I started to write a detailed feedback post on the 2010 PCI Community Meeting in Orlando that I attended last week, but realized that there were far more intelligent people than myself already posting, so I’m going to keep my commentary to impressions and general feedback and provide some links to posts that should prove useful for those that are interested in some of the details that came out of the meeting (and what’s coming in PCI / PA 2.0).
To begin with, the entire attitude of the meeting this year …

OK - so I’m on a plane this afternoon (for the 4th week in a row - my wife loves me right now!) heading to Orlando - it’s time for the PCI Community Meeting!
Last year blogging was unofficially encouraged, but there really wasn’t all that much to blog about - this year should prove a bit different given the release of the updated standard.  I’ll try to put together a post or two on relevant and interesting information (that I’m allowed to share), but I’ll also be the moderator on …

The Council is hosting a couple of ‘open mic’ webinars for industry stakeholders on the 8th and 9th of December.  They are trying to update the industry following the Community Meeting and get some feedback or questions….
These are typically reserved for Participating Organizations, but for this round they are opening it up to the broader industry…  Here’s the link:
PCI Council Webinar Release

OK - this is the feedback on the Community Meeting that I had mentioned although it really turned into a philosophical post about what your PCI partners should really be doing for you (hint: being a partner).
This one’s over at the NetSPI blog as well (I swear that I’m still going to be posting over here on a more regular basis, but, since NetSPI’s doing a good job with the blog, I’m going to blend my posts between the two blogs…).  Any feedback is going to have to come here, …

If anyone is heading out to the PCI Community Meeting in Las Vegas next week and wants to connect, let me know (best way to connect is via email. Several of us from NetSPI are heading out to participate in the meeting and I’m looking forward to an informative meeting.
I’ll be at the meeting Tuesday through Thursday evening so let me know. I’ll also try post after getting back from the meeting with anything interesting or useful that I find out. One of the other …

This was actually the first time that I saw Bruce speak (which is odd since we live in the same metro area) and I must say that I’ve somewhat avoided him as I’m not a big fan of the whole celebrity-like, hyped-up thing (I still haven’t seen Forrest Gump and probably never will), but I thought this was a really good talk and I found myself pleasantly surprised.

Bruce Schneier: The Future of the Security Industry: IT is Rapidly Becoming a Commodity from David Bryan on Vimeo.

Thanks to David Bryan for getting these up!  Here’s another video from the event - this one is the presentation on OpenSAMM - interesting and also very much geared towards development of security applications.  I think this is a great approach, but I have to admit that the practicality is something that I wonder about…

Pravir Chandra: Software Assurance Maturity Model (OpenSAMM) from David Bryan on Vimeo.

Here’s a video of Seth Peter, NetSPI’s CTO, presenting to the Minnesota OWASP chapter’s annual half-day conference…

Seth Peter: The Developers Guide to PCI DSS and PA-DSS Requirements from David Bryan on Vimeo.

Seth Peter, NetSPI’s CTO participated in a webinar on Preventing Multi-Vector Attacks with Eric Schultze from Shavlik.  When two very technical security CTOs get together there is a concern (a legitimate concern) that things are going to be unmanageably technical, but it actually turned out to be a great event.  It was very conversational and did a very good job of highlighting some of the concerns involved in dealing with sophisticated attacks.
With that said, it might not be the sort of content that you are going to want to ask …

The webinar that NetSPI put on with VeriFone is up on the VeriFone webex repository.  It requires registration, but they have been very careful with the use of the registration information that they have gathered, so I’m not concerned about it.
The webinar was built to answer some questions for merchants in particular, so this isn’t an overly technical presentation, but it should help shed some light on how PA-DSS differs from PABP and why retailers and online merchants should care about the standard.  It also showcases some of VeriFone’s solutions …