So without further ado, here's the PCI: Compromising Controls and Compromising Security talk. All right, it's before noon, so good morning. Thanks for coming out. My name's Jack Daniel, for those that don't know me. For those that do, you may be wondering where the sock puppets are. Last time I saw them, they were drunk on the beach at BSides, so this is not one of my sock puppet talks. PCI at DEF CON. What the hell has the world come to? It's noon on Sunday at DEF CON, and people are interested in this, and I don't think I have to read this. This is changing the security industry. Those of us that care about security, those of us that like to play with stuff, this compliance thing is getting into everything we do. And PCI is the poster child for it. It's global. It has a significant impact on a lot of things. And so you can extrapolate this to HIPAA, Sarbanes-Oxley, in different forms, but we're going to pick on PCI because it's fun. It's in Nevada state law. But still, it is PCI at DEF CON, and it does seem like a sign of the end times, you know, Six Horsemen of the Apocalypse here. Actually, seven, but we'll get to that in a moment. Who are we? James Arlen, Myrcurial, I'm sure most of you know him. Dr. Chuvakin was not able to join us in person, but his book's here. Any time you think Anton should comment, just say, "Buy my book." It's actually a good book, but he's been involved in this since the beginning. Joshua Corman, me, Alex Hutton, Martin McKeay, and Mr. David Shackleford. So, usual disclaimers. We don't speak for our employers, clients, customers, spouses, siblings or offspring. My dog will back me up. But that's just, she gets truck rides and that's it. Opinions are our own. Facts are as we see them. We aren't lawyers, et cetera. And should anyone on the panel be a QSA, they are not your QSA. Maybe not. And I would actually comment that if there's a QSA or two on the panel, they might be your QSA. At least for a few of you. So, discussions.
These typically deteriorate into clichés. Any discussion. Somebody inevitably says, don't throw the baby out with the bathwater. If I have one word for that, don't make me say it, much less show it: tub girl. So if this becomes a slugfest, I'm going to moderate this, but I'm going to be the salt, because we do have some people with different opinions. So here we go. This started with, it's going on, but Josh Corman made some comments that lit some people up. And we've had an ongoing discussion that's coming up on almost a year. And the standard questions are: is it PCI or security? Is it really PCI versus security? At some levels PCI actually hampers security for the advanced. PCI also advances security for the people that aren't doing what they should be in the first place. I work for a firewall vendor. There are people that have rudimentary things because they're required to. But there's the other end of that. And we have pretty pictures to point to that. And it has an impact on all of us. It has an impact on what it costs to use your credit card. It has an impact on what it costs to buy things somewhere where they have to be PCI compliant. It has an impact on whether or not you have fraud charges on your card. So there's the obligatory first boring bell curve slide. And then there's Mr. Corman. Okay. So this thing basically started when Chris Hoff and I were doing a bunch of roundtables with CISOs. And we were doing them for two days on virtualization as a disruptive technology, cloud computing as a disruptive technology, de-perimeterization, mobility. We were basically showing how traditional security architectures were ill-suited for a rapidly changing compute environment. We weren't even talking about bad guys. And we kind of did a tabula rasa project and drew on the whiteboard: if you could start over, what security controls would you keep, which ones would you toss? You know, we just carry behind us this comet trail of dead technologies that do a really, really bad job.
And what would it look like? So at the end of the day, someone raised their hand and said, oh my god, I don't need to buy that anymore. I don't need to buy that anymore. And some other guy stood up in the back of the room and said, PCI still makes me buy that crap. So the next morning, after lots of caffeine, I think two cappuccinos, I said, PCI is the devil. And I got a standing ovation from like 200 CISOs. And it was really a joke, right? But when Anton and Martin heard it, they wanted to exorcise the demons. And we started a pretty adult, informed and clueful debate, because people basically hate PCI for a visceral reason. Or they love PCI and they're a fanboy and they write books about it. Or, just to be clear, by adult, he does not mean pantsless. That's right. We were miles and miles apart. Some of us don't like PCI but make a living at it. That's true. So the bottom line was we're having all these food fights and they're not helpful, right? It's just the echo chamber. So we wanted to have an adult, informed debate. And what happened was the people who tended to like it saw a bell curve. So now I don't call it the devil. I call it the No Child Left Behind Act of security. Because there is, in fact, a distribution, right? You have the people who do nothing. And that's basically where PCI has been very helpful. The negligent. They would do absolutely no security for that card data if they were not forced and fined to do so. But then you have a lot of people that were doing security well before we could spell PCI. And they are not... They're nonplussed by this. They can get extra budget. They got distracted, right? So you have the negligent, the advanced, and a lot of people in the middle. And what we found is the people who were fans of it were really describing a different segment, the people who must be forced to do something. And the people who were upset with it killing innovation or redirecting budget were the people in the middle or on the higher end.
