing adoption and awareness of the PCI security standards internationally.
In this role, Mr. King works closely with the council and representatives of its policy-setting executive committee from American Express, Discover, JCB International, Mastercard, UnionPay, and Visa. His chief responsibilities include gathering feedback from the merchant and vendor community, coordinating research and analysis of PCI SSC managed standards throughout European markets, driving education efforts and council membership recruitment through active involvement in local and regional events, industry conferences, and meetings with key stakeholders. He also serves as a resource for approved scanning vendors, or ASVs (you might have heard of ASV scans, especially if you're a merchant; they're part of what you do), qualified security assessors, or QSAs, which is what I am, internal security assessors, or ISAs, PCI forensic investigators, or PFIs, and related staff in supporting regional training, certification, and testing programs. Jeremy, welcome, and thank you for joining me.
It's an absolute pleasure. Gosh. That sounded like I'm very busy today.
I hope you're not. I hope you're actually enjoying your summer very much and not as crazy busy as that made you sound.
I'm having a lovely time. Thank you.
A lot of people are familiar with the PCI data security standard or PCI DSS, as I mentioned earlier, because that seems to be what most merchant organizations come in contact with. But the PCI SSC oversees a lot more standards than that. Can you give us a high level overview of those standards?
No. Absolutely. And it's interesting there, when you were doing that introduction, I was thinking, yeah. That's true.
That's true. Okay. So the council is very much involved in the payment life cycle. It's probably always easier to say the payment life cycle can go through all of that.
From start to finish, we have standards that are involved or occurring or, you know, play a part to ensure the security of the card data from start to finish. And, literally, I mean the start. So two of our standards are based on card production. They look after those organizations that manufacture and personalize cards.
There are card production logical and card production physical standards. So literally from the start. We also have our PIN security standard. It's aimed at ensuring the security of the PIN, however it's generated and used and wherever it's used.
And then you start moving into that transaction life cycle. So PCI DSS is all about protecting the cardholder data wherever it's stored, processed, or transmitted.
We're also very much interested in how to secure the cardholder data when it is first brought in, and that's generally in a face-to-face environment. It comes in through a point of interaction device. So we have the standard for, and we do the evaluation and the approval of, every payment device, every payment terminal that's used to accept a card-based payment. And we list those on our website.
Behind that, we're also approving and evaluating the HSMs that are used in so many different parts of the life cycle.
And then you move along and you're into point-to-point encryption, which is a way of really removing the PAN and encrypting that so it's of no use to the criminal.
And then you're coming to some of the other areas, and ensuring the security of the software that's used is another standard.
We've got new technology standards coming in for software-based payments on mobile devices, mobile phones, tablets.
We tend to get a bit sort of strange with some of our titles there. We call it SPoC and CPoC, and we've got a new one coming along called MPoC, just to make it nice and easy for everybody. But, basically, this is moving into mobile payments.
And then behind that, we're also supporting EMV with some of their work. So we have standards on 3DS, the core, and the software life cycle. So pretty much wherever there is involvement of card data that needs to be secured, we have a standard on it.
Now what I would say out of all of that list, and it seems to be an ever-growing list, is actually, this year, we're going to be reducing it. So I mentioned software security and the Software Security Framework standards. Actually, this year, we're closing off and ending our Payment Application Data Security Standard. So PA-DSS, that's one of our oldest standards. It comes to an end at the end of October this year. So we may want to talk a bit about that as well as we're going through some of these questions.
Actually, I would love to. I didn't list that here because I didn't wanna put you on the spot on something that seems kind of technical and also a little bit fraught for a lot of people. I've already had quite a few customers reach out to me who have in the past relied on PA-DSS, getting that documentation from their vendors. And so they have a degree of assurance on the software that they're using, and they're a little bit panicky almost now saying, what do I ask for now?
How do I know? How does this relate to me as a merchant? But then also on the other side of things, I know we have PA-DSS assessors in our organization. I'm not personally one of them, but I know that that requires a lot more kind of education and certification in order to go that direction.
Can you tell me a little bit about that change and how it's going to affect various groups? Maybe why the change happened?
Yeah. I think why the change happened is a really good starting point there, Jen. And when you go back to the history, so the council was formed in 2006. So PCI DSS was formed in 2006. One of the other very early standards was PA-DSS.
