PCI, Compromising Controls and Compromising Security

Presented at DEF CON 18 (2010), Aug. 1, 2010, noon (50 minutes)

PCI at DefCon? Are you on drugs? Sadly, no: compliance is changing the way companies "do security", and that has an effect on everyone, defender, attacker, or innocent bystander. If you think all that 0-day you've heard about this week is scary, ask yourself this: if a company accepts credit cards for payment, which is the more immediate threat: failing an audit or the possibility of being compromised by an attacker? That is one of the reasons "they" do not listen to "us" when we try to improve security in our environments: as real as they are, our threats are theoretical compared to failing a PCI assessment. Systems are hardened against audit, not attack. Sadly, this is often an improvement, but it can also reduce security and provide a template for attackers. This panel will discuss and debate the strengths and weaknesses of PCI, expose systemic problems in PCI-DSS, and propose improvements.

  • James Arlen / Myrcurial as James Arlen
    James Arlen, CISA, sometimes known as Myrcurial is a security consultant usually found in tall buildings wearing a suit, founder of the Think|Haus hackerspace, columnist at Liquidmatrix Security Digest, Infosec Geek, Hacker, Social Activist, Author, Speaker and Parent. He's been at this security game for more than 15 years and loves blinky lights and shiny things. Cyber. @myrcurial on Twitter
  • Alex Hutton
    Alex Hutton likes risk, critical thinking, and data. He writes for newschoolsecurity.com dub cloud.com, and Verizon's security blog. @alexhutton on Twitter
  • Martin McKeay
    Martin McKeay is the host and author of the Network Security Blog and Podcast. He is a well-known expert in the field of PCI and has worked as a QSA for over three years; he's seen the security that compliance can encourage, as well as the lengths people will go to in order to avoid implementing real security. @mckeay on Twitter
  • Anton Chuvakin
    Dr. Anton Chuvakin is a recognized security expert in the field of log management and PCI DSS compliance. He is the author of the books "Security Warrior" and "PCI Compliance" and a contributor to "Know Your Enemy II", "Information Security Management Handbook" and others. Anton has published dozens of papers on log management, SIEM, correlation, security data analysis, PCI DSS, and security management. @anton_chuvakin on Twitter
  • Dave Shackleford
    Dave Shackleford, Director of Security Assessments and Risk & Compliance at Sword & Shield Enterprise Security, is a SANS Analyst, instructor and GIAC technical director. He has consulted with hundreds of organizations in the areas of regulatory compliance, security, and network architecture and engineering. He's worked as CSO for Configuresoft, CTO for the Center for Internet Security, and has also worked as a security architect, analyst, and manager for several Fortune 500 companies. @daveshackleford on Twitter
  • Joshua Corman
    Joshua Corman is the Research Director for Enterprise Security at The 451 Group and founder of RuggedSoftware.org. A passionate advocate for the security practitioner, he is known for his candor, intellectual honesty, and willingness to challenge the status quo, tackling topics like his 7 Dirty Secrets of the Security Industry and Is PCI the No Child Left Behind Act for Security? @josh_corman on Twitter
  • Jack Daniel
    Jack Daniel is old, and has a Unix Beard, so people mistakenly assume he knows stuff. He makes no attempt to correct this gross misunderstanding. Jack has proven himself to be an inciteful moderator on compliance topics. He has many years of network and systems administration experience, and a bunch of letters after his name. Jack lives and breathes network security as Community Development Manager for Astaro. @jack_daniel on Twitter