Now, Martin really enhanced this view, because it's more like this. Martin. I did. Yeah? Well, we've had the conversation many times. And I think Josh just kind of summed it up, that there really are two distinct groups of people. And as he said, there's the majority of the people that I see as a QSA that are... have a rudimentary security system, have rudimentary controls in place, but there are still things that would be considered basic and common sense that are not there. They just either haven't had the budget, they haven't had the time, for whatever reason. There's lots of controls that for years they've never had the time to put in place. And that's the people in the first hump there that really just have to have some sort of lever to get management to give them the money to actually secure the enterprise. And that's... Even though I don't like everything about PCI, that's one of the best things I see about it: it's an opportunity for people to use as a lever against management. On the other hand, if you really look at PCI, I'm the one person your managers fear more than hackers. Think about it. I'm the one who can come in and say, you know what? I don't think you're compliant here. Therefore, you're going to have to end up paying an extra half a cent per transaction, or you're going to have to pay an extra percent per transaction because you didn't mark the checkboxes. It's not perfect, but it has done a lot of changes and made people get that money and get those resources. Do you have any thoughts on this, Jamie? Well, let's see. We've created a system that requires that you pay extra money in order to solve a problem that isn't your problem. Does anyone know what that's called in the law? Extortion. Extortion. Racketeering. There's a specific set of laws that are designed to prevent that. Is that Canadian or US law? That's everybody's law. Here's the deal.
You've got a situation in which a bunch of people with lots of money are making the suggestion that 100,000 merchants are going to do a better job at securing the credit card transactional system than the three credit card companies can do. Come again? It's an insane solution to a very, very simple problem. I want everybody in the room to spend just a few minutes thinking about what usury is. There's a legal definition for it. The legal definition for it does not include something that I think is very apropos these days. I want you to think about the spread between the overnight interest rate and what you pay on your credit card interest rate. The average in North America is over 20% for credit card interest. The average overnight rate is under 1.5% of 1%. When you follow the money, you can't find it. 20% interest, nearly 20% interest, is disappearing into covering the costs of the credit card transactional system, which was designed in the 50s and has yet to be significantly updated. There's a problem there. Why is it up to all of us to solve it? Jack, they're quiet. They might be thinking. I don't have to think. I've got a checklist, and if I fill it out, it's solved. I'm going to hijack this for just a second, because this is a point that somebody that's not on this panel but has been involved in the conversation brought up about that thought-and-checklist thing, which is Andy Ellis, who some of you may know. He's the chief security officer, the CSO for Akamai, and he observed that a lot of us, at least those of us that are on the admin side that made it into the security world, something went wrong. We moved up the food chain from doing desktop support to being network or systems admins, or if you're like me in small business you were network and systems admin, and something went wrong, something got popped. You became involved in security. You became the security guy. You know the system nuts and bolts up. You got in that entry-level security position and moved up.
That entry-level security position is now somebody that's out of community college with a two-year accounting degree, because they need to audit a checklist. So now where do we get those entry-level people? We've broken this path, and I don't know that that's universally true, but after thinking about it and talking to some other people, that's absolutely true. I should have said at the beginning we're going to try to hold questions to the end, but while you're standing there, you have something? Good morning, thank you. You're assuming that the problem you describe is the problem that the card companies are trying to solve, and what they're really trying to do is shift the perception, the liability, to the merchants, the acquirers, everybody else, because otherwise if they take control of the system and there's a failure, people lose confidence in the card system itself. Now they can point to individual merchants, processors, whatever, and say we have this great standard and they failed to meet it, they were not compliant at the time of the breach, and so they're protecting themselves and their system. Wait, wait, so you mean a financial institution or a group of financial institutions made a conscious decision to transfer risk so that they can maximize their profits? Isn't that amazing? But the risk... Apologies for interrupting, carry on. So did you just call PCI a faulty financial instrument? Is that the analogy? Well, I didn't phrase it as a toxic mortgage, sir. Okay, so because you pointed at me when you said that, I don't want to run the entire audience through the history of the credit card system and the number of times that they've done risk transfer all down one level. When they started, when they began the process of creating the quid pro quo that turned the credit card into the instrument of world economics, and they are the de facto world currency. But let's be serious, even that risk transference wasn't really the main reason behind PCI.