So back in the day, as we like to say, back in 2006, 2007, when you wrote software for use in the payment environment, it was generally software that was written, you would send it off for evaluation, it would take a few weeks and then come back, and it would be used for a year in an organization. At the end of the year, they may do an update, and we'd reassess it, and it'd be used for the next year. Now you skip forward to where we are in the 2020s.
And if you said to someone, oh, yeah, I'm gonna develop this software and not change it for a year, they would look at you as though you were out of your mind. You know, who doesn't update their software? Yeah.
And so one of the challenges we faced was software is updated so much more frequently. And so it was beginning to become a sort of struggle for organizations to keep their software approved, and also how we're using software and where it's being developed and how it's being developed and the patching of it becomes so much more important. We realized that rather than try and do a big change to the PA-DSS, it was actually more important to sort of just start again and get the focus right for how software is used, where it's used, and sort of the short time frames for each use.
And so we developed something new called our Software Security Framework, which is built up of two key standards. It's the Secure Software Standard and the Secure Software Life Cycle. I'll start with the second one first, if I may, because this is new and this is really exciting. So in the past, vendors would develop software.
They'd send it into the lab, and we'd assess it and make sure it was good and give them a tick in the box and a certificate.
Now what we're doing with the SLC is we're going to validate that the software developer has good quality control procedures in place and is developing their software against those good quality control procedures. So if they do a minor change, if they're doing a patch or something like that, instead of having to go through all this process, we will validate their process. We will check and certify to say, yes, you are doing this correctly. So when they do an update to some software that they're approved against, rather than go through that whole process, they can just inform us: hey, we've done this update against our approved standard.
Here's the changes, and we can look at that. We can check that it's all gone through and go, okay, yep, we'll update the listing. That is far quicker. It has to be quicker because for most people and, you know, some of the software developers, they're doing patches or updates every day.
Right.
So you can't take six weeks to evaluate software when it's changing every day. It just doesn't work. So the new process, with the Secure Software Standard, enables the developers to have good confidence in the security of their development. We know software is one of the key targets that the criminals are attacking, so we want to make sure it's secure.
And we can still validate that. So we'll validate that probably initially or maybe, you know, every now and then. I know every now and then is a little vague, but, you know, as we build confidence up with the vendors and everybody about this, that will give us an idea on that. And then we'll be able to use the SLC to do the patching.
So from a merchant's perspective, this is gonna be great because as they're getting these patches, they're thinking, does that mean that I'm no longer compliant? Does that take me into a different problem? It's like, no. It's updated already on the website.
Our website is updating this. So for us, this is a huge change. Now the scary part is, we've been announcing this in as much outreach as we can, that this program was ending. So we started off probably more than a year ago, probably two years ago, to say, hey, guys.
The PA-DSS is ending. Last year, we stopped accepting new submissions. So in June last year, we stopped accepting new submissions, and we said, guys, it's ending in October next year. And as is always the case, everyone's like, yeah.
October's miles away. And now we're in August, and it's like, October's not so far away. So it is important that, if you are looking for new software, you were talking to the vendors and going, hey, guys, are you into the new Software Security Framework?
And I can tell you now, not enough of them are. Right. We really need the vendors to start picking up, all the software developing companies to pick this up and run with it. So I think in the short term, it's going to be a brand issue. Compliance, by the way.
I didn't we with the C word. Yeah.
The council are not responsible for compliance. That is always the brands' responsibility. So if someone is using PA-DSS and is concerned, they do need to talk to their brand reps about that. In terms of the migration to the Software Security Framework, they should be leaning on their software developers saying, guys, you need to get into the SSF program yesterday.
Yeah. And if they're doing it internally, they need to find their internal people and say, guys, get in touch with the council because you need to be picking this up. It is actually going to be, in my mind, one of the most important standards that we have. It's equally as important as DSS because as we see the payment world changing, as more and more things are becoming mobile, more and more things are running on apps, everything is reliant on software.
Having good secure software is essential if we're gonna be protecting payment data going forward. So getting everyone bought into this new program is critical, and don't wait. Absolutely.
You need to be doing it.
And I think merchants have more power than they think they do with the service providers. One of the messages that I'm hearing from merchants is, oh, well, my service provider said PA-DSS is going away, so they're not gonna provide us anything now. And I said, oh, great. Well, then we'll have to schedule an application layer pen test for the payment application that you're using.
