PCI 2.0: Still Compromising Controls and Compromising Security

Presented at DEF CON 19 (2011), Aug. 6, 2011, 4 p.m. (50 minutes)

Building on last year's panel discussion of PCI and its impact on the world of infosec, we are back for more- including "actionable" information. Having framed the debates in the initial panel, this year we will focus on what works, what doesn't, and what we can do about it. Compliance issues in general, and PCI-DSS in particular, are driving security in many organizations. In tight financial times, limited security resources are often exhausted on the "mandatory" (compliance) at the expense of the "optional" (actual security). We will focus on the information needed to reconcile these issues, and encourage the audience to continue the discussion with us.


  • Dave Shackleford - @daveshackleford
    Dave Shackleford is a SANS Analyst, instructor and GIAC technical director. He has consulted with hundreds of organizations in the areas of regulatory compliance, security, and network architecture and engineering. He's worked as CSO for Configuresoft, CTO for the Center for Internet Security, and has also worked as a security architect, analyst, and manager for several Fortune 500 companies.
  • Martin McKeay - @mckeay
    Martin McKeay is the host and author of the Network Security Blog and Podcast. He is a well known expert in the field of PCI and has worked as a QSA for over four years; he's seen the security compliance can encourage, as well as the lengths people will go to in order to avoid implementing real security. He is an advocate for PCI and compliance while recognizing it's limitation, a dichotomy that sometimes threatens his sanity.
  • Alex Hutton - @alexhutton
    Alex Hutton likes risk, critical thinking, and data. He writes for newschoolsecurity.com dub cloud.com, and Verizon's security blog.
  • Joshua Corman - @joshcorman
    Joshua Corman is the Research Director for Enterprise Security at The 451 Group and founder of RuggedSoftware.org. A passionate advocate for the security practitioner, he is known for his candor, intellectual honesty, and willingness to challenge the status quo - tackling topics like his 7 Dirty Secrets of the Security Industry and Is PCI the No Child Left Behind Act for Security?
  • James Arlen / Myrcurial - @myrcurial   as James Arlen
    James Arlen , CISA, sometimes known as Myrcurial is a cyber-security cyber-consultant usually found in tall buildings wearing a cyber-suit, founder of the Think|Haus hackerspace, columnist at Liquidmatrix Security Digest, Infosec Geek, Hacker, Social Activist, Author, Speaker and Parent. He's been at this security game for more than 15 years and loves blinky lights and shiny things. Cyber.
  • Jack Daniel - @jack_daniel
    Jack Daniel is old, and has a Unix Beard, so people mistakenly assume he knows stuff. He still makes no attempt to correct this gross misunderstanding. Jack has proven himself to be an inciteful moderator on compliance topics. He has many years of network and systems administration experience, and a bunch of letters after his name. Jack lives and breathes network security as Product Manager for Tenable.
  • Panel