That was kind of nice for them, but for the PCI council, or the credit card companies, at least in my opinion, it was really all about keeping the government out of their business. It's basically a way of saying, look, we're doing something, we're trying our best to make sure that this is secure and that your transactions are taken care of and kept secure. Mr. President, stay away from us. We don't want to see you. We don't want to see Congress. Thanks, bye. I was just going to say we have a really scary situation. Dave Shackleford has been quiet for several minutes and we need to resolve that. That's absolute madness. So let me just, I'll just call kind of the bullshit on the conversation. We can all clap and go, yeah, eff the man, whatever, right? But yeah. But what's the debate? Are we going to change any of that? We can sit here and talk shit all day long. We're not going to change that. So the question is, do we need a better checklist? Or do we need better auditors? Do we need some controls around how it gets done? I mean, I guess the question is, you said it at the beginning, Jack. We're talking PCI today. How many of you have been dealing with compliance crap for a long time? All of you, right? Every one of you. I mean, I can literally remember when SOX got created, and as a technical guy, you know, my stomach just churned, because I'm like, creating these mounds of paper that meant nothing. And so the thing is, those aren't going to go away. So what can we do to make the thing better? I mean, the government's going to stay involved. The industry entities are going to stay involved. And I'll pause there. I thought you actually brought something. I'd kind of like to know. You don't have to, Steph Kahn. I'd like to know the mix of the audience. How many people are pen testers in the audience or involved in assessment? Cool. How about people that are just compliance wonks, one way or another have gotten sucked into compliance as a career? Nobody's raising that.
Just as many as claim they know how to penetrate things. How about general purpose network or systems admin folk? We have an interesting mix, and you're all interested in PCI. I mean, I'm a packet monkey and I've been turned into a compliance guy because of what Dave said. This stuff, you can't get away from it. You cannot get away from it. So where do we go? Well, I mean, we can't keep screaming into the darkness, right? You can't just be pissed off that this is here. What we should be pissed off about, to Dave's point, is the content, right? So what that checklist looks like sucks. The average skill set is going down in a lot of the QSAs. Some of the QSA shops are downright corrupt. They'll fail you and then sell you the passing grade. So it's really not about getting into a system. It's really about, you know, we're going to have some sort of compliance process. It's structure and content, and the content sucks. The reason we have grandma on the end there, and I didn't have to make fun of the PCI council, they did it themselves. That's the PCI Rocks video on YouTube, and if you haven't seen it yet, you need to experience this. Hilarity ensues. The reason Anton isn't here. Pick up some acid in the hall while you're here this weekend and watch that, because it might make sense in that context. One of the reasons Anton may not be here, that we can speculate, is because we made him promise that if we got accepted, he would do an interpretive dance to the PCI video. But the bottom line is that grandma there is the antivirus grandma. And we have our oldest control. Antivirus. Antivirus, that's right. But what we've codified is we're making sure people spend on the digital dozen, right? The dirty dozen. And if you look at that list, it's firewall. How many of you guys, would we stop firewall? IDS, not even IPS. I mean, the Gartner Magic Quadrant leader for IPS got a 14% score after they tuned for two days in the NSS test labs. But I have a compensating control for that.
Well, it's going to be compromised. But these things are, they're not useless, but they're really long in the tooth. And what we have is an incredibly static set of controls and best practices designed several years ago that never change, right? Well, it gets worse. Now we're coming up with 1.3 or 2.0 of the PCI DSS. They're going from a two-year lifecycle to a three-year lifecycle. They're trying to make it so that everything is going to be along the same date and time. We are not expecting to see major changes from 1.2 to 1.3. We're not seeing a lot of new information. So how do we use this tool? I mean, really, PCI is an assessment, I'm sorry, a compliance tool, instead of just something we have to check boxes off. And that's one of the problems we have, is that we keep thinking of it as a checklist instead of a tool to make management do what we want. I mean, if we had changes, look at all this, the great talks at Black Hat and BSides and DEF CON. Look at all these people dropping new research. Do you think any of that research is going to affect the standard? Well, it certainly isn't going to make it into October. And the next chance to do so is three years from now. But we do have reliable guidance on how to secure our virtual and cloud infrastructures. And this, being scoped the way it is, actually secures our entire infrastructure because, no, wait, all they care about is magstripe data. Wait, why are we using magstripes? That goes back to our 50s technology idea. So there's one of the issues, is we have something that isn't going to do a good job. There's an argument I got into over the Massachusetts 201 CMR 17. It's the law that was enacted after TJX came out. We had a breach disclosure law that required the state to push out a law or a set of guidelines which had some sort of penalty if you didn't follow them, although there's no enforcement, does that sound familiar? For how to protect your systems.