We'll have to do all that, because that was one of the levels of assurance that they were getting from the PA-DSS, and now getting from the new software standard, that the merchant can rely on that, so, yeah, to meet some of the requirements. And if they don't have that, then all of those requirements for the software security land back on the merchant. So the merchant shouldn't be accepting a payment application that isn't going through that program.
No. Absolutely. Absolutely. That's why I say you should be reaching out to them, to their suppliers, and say, you need to be on this. You should be giving us this certificate. It's there now.
Absolutely.
And the good news is the number of approved, you know, software applications through this new process is growing. We've been watching it, and as we get near October and people are beginning to put it through, we're beginning to see the rise in the number of approved solutions. So, yes, just everyone get on to it, please.
Absolutely. Otherwise, October is going to hit, and then nobody's going to get any holidays because they're going to be in a panic.
Oh, yes.
This episode is brought to you by the SecurityMetrics 2022 Guide to PCI Compliance. I personally helped with this guide and can highly recommend it to anyone going through PCI compliance. It goes through what the requirements are and then tells you in the real world what they mean, how to meet them, recommendations from auditors. So it's a great resource to get the fundamentals of PCI compliance.
You can get it on our website, www.securitymetrics.com. So, another change that we've had is to the PCI DSS, the one that most merchants are familiar with. We moved, well, we are moving. Excuse me.
Haven't totally moved yet. But the 4.0 just came up, and everybody's really been on 3.2.1. And so a lot of the merchants that are smaller are still kinda fuzzy on where they're at with things. And there was some panic that the SAQs were going to go away.
Very happy that they did not go away.
But for people who are kind of unfamiliar with what an SAQ is, how it's related to the PCI DSS, you know, the intent, maybe run over that for me a little bit.
Yeah. Absolutely. And just to confirm, the merchant sort of assessment form was never going away, the SAQ. Yeah.
What we were trying to do was to really clarify that self-assessment questionnaires are for merchants. There is a tendency for other organizations, maybe service providers, to think that they can do a self-assessment questionnaire. It's like, no. This is for merchants.
As a service provider, you are aggregating data. You need to prove to organizations that you are taking security very seriously. So what we were contemplating was another way of showing that these were specifically for merchants.
But I think we took a step too far too quickly when we released that, and it did cause a little bit of panic. So we went, okay, you know, we'll step back, and we used the time to update the self-assessment questionnaires and really then have moved those out. And that's why some of those documents weren't out as quickly as the DSS, because we'd taken on board that input.
You know, one of the great things that I've seen from working with the community has been their involvement in the RFC process. We've had something like 6,000 comments through all of the, yeah, all of these RFC programs. And every one of those comments was reviewed and led to a change.
And it was quite funny. I'll come back to the SAQs. Don't worry. Oh, no.
I was working with one organization, and they submitted some comments. And I wanted to show them how their comments had led to a change. But when I compared, like, the first draft of the DSS to what had come out, it was so different. The layout had changed because the comments were all about, please provide more guidance, make it easier.
And all of this had been taken on board, as well as some of the specifics about, can you, you know, make this correct, or this requirement, or can you put a bit more guidance? But it made it very difficult to map where someone's comments from the very first RFC had affected it, but I can say they absolutely did. And the number of positive comments I've received from organizations about how we've laid it out, about how we've provided the guidance, how we've made it clear what we're looking for, that's been tremendous, and that's been very encouraging. So bringing that into the SAQs, really, the self-assessment questionnaires are to try and simplify the process, especially for smaller merchants.
We are very, very conscious that small merchants, especially micro merchants, are not technical experts.
Right.
And so if you presented them with 400 pages of DSS, then they're very much gonna go, well, okay, and they wouldn't touch it. Yeah. So one of the things we wanted to try and do was to try and simplify the scope, in a way, by sort of breaking it down into, well, how are you doing business? You know?
Are you just doing face-to-face? If you're just doing face-to-face, then, actually, self-assessment questionnaire B is going to be the one for you. And what we did then was, like, shrink down the applicable requirements to those that we still felt were relevant. And if your terminal was connected via the Internet, and most of them are, we'd have a few more requirements.
