I am back from the HP Technology Forum & Expo 2008, taking place this year in Vegas. I was presenting in one of the breakout sessions after Howie Mandel's Thursday morning closing general session.
To be honest, my audience was a "little" smaller. Maybe it was the topic (or the presenter :-), but I was actually surprised by the number of attendees, all working for well-known companies that are still in the process of compliance, determining the PCI scope, or taking the risk of not being compliant. We are focusing on section 6.6 (and we should; just to remind you all, it goes into effect on June 30, 2008), but there are plenty of organizations that are also trying to solve the other "challenging" topics. Here's the citation from the PR:
The PCI Data Security Standard (DSS) provides an actionable framework for developing a robust payment card data security process including preventing, detecting, and reacting to security incidents. However, several requirements mandated by the PCI DSS such as tracking and monitoring cardholder data, rendering stored cardholder data unreadable, and application security pose considerable challenges for most organizations. Mr. Besser will discuss the three most difficult PCI DSS requirements, the pitfalls to avoid in trying to meet them, and best practices for making sure you pass a PCI Audit. He will also cover the recently published PCI DSS update titled, Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified, which goes into effect on June 30, 2008.

So, what have I learned:
1. Many organizations are still not 6.6 compliant.
2. Some organizations continue to store sensitive authentication data such as PIN, CVC2/CVV2/CID.
3. Few are still unaware of the full scope of PCI.
I guess that we still have a lot of work to do...
Image: Power house mechanic working on steam pump By Lewis Hine, 1920
National Archives and Records Administration, Records of the Work Projects Administration
(69-RH-4L-2) [VENDOR # 36]
http://www.archives.gov/exhibits/picturing_the_century/port_hine/port_hine_img22.html