And it got watered down and watered down and watered down. And I stood up in a hearing and said, you know, this is garbage. What you should do is just jack the fines through the roof and let risk take its place, because anybody can, we can talk our way around any of these, you know, encryption, it's just a horrible rule. And somebody got up after me and said that if you make a good faith effort at this, and I threw up in my mouth a little bit, because if business had made a good faith effort in security, we wouldn't be here. But on the flip side, having worked in small and mid-sized businesses all my life, there's a series of problems. If I don't make payroll on Friday, then it's all over. And in security, we are notorious for losing sight of that. If we don't make payroll, if we don't do X if we're publicly traded, so there really is this heavy financial constraint. And if PCI frees up budget, at first that seemed like a really good idea. And I think we've now crossed the line with some of the people where they're really being held back. And there's some other things, when we're talking, you brought up the quality of people. Those of you that have dealt with external scans or QSAs who maybe weren't skilled or ethical, or either one, you know what I mean? Let me ask you a question really quick. Hey, this is probably as honest a group of people in a room, I think, as we'll probably get. Just guessing. How many of you are brave enough, or are possibly willing to raise your hand and say you have benefited from PCI? There's got to be a few. Oh yeah, there are. Look at that. There are in fact a fair number of folks in this room that would say we've benefited. Is it budget? Is it better security? Is it better living through checkboxes? Jobs, jobs, jobs, rock and roll, right? So, honest people. Let's look at the other side of it.
How many people have had projects turned down because they're not PCI related, or because, and really think it's because they were not PCI related, not because your manager was just giving you a solid excuse? Yeah, I mean, this is a really important point. So far we've been talking about the totality of the design, but I mean, from my purview, in my last job I did this massive market survey and we basically counted 70 different security product markets with their own compound annual growth rates, right? 70. And that's way too many, right? It's an abject fail that we needed 70 to begin with. But if you look at which ones are required by PCI, there's nine of them. So what happened was the economy took a nosedive. You saw nine winners and a whole lot of losers. And a lot of my clients at the time, now a lot of my new clients, they're basically saying, look, I go to my boss, I want to do a DLP project or a network forensics project or this or that, and their boss says, will I be fined if I don't do it? If the answer is no, then you don't get the budget. So it's not that there's no spending beyond those nine, but most of those nine, as I said before, are old, busted stuff near retirement. And a lot of the newer, more modern projects for a new, more modern adversary, or for revolutions in virtualization or cloud or whatever you're going to do differently as your business has changed, if you won't be fined, you basically don't get a budget. So, you know, I mean, it scares me, because what that does is it financially rewards laggard technologies and it financially disincents innovative folks here trying to do startups, trying to do bootstraps, VC-based, whatever. And if there's no buyer for this innovative stuff, or if it's only that small secondary double hump, it's not that there's no market. It's that if you're on that list of nine, you're eating at the buffet table in the banquet hall. And if you're not on that nine, then you're begging for scraps in the streets.
So I'm concerned about the long-term impact of too much money being spent on really old stuff at the cost of us focusing on what we used to try to do, even if we did a bad job: try to figure out the biggest risks in our environment and mitigate them to the best of our ability. That's not the conversation anymore. It's we fear the auditor more than the attacker. I've got another quick question. Just kind of along the same lines, right? So, like, how many of you folks generally agree? I'm like the question-asking guy on the panel, right? But, you know, generally, we don't have any answers up here, so we might as well ask a question. Yeah, I'm throwing it out, right? I mean, again, but I mean, generally speaking, wouldn't most of you agree that, you know, exploitable vulnerabilities, aside from physical types of vulnerabilities, are typically code-related? Yeah. I mean, generally speaking, it's the code. So how the hell do you get to a web application firewall and a really thorough code review being equivalent? Thorough code review? Well, is that required? No, no, no, wait on. I mean, that's what I'm saying. You know, enter PCI, you know, if I'm an uneducated, non-security-background auditor coming through with the checkbox, I can take either one, check you off. Great. Hey, I was going to try to avoid jumping in. I thought a lot of this myself, and moderate, but the code review. So here's one of the things about PCI that drives me nuts, and that's it. It's that code review versus WAF. And it's not what it says. It doesn't say you can't have both, but the way it's framed, and it's largely just misinterpretation, and that's part of what we've been trying to do in the past year, is get people to think about it, get people educated.
But people have now decided, because they only need one, they only have to budget one, and the people that work in web app security hopefully would agree with me that if you want to secure your web apps, you're going to make your code as clean as possible, and you'll probably put a WAF in front of it just in case you miss something dumb. And then you find something. Yeah, yeah, you can temp rugged later. And you go to that web app firewall, it's just like we do on the network side, you go to your IDS, you go to your web app firewall and you say, hey, I got this problem, and until the code gets fixed, I've got to make sure this doesn't get through. You put them together, they're a complementary technology. PCI, intentionally or otherwise, sets them up as competing. And there are several other places where the things just get back and forth and... Yeah, I'm hoping we get to this with Alex, but no. He was starting to open his mouth, so... When Alex says something, and then we have a gentleman... Yeah, this nice gentleman's been standing there. Yeah, he's got something important to say. Yeah, go ahead. Good morning. I think that when we talk about PCI, we need to talk at two levels. One is what we're forced to do at the bank or merchant or service provider level. But I think you're missing a larger point, which is the PCI council level. I agree with the gentleman who said that the fundamental driver for PCI is that the credit card companies want to transfer risk and liability down a level or two. And at the same time, they're trying to say that they are autonomous, and therefore they're making an independent standard like ISO or whatever. But at the same time, they have a symbiotic relationship with their business partners, which are the banks and the merchants.