But instead of having to address three or four hundred, you are now down to maybe twenty or thirty. So now it becomes more manageable. And, really, what we've done there is we've sort of highlighted whether people are doing face-to-face transactions, whether they're doing online transactions, whether they're using remote terminals. And then as the range of standards that we talked about right at the start has expanded, we've added a few more in.
So we've got one specifically focused on point-to-point encryption because, again, there are some differences there. So it's a way of helping them focus on the scope. And, again, even some of the larger merchants are looking at this, and it's interesting, as the merchant community has moved with us, it's again, when you look at the history of the council, seeing how the merchants have improved their own security and how they look after data and how they understand how they're operating and transactions are going through their system.
So they can also identify sometimes whether they can separate, and really keep separate, their online business from their face-to-face business, which means then, instead of having to do it all, they can look at that and go, well, our face-to-face business will do SAQ B-IP, and our online business will go through SAQ A-EP.
And again, it depends how they're working. The other thing that's changed that's also influencing this is that a lot of service providers are now bringing in payment solutions for these small merchants. So they're coming to these small merchants going, look, don't worry about the payment side. We'll provide that for you so you can just focus on your selling.
Now that is fantastic because a lot of these service providers have got good experience and know how to do this securely. The challenge is that too many of these service providers are going, and that's all you need to do.
Oh, I know I've got that.
It is wrong. Wrong. Wrong. Wrong. To every service provider that's watching this program, every merchant still has things to do even if you're providing the payment page. And that is they have to do SAQ A, because it's how they transition from themselves to you, because the criminals are very clever, and they'll try and get into that gap between that transition point, and they'll attack everybody.
Right.
So, yes, great service provider. You're providing these lovely secure payment pages, but the merchant still has a little bit to do. Please tell them. Please remind them. Please help them, and we'll ensure the whole process is gonna be smoother, easier, and more secure.
Right. And even from a nontechnical point of view, even if they have third-party providers that are taking care of every aspect of that for them, there's still something for the merchant to do. And that is receiving the attestation of compliance and the responsibility matrix to make sure that every aspect of what they're doing is covered and that they're choosing service providers that have been assessed. Now there are occasionally service providers that I see that self-assess using that SAQ D for service providers, which I believe is a risky move for merchants.
Agreed. Agreed.
And I'll tell them often, if you're using a third-party service provider, I wanna see in your organization's risk assessment that you are choosing to do that, that you're not just glossing over the fact that you're getting a self-assessed questionnaire from a service provider, because, like you said, they aggregate that information, so the service provider can potentially be a big risk for a small merchant. And so if they are going to accept that, I wanna see in their risk assessment a line item that says, we have assessed the risk of using a self-assessing service provider, and we are approving it because of A, B, C reasons. And here's our senior business leader who has made this decision and knows about it. Right? So sometimes the way that you can protect yourself as a merchant is making the decisions and making sure that your service providers really are up to snuff. I think it's one area where sometimes they gloss over it a little bit.
Do you know? I totally agree with that. I cannot believe that if a service provider wants to be taken seriously, they wouldn't want to have an external organization come in and assess them and say, yes, you are taking security seriously.
Because, you know, if I was a merchant and a service provider was coming to me with a self-assessment question, you know, self-assessment validation, I'd be like, you don't take it seriously. You're not going to look after me, and you're not going to look after my customers. I'm not going to use you.
Right.
It's as simple as that. There's a lot to choose from, and go for the ones who will come with the right level of validation.
You know, this feels like it leads us into the topic of ASV scans because there are a lot of vulnerability scans, and the ASV scan is a type of vulnerability scan, but this is a very specific type because it's directed by the PCI standards. Can you tell us a little bit about what an ASV scan is and why it's different from other types of vulnerability scans?
I'll try. I'm not an expert on this area, but what I would say is one of the things the council does do is we approve assessors as well, a range of assessors, to try and ensure that we have high quality assessors, that we've trained them to understand the standards and understand what we're looking for. With the ASVs, as well as some of the evaluation laboratories, we take that forward into a higher level because we want to make sure that they've got the right capabilities.
So for an organization to become a PCI ASV, they have to go and do an assessment and an evaluation. We have some test pieces set up that they have to find all the flaws with.
