Presentation title: PCI DSS 3.0: A Primer on Preparing for the Change, presented at BsidesDFW 2013

by Branden R. Williams

Summary: PCI DSS is now ready for the next iteration of its standard, version 3.0. By the time the conference rolls around, people will have been able to review it for a few months, but how will it translate into action for the community? What new questions have come up, and what product areas are either obsolete or flourishing?
As companies start preparing budgets for FY2015, they need to know how the new requirements in PCI DSS 3.0 impact the puts and takes to the bottom line. What technology or service can they cut from their operations? What new capital or operational expenses will they need in order to comply? What business decisions might be made about the payment strategy in general as technologies like Mobile and Cloud impact how we consume and deliver services? How do I manage my QSA (or my internal auditors) to minimize the impact to my company when dealing with the changes in the standard? These are the strategic questions we will answer in this short session.
As a former Board of Advisors member, QSA, and advisor to companies big and small on PCI DSS, I know that changes in the standard always bring out lots of questions about how to proceed. The document itself is large and cumbersome, and most companies just want a few key goals they can manage toward to move into compliance with the new standard. As someone who has served in the community for over nine years, I will give attendees real answers to real problems, not the standard answer provided by the Council of “It’s up to your assessor.”
This short session will highlight the changes in PCI DSS 3.0, include some free tools for tracking progress against those changes (and the standard overall), and provide tips for big and small companies on how to further reduce the impact of PCI DSS with strategic adjustments in their company.