And how many times have we seen a vulnerability, like with TJX or whatever or Hannaford, which results in discussion about a new control, they put out a draft comment or some draft guidance, and all of a sudden, when it becomes real, it gets watered down because there's been negative feedback. Oh my God, it's going to be too expensive or it's going to be too complex. When you look at PCI, when you try and look at everything at that, at the risk of making the complex simple, we really only have three issues, and I'm kind of getting into slides and stuff later, but that's all right. The first issue is, is it the right thing for the card companies to do? Well, like it or not, unless you go to your congressman, and actually they're going to be able to buy the votes better than you can, so you're screwed anyway. But we don't have any control over that, we won't have any control over that. The second is, I'll call it a microcosmic view, right, if you think of the difference between microeconomics and macroeconomics. Can PCI, can the DSS, can the various standard documents do exactly what they say they think they can do? In a sense, each document they create is a model, and it says we think that some outcome will arrive if this happens, right? And the third problem is on a kind of a macrocosmic view, right, is are we creating things that will fundamentally change the future in ways that we don't know, okay? And that's because what you're looking at is complex systems, and in fact, the answer to your code review versus web application firewall is it doesn't frickin' matter. It doesn't frickin' matter, because if you take and isolate any one control out of a control system that you use to manage a network or group of systems or whatever you're doing, or creating a product or what have you, you're creating, imagine a line, right? In the Verizon data breach report, you'll see that data was encrypted 90% of the time in failures, right?
So when there was a breach, hey, they were really compliant with these couple of things, right? So you cannot, and so what we do is if we focus on one or two things, and we just try and say, we have these wonderful, almost masturbatory sessions where we get up and we get all angry and crazy, what's the outcome? It's, anyway, did you have, like, this is not to be snarky, but was there a question coming? I have a compensating control. First I want to compliment you on being polite, because I wouldn't have said a symbiotic relationship. I think incestuous is a better choice of words. I've been at a QSA re-up and had the tap on the shoulder when I used terms like that, so I try not to. Oh, wait, that does point out one thing. The great thing about the council is the transparency. The point is that when we talk about new controls, there's an opportunity to really make an advancement in a control, and when the control actually comes out it's been watered down to the point where it's even more confusing than it was originally, or it doesn't do what it was originally intended, and I have concerns about that. If we're going to build a control set that is going to increase in effectiveness, we have to keep up with the times and we have to look at the process by which the control is performed and improve it based on previous experience. I don't see that happening. I actually see it sometimes. You can't put that on the checklist. That's not a checklistable commodity, because the QSA is not ever going to be the same. They don't take, sorry, not you. They don't take good notes. They don't provide transparency in terms of audit. You've got a bunch of people running around being assessors, playing auditors, who don't have the training. They don't understand what an audit is. They're not licensed to do audits, and they're not performing an audit in such a way as it would provide you with any kind of useful experience. We call them audits, but they're not. We call them assessments.
Not the people who are getting assessed. They call them audits, and they perceive them to have the same value as, you know, the really great audits like the SAS 70 Type II. There's no working papers to speak of. There's certainly not working papers that are transferred year to year from auditor to auditor. There's no comprehension of timeline. There's these point-in-time assessments that don't tell you what the real state of affairs is. They tell you what the state of affairs is for that day, and that day may be the one day when all the compensating controls work because Bob, Jimmy and Fred all showed up that day. This is not a system that is geared towards the nature of continuous compliance or the nature of regular auditability or instant auditability. This is a system that is designed to do exactly and only one thing, and that's to create the appearance of, it's just wallpaper over that shitty dump. There's not much else you can say for it. A couple of observations on this, one that comes up to me regularly in the security space. We're here at DEF CON because we want to know what is out on the front edge. We want to share what we've found, and we want to be out on the front edge of exploitability, vulnerability, and those of us that are concerned with the defense side, we use that to arm ourselves, at least intellectually, for the battle we're up against. If I have an epiphany sitting here or at BSides when somebody says something and I put my hand up and say, if I do this, will that stop that? The answer is yes, and I'm going to go to market with this idea. If I'm lucky, and it needs a checkbox so that I can get money because my credit cards are all tapped out, God knows my house isn't worth anything, so now I need to get venture money, so I get all of that, I build a company, I get a team of people, I put it together, I've got a product. How long? Two years? Two years to market? If I'm doing good?