And if they can, that's brilliant. We go, okay, you know, you're doing this properly. And if you can't, well, you know, guys, you need to do a little bit more work before you come on board. And, really, what we're doing with the ASV is this: we're doing the vulnerability scans. We're going to check all of the IP ranges. We're trying to make sure that we can see whether an organization has got all the right security features in place, whether they've got open ports everywhere, whether they've got patching, whether they're using outdated or unsupported software.
And, certainly, you know, when we saw all the attacks, the Magecart attacks, that was related to, you know, yeah, unsupported or insecure software. So it is a really important part of the overall security assessment.
When there's a breach and our forensic investigators go in, usually they will say, this is how they came in. They could find their way in because this was open. This hadn't been patched. This was unsupported.
ASV scans are gonna find that. Now the other thing as well is that the scanners never stay, it's like the score never stays. The passing score doesn't stay the same forever, because the longer something's in place, the more criminals learn about it. So the level of technology and expertise they need to overcome certain things diminishes.
So maybe what was good enough one year, you may find, if you suddenly start failing, that we've updated the scoring required, and suddenly what was acceptable is no longer acceptable. So sometimes that's why you suddenly start failing or, you know, you see there's a problem. But it is important because this is how the criminals attack people. This is how they're getting in, the weaknesses.
And so it's a really good way of doing it. Now one of the problems of being in lockdown for two years is that many organizations had to shut up, and one of our requirements is you have four passing scans, you know, in a row. Right. It can be difficult to do four when you are shut down for a period.
Yeah. It's getting less now as we're coming through this. But if you have problems because you literally were closed because of lockdown, do talk to your assessors. Do talk to your acquirers, and we can work this through.
You know? Hopefully, going forward, we'll get all those scans together, and we'll have it nicely in place. But, you know, we did understand and appreciate that lockdown threw everything into a mess, and we're still in the recovery part of that.
But you know, I really like that about PCI because there is that element of reasonable grace that the PCI standards offer that you don't see in some of the other standards.
And I really value that personally as an assessor.
We try to appreciate, you know, we will be harsh, but, you know, we understand there are certain situations, like the ones that COVID has created.
One thing I would add about the ASV scans and DSS 4 and SAQs, we'll bring it all together, okay, is that we have brought into the SAQs the requirement for quarterly scans, and that might come as a bit of a surprise for the smaller merchants, especially if they don't really understand what that means to them and what they're supposed to do with that information.
And I think that's where we're going to rely on a bit of help from you as the assessor community. We're gonna rely on a bit of help from our acquirer community. And I think from our own side, we'll be providing more support and guidance and information around this because, again, small merchants may not understand why this has suddenly come in. It is so important. The small merchants are often the ones that don't do this updating and patching and using the correct software, and they are getting breached. So it's a way for them to help improve their security, but they need to know what to do when they fail, because they probably haven't got the technical skills to know what that means. So they're probably gonna need that extra bit of help and support from the acquirers, from the assessor community, from the ASV people to help them know what they need to do as a result of a fail.
And it asks us as well in that.
I think that also speaks again to choosing service providers that are PCI DSS certified, because they will have more knowledge towards helping the merchant in this ecosystem of, you know, the programs that exist. You know, if you choose somebody to do vulnerability scans that is not an ASV-listed provider, that is not already part of PCI DSS, then when something goes wrong and they find a vulnerability, they can't help the merchant as much as someone can who's already part of the program.
Yep. Yes.
So I'm gonna stick a little bit with the idea of being listed, being approved by a PCI program, and go to P2PE. This is point-to-point encryption, one of my favorite ways that merchants take payments. I wish everybody who did face-to-face payments would stick to P2PE. I think it's a fantastic solution for thwarting the bad guys.
But it's also one of the most frustrating things because I often run into resellers who tell these small merchants, oh, it is P2PE.
But the merchant doesn't know enough to know how do I check and make sure it's listed. And being P2PE and PCI means it's listed. It's not just some, you know, P2PE adjacent.
Yeah.
So, can you tell me a little bit about the P2PE program, why having a listed solution is important?
No. Absolutely.
So point-to-point encryption is as the name says. The card data is encrypted as soon as it enters into the payment terminal, and it remains encrypted till it reaches a point where it can be securely decrypted.