If it's a small product, it's 6-8 months, but it's a very niche product. But let's say two years to market, and that's great. Now there's something that I can prescribe and put on a checklist: you have to have this new technology. I get tired of hearing people complain about the fact that PCI is a checklist. The point there is that now, for it to become part of a compliance mandate, it has to be mainstream, and a technology or an approach to handling something that is accepted across the industry, so that it can be prescribed, whether it's a checklist or whatever. So we're two, now three, formerly two, now three years out. So we're looking at a five-year cycle from one of us having a brilliant idea in this room, well, not in this room but one of the other rooms, and getting something that somebody is likely to tell us we need to defend our systems. I'm going to play out, if it's not a checklist, where are the measurement scales? Okay, maybe you're right, it is a checklist. But the problem is the same people who are complaining about using it as a checklist, who are using it as a checklist and not going beyond it, are the same people that would have been looking and going, where can I find a checklist of best practices? The people who are in this room, who are more experienced, who have actually had some time in the field, who are risk-based or at least have the experience to know what the risks are, are actually going out and trying to go beyond, and trying to figure out how your controls can be shaped to meet the PCI requirements instead of just doing what PCI says. So that lower level in the earlier slide, those are the people who, a lot of them, are the junior administrators and people who just haven't had the time, who are working in a company where it's 200 people and 3 assessments, and that's the people who are doing the PCI. I think that there's just people who keep calling it a checklist and keep complaining about it instead of doing something and using it to push management towards doing
something but meta-compliance is hard yes it is it takes thought we cannot let this pass he used the phrase best practices he did it first Owl he did it first second of all this stuff has to be couched instead of whining about it like we're doing on the panel here it's not best practice it's barely good practice we're not even north of negligent yes but at least we're catching the low hanging fruit can we start throwing the phrases out yes so we have raised the bar it was 0 feet high now it's 2 feet high so to be waisted 2 feet of fence I don't know but this has to stay vibrant one of the things is not up in the slide right now with that bell curve again one of the biggest epiphanies we had was early in the debates on your I think it was I was critiquing the efficacy of the security controls because if you look at the digital dozen they're really old and I'm pretty sure anybody in this firm could compromise a fully compliant network because it's not a very high bar and I said you know they can be truly defeated by an amateur attacker I think it was Mike Don who said not if you do them right not if you use them right and I had this like blinding flash to the audience I said wait a second these folks they're responsible and negligent they have to be forced to do something to protect our data and yet we on the same time think they're going to flawlessly execute this stuff so I think 100,000 merchants can do a better job of fixing the system than three car companies so what it is is you know I've been accused of this being a catchphrase but I want the PCI council on the standard to either better wield its power or yield its power and I don't even give up what I mean is if we had figured out a special debate that that community called negligent will only do what they're forced to then you can't get them 80% there or 50% there you need to make that thing really vibrant, really current, really relevant keeping up with evolutions and threat, keeping up with evolutions and 
technology keeping up with changes in business and it's not doing that so if we want to do it let's do it and if it's just a diffusal of blame and money then let's call it what it is and let's not become lazy and complacent well I'm going to do my audit work and then I'm done I'm going to pretend I'm Dave Shackle for a minute how many of you are looking at tokenization or Indian encryption looking at something like What Heartland or some of the other companies are doing where you can buy a new POS and never actually have access to the credit card any of you out there looking at those not really I mean I look and I see barely a handful of hands coming up if you are not looking at tokenization, at Indian encryption technologies, I hate to tell you you're at the lower end of the bell curve if you're not looking ahead at some of these technologies that he's talking about you're at that low end of the bell curve because you need to be looking ahead and saying what can I do beyond this because it's on you to fix the problem it's on those of us at the bottom end to do two things if we care about security we have to fix the problem and we have to be compliant too don't we have two budgets don't we have a compliance budget and that really big budget to secure our business right but is there money left once you pass the audit so how do we change it how do we put pressure on the PCI council how do we get involved in the SIGs what do we do we're going to shift gears for just a minute because we have we do need to look at how we move forward and not just having an argument and we have some Alex has some thoughts on this and it's good I mean PCI there are a couple of different ways to look at PCI that are outside of just what we've been talking about now so we have folks lying up do you have a quick question or is this comments or it's a little bit of both okay I can wait alright that's fine alright you're quick go for it okay so it's a rigged game right that's what you're 
saying but how's it rigged so how many people in the room other than QSAs have seen the QA checklist that QAs have to turn into the council raise your hands right why is it that all these other people haven't seen it because it's not published okay so people don't even know the checklist that they have to work against we don't either we get feedback from the PCI council and it changes from day to day sometimes oh yeah well okay so I went to the first merchant training that they gave back in the spring and it was real interesting I think they must have stock and depends or something because that was the answer that they gave pretty much everything well it depends alright so Mike Don who's not here okay so real quick who's kind of spun up about PCI in a negative way versus positive okay so the rest of you are positive or the rest of you are just like pit stains and don't want to rage I used to get real spun up about it you know Anton and Martin and Mike they would have these blog posts and I'd be like what sort of industrial solve until you guys sniffing you know this makes no sense to me at all and then Mike Don was actually good enough to come out and buy some sweet Korean with me and the guy who ran PCI for a large insurance company and so forth and it really kind of something clicked and that was it ain't going to change you remember I said that we have three things well right now that's in the hands of politicians and bureaucrats and we're not going to be able to change that second is the right thing to do in terms of securing a network although Allison Miller just tweeted or texted and said you know it's funny it's not a network defense system it's a card defense system she's right and the third thing is the right thing to do on a macrocosmic level and we don't know and we're not even trying to know and so what we need to do basically are stages of grief and we need to get to the point where we're at acceptance right with all deference to Jeremiah who did this 
first right and I was I feel fine this can't be happening not to me and we saw this you know DSW chose to take the fines for a while I believe anger why me it's not fair how can this happen to me who's to blame you know I'll do anything for a few more years out of bargaining you know well this expenditure for a while you know depression our industry really is probably unevenly distributed through one through four right depending on who the managers are where should we be I think is the point of acceptance and that's kind of where I got to and that's what might click with me alright so I might as well prepare for it so what does acceptance mean to me folks might disagree with me but I believe that you know let's call it DSS I'll just stick with that it's a hypothesis and ET James if you're into logic and science and stuff he has a great book and he says you know basically all the models that we create they're simply hypothesis and they're built to be falsified right you apply scientific method right so you know basically my assertion is we have with how many how many merchants oh 100,000 or so right we essentially have a pretty good sample of networks if you want to think about it in this way we have the ability to establish control groups we can do all sorts of studies we can start doing something that information is proprietary yeah because you see I counsel I hate yeah so I'm trying to copy I could sell that to you if you could buy a copy of all that data it's seriously it's real cheap that's excellent but basically our organizations I know trust my employer puts out a report along with Mike I wrote the PCI section this year and I really think that as we look at our industry we have two great things that we need to measure and figure out right and one is what we need some sort of measurement scale for the strength of the control right it has to be a rational scale it can't be one through ten it can't be you know some ordinal scale we can't multiply peanut butter 
by jet engine and get fast you know it doesn't work that way even despite what our GRC program say and the second thing is how do we consistently measure a strength of an attack right so if you look at PCI from a pure mind stop being an engineer and say this is a bridge and how can we make the bridge stronger so the next time a big truck comes over it we don't have to worry about it but you actually look at it more as a system or the entanglement of several complex systems we actually have an opportunity and as security professionals and a nascent industry and indeed a proto science for Tom Coon for those of you who are familiar with him we have the opportunity to make a difference for generations beyond because the problem ain't going away whether it's PCI whether it's intellectual property what have you so what we need is some sort of revolution and Jamie's right we don't have transparency but we do have the ability to actually share data get together in groups with ISOCs and so forth anonymize it and get it out there and talk about what we see that's our responsibility that's something we can do besides sit in meetings on a Sunday at DEF CON when we're all fricking hung over and complain about it but math is hard so an interesting point there about security in general PCI in particular and the way we approach it it would be great for us to move towards the scientific method from the rhythm method that we're currently using we would like to close with some thoughts on moving forward but first I'd like to give this patient gentlemen a chance to throw something at us I forgot the rotten fruit this morning sir first full disclosure on the QSA I agree with Mr. Arlen I agree with Mr. 