So we've run this for a number of years, and, essentially, there are sort of three parts to this. You've got your encryption part, which is your PTS approved POI device. You've got your approved decryption point, which is your PCI PTS HSM. And then you've got the application and the software running, which will be approved as part of the point-to-point encryption process. So for a merchant, this is a really fantastic way to get rid of cardholder data from your face-to-face environment. It's encrypted in the terminal.
Most of the terminals now that are available, because it's been in that standard for quite a number of years, and most of the terminals in use today will do that encryption securely. So we know we can do it securely, and then it's encrypted through your merchant environment till it gets to either a third party or to your acquirer. So having that approved solution, and you can visit our website, our new website, and look it up quite easily, means that we validated that the data is secure, that there aren't the keys, because, basically, it's like your house: you can lock the door, but if you leave the key hanging on the handle, then somebody can unlock the door.
And it's the same with cryptography. If you leave the keys around, then the criminals can decrypt it. And, again, as part of that process, we're going to make sure that all of the encryption process is correct. All of the technology used for encryption is meeting our standards.
And, again, this is another area where key lengths change every now and then as the criminals get better. So we're going to validate everything's done, the key loading process, the key management process. There's a whole raft of things that we're doing in the background to make sure that when that data is encrypted, no one can do anything with it until the right people with the right method of decrypting can do it.
Right.
So for a small merchant, this is brilliant because it's an easy solution for the acquirer or their reseller to provide them, validate it as an approved solution.
And then you can pretty much relax. You know, it's gonna be good. Now for other organizations, encryption is very helpful.
And so you sometimes see other organizations wanting to encrypt certain aspects of their data, of their payment data within their systems. And suddenly, you see these other alternatives or these non-validated, you know, encryption solutions.
Now they're okay, but you're not entirely sure what you're getting. So, you know, it's best to go with the approved solution from us because you know how it's going to be used. The other thing as well is that one of the options we provided within our P2PE solution is to allow merchant decryption. So some large merchants want to decrypt the data in their data center for various reasons.
So we've got a process that says, okay, we can validate that. We can validate that you do that decryption securely, and you do a re-encryption securely against all of that key management process that I talked about. And so we provide a better solution for those merchants.
So, again, it's a way of giving you confidence. We're back to this. Is your third party provider validated, or are they just doing it themselves? And it is all back to that.
You know, if you're wanting this, these are the questions. I think, again, you said it earlier, Jen. Merchants are, you know, they should be asking these questions. They shouldn't be afraid to ask questions of their suppliers, of their vendors.
It's like, show me the money. You know? Show me that you've got an approved solution. Show me that, Mr. Service Provider, you are a validated service provider.
You know, don't be afraid. If you don't understand, reach out.
Yeah. I just had a consulting engagement just two months ago where they literally bought just four hours of consulting so I could make sure that their third party vendor that was offering them a P2PE solution was actually offering them a P2PE solution, because they didn't have that knowledge internally to verify. And you know what? They weren't being offered a P2PE solution.
And so I did upset a few people by saying, no. This is no.
But, well, there are, I mean, the important thing there, there is a lot of choice.
Don't, yeah, people feel that, no, I'm gonna be forced to this solution that's gonna be really expensive. No.
I can't remember. I think the last time I looked, we had about a hundred solutions available globally. Yeah. So it's not that you've got one or two.
No. There's quite there's quite a few.
Wide range for you.
Yeah. Absolutely. And I think that there's a lot of, it's interesting when you see different groups in different industries. I think that's one of my favorite parts about being an assessor is I get to go and see how people conduct business in so many different ways depending on what it is they're doing.
And they each require kind of different payment solutions, because sometimes it's like a fuel pump out in the middle of nowhere and sometimes it's, you know, online payments for, you know, massive amounts of online sales. So it really runs the gamut, knowing how you do business. As you said earlier, knowing how you do business helps you know kind of what applies, the requirements. And if you're a smaller business, having that SAQ kind of cut that short for you is a really valuable part, I think, of the standard set.
You know? And you've actually raised a really important point because we've talked about the standards.
Actually, the council is so much more than the standards. And one of the things that our community is brilliant at with working with us is actually providing guidance documents. Each year, we run what we call our SIG program. And this invites our organizations, our community, to submit ideas of areas they would like to have more guidance.
And, again, this is often because, within the DSS, how an airline approaches it is totally different to how a multilane retailer does. And for those who operate in call centers, there's different challenges. And so over the years, our special interest groups, our SIGs, have generated some fantastic guidance documents which have been written by the community.