Arlen that it is getting it's transferring risk merchant response it's tokenization which is again getting rid of risk right so moving it somewhere else PCI as a standard is not going to help companies that don't take security seriously to begin with right so any company that goes through an approach is at a checklist or does business with a QSA that sees this as a checklist approach it's not going to help them it never has never will 10 years ago the stuff that's in PCI I was telling companies that I worked for to do it right PCI at least gets them to do some of this stuff is it the best that we have don't know it can be better certainly but if you're working with a QSA and the QSA is sticking the checklist you need to get better QSA and as for technologies QSA can QSAs can approve technologies as it were that don't fit the requirements antivirus for example PCI doesn't say anything about application whitelisting but you can use that instead of antivirus and it's a much more effective control so if you're working with a QSA you can't think outside of the checklist they get a QSA we need to wrap up we'll try to get to your questions so just hang on just a moment I'd like to let me put my thought out on wrapping up then we'll give it to the panel what I would like to come out of this my goals and expectations are low I would like people to have an informed opinion about what PCI is doing for and to you and then have an informed conversation that may mean that you can address the PCI working groups it may mean that you can just inform your managers or your employees of what it does and doesn't mean who wants to kick off so ultimately every security conversation should end up talking about the zombie apocalypse right yes so a point of frustration is that this space changes constantly I said it before we have a static approach to a dynamic problem I would just love us to become completely intolerant and impatient being stuck at good I don't even think the standard is 
good anymore it's gotten very stale but let's just say it's good can we please start talking about what better and best look like there's a zombie uprising right now I'm not going to defend myself in a straw house or a stick house I'm going for the brick shithouse but the point is we've been stuck on this conversation for years now and it does not look like they're going to change so if they're not going to lead the way then you need to but there are improvements being made I mean you look at somebody like a company like this who is actually now starting to come back to the acquiring banks and say we don't want you to make the merchants we don't want you to require the merchants to retain credit card information and actually Visa is starting to make moves to say we require that you can't have your merchants retain credit card information and I think that's really where we need to do Jamie is perfectly correct in saying that it's a risk transference and there's no reason for merchants to have all this information to get rid of it if you don't have a data retention that says as soon as we can get rid of it it's gone then you're just keeping stuff that says putting you at risk and that's one of the main things is I'm tired Jamie next I want you to push I want you to push back against all of this crap because you can see that it's crap I want you to say it's not good enough it's not enough to just really be compliant nobody wants to live in a house that's built to minimum building code standards why the hell are our computers the same way why are these machines no longer deterministic why are these systems predicated upon failure rather than predicated upon success there's no reason that we should still be using a system that is entirely built to service the needs of one of those old fashioned shik shik machines rather than something that is real time current, capable and useful it's time for the system to be upgraded PCI 2.0 should be the death of the 16 digit system 
because it's time you should be going to your congress critters or if you're in another country whatever you use for congress critters and you should be instructing them to do the damn right thing deal with the usury problem deal with the racketeering problem the quick pro quo for being a world currency is acting like a mature adult instead of a petulant four year old with fantasies of how the universe works and I want you to channel out a motion and push back in a rational logical and transparent manner and that is to your comments sir you've got responsibility too if you think compensating control is sweet great, publish it put it out there, I got the fricking new school of security blog, it's all there right, so do it become rational use your minds my gosh, you're a bunch of geeks use your minds as a weapon but do it in a scientific method it's hard to follow a statement like use your mind as a weapon but you have a weaponized mind so let's hear what you have to say kung fu action I want to get a little more tactical because no offense dudes but that's like let's all dance and sing and influence the politicians and good luck but hypothetically and I'm not disagreeing I think it's messed up just like everybody in this room does but my philosophy is more what can I do right in front of my face what kind of things can I do right now you got most people I'm not allowed to go the hell away okay, I'm down with that but what if you could use that opportunity to improve security in your organization that's as much up to you as the fight the power kind of rub that you just heard from my co-panelist so that's the first thing the second thing is get a qsa that is not just completely full of shit that so I'm a qsa right? 
feels like an AA meeting welcome dude I have a very long background technically so I was sitting through the qsa training and it was crap it was three days of one spiral bound book that told me the right things to say when asked x, y and z questions and I took the test and it was shit it was easy everyone of you could pass it whether or not you had any real involvement in the auditing world or not so here's what you can do today based on the thing I just said use this as an opportunity get a qsa that is good interview them ask them hard questions read their blog great we're gonna go to you we only have a couple of seconds this is part of an ongoing conversation I invite you to find us continue the conversation tell us we're full of crap we already know that this all started on twitter and you can find all of us on twitter and with that we'll see how many we can get in so um for all the folks complaining that PCI is a checklist yeah get over it it's like going to the amusement park you must be this high to ride it's a minimum standard um this is a case of business negotiation I'm sorry where's your measuring scale for whether it is a minimum or maximum standard sorry you said it's a minimum standard how do you know that it is a minimum how do you know it's not a maximum have you met any kind of compliance that is not a minimum standard no you don't have a measurement scale it's like you have practices in order to say this is best or minimum if you don't need it you get fined or you can't participate it's a minimum standard I don't know what's the way we use tools I live in Massachusetts Lynn Ladder it's completely covered with labels and they get sued if people misuse their tool um PCI is misused for security and they are they're using it for things it wasn't designed for one more quick observation the reason we haven't made it through the five stages of grief is because this is a business negotiation retailers through for example retail federation have an 
opportunity to fight back and influence and change the standard and depending on your perspective you might be fighting to water it down or you might be fighting to make it more clear so that's why we're in it and yes we need to be fighting to make it better more clear etc and by the way I completely agree we need to get the heck away from Pan and other published data and things that are printed on cards that we use to identify ourselves thank you all very much we want to make sure the next group gets up on the stage so thank you all we will be taking questions