So they're written in a language people understand. Right.
To help them and their friends and the community understand how DSS applies in this particular area. So we've done call center guidance. We've done ecommerce guidance. We've done cloud guidance.
We've got our containerization guidance. Don't ask me. I'm sorry. That one went to, you know, in the cloud.
And that's just about to be released. But, good, the important thing is our community put forward suggestions to us, and then they vote on it, and then they work on the guidance. And that is a really critical part of what makes me really proud: we don't just do the standards, we have a lot of support and information and guidance.
And people should go on the website and look because, generally, some people, you know, other people in that sector will have been involved. There may well be some supporting document that's gonna be able to help you in that area, and that's really good.
Absolutely. And that seems to lead us to the topic that we mentioned earlier. Part of your duties include educational efforts. So what else is available for individuals and organizations in the area of PCI education?
Oh, great great transition into that.
We've updated our website. So we've got a new website that hopefully is easier to get around. I know one of the key things we introduced was we've got a load of little icons just below the sort of main banner which says, what do you want to do? People used to struggle to find things.
We have so much information. We just weren't always good at being able to point people to it. So, hopefully, now there's these boxes that say, I want to. I want to find a document.
I want to find the information. I want to ask a question, and that's gonna be easier. But behind that, we do a lot of training. You said that yourself.
You've recently done your assessor training for version 4. So we're doing training to transition our assessor community so they understand version 4, and they'll be able to assess against that. We also do training for our community. So we do awareness training.
We do PCI Professional training, which is aimed at individuals in organizations.
We train individuals in companies to the same level as the assessor. We call that our internal security assessor training. So there's a lot of opportunities for organizations and for people to get involved with the council. And then, of course, we're coming to our big events of the year, which, you know, we're back in person for the first time in three years. We're super excited. Our community meetings are coming to Toronto in September and Milan in October, and I can't wait to see everyone.
I can't either. Are you okay.
In person.
Are you, like, in charge of those? Like, are you the reason they're great, Jeremy? Tell me.
Absolutely not. No. The reason they're great is because we have a whole team of people working like heck behind the scenes. And we're also fortunate that a lot of organizations submit some really fantastic speaking suggestions.
So we're able to, you know, we get so many that we can really pick and choose the ones which we think are gonna fit, you know, what we're talking about at that event. So there are great opportunities. But for me, as much as anything, it's just mixing. Yeah.
The opportunity to come and meet and talk to people who have different approaches to solving problems, or they're in the same sort of sector and you have similar problems. You can discuss and share information about how to solve them, and there are assessors there that can help. The council's there to help. The brands are there to help.
So it's a fantastic get-together of the community. And like I say, I'm super excited that we're back in person this year, and I can't wait. And for the first time, by the way, usually we restricted entrance to just our community, so our participating organizations, assessors, ISAs, etcetera. This year, for the first time, we're actually allowing organizations who are not participating organizations, individuals, to be able to buy a ticket.
So that's equally exciting. So it's, yeah, should be a busy, busy event. Really looking forward to seeing everyone in Toronto.
That's amazing. Alright. Well, before I end the call, is there anything that we've missed? Anything that you wanted to bring up before we close?
Do you know, I think we've had a real good discussion here, Jen, and I've just enjoyed having a chat. And now I think, do visit the website. There is so much to see, and do sign up and come to the community meetings and talk to me in person because, honestly, I enjoy talking to everyone in person. It's so much fun.
And I just wanna reemphasize that. That website, there's so much. People ask me questions that I'm like, well, let me take you to the website and show you the document, show you the guidance, show you the information. It's there. It's searchable. People can find answers that they need there. And I think you guys have done just an excellent job on the website.
I'd better say the web address, because we've talked about it.
Oh, yeah. It's not, it's fine.
Yes. I know. I'll get told off if I didn't say that.
It is www.pcisecuritystandards.org.
Excellent. Thank you so much. Thank you. Alright.
Thank you very much, Jen.
Alright. It's good. Very good to talk to you. Take care. Thanks for watching. To watch more episodes of SecurityMetrics podcast, click on the box on the left.
If you prefer to listen to this podcast, it's available on all your favorite podcast platforms. See you on the slopes.