Articles in the PED / Payment Terminals Category

Conferences / Webinars, PCI News, PCI Philosophy / Approach, PED / Payment Terminals, headline »

[30 Sep 2010]
PCI Community Meeting Follow-Up

I started to write a detailed feedback post on the 2010 PCI Community Meeting in Orlando that I attended last week, but realized that there were far more intelligent people than myself already posting, so I’m going to keep my commentary to impressions and general feedback and provide some links to posts that should prove useful for those that are interested in some of the details that came out of the meeting (and what’s coming in PCI / PA 2.0).
To begin with, the entire attitude of the meeting this year …

Alerts, Interesting, PCI News, PED / Payment Terminals, Retailers, application security, headline »

[27 May 2010]
ExxonMobil’s PA-DSS Extension

The link to the article on StorefrontBacktalk is below (thanks Evan) - this is really interesting.  It appears that VISA is providing an extension to ExxonMobil on the July 1st, 2010 PA-DSS deadline…
This implies two things (as far as I can see):

That the deadline everyone was wondering about is legit - why would ExxonMobil feel the need to negotiate an extension with VISA unless the deadline was going to mean something and VISA was going to enforce it at some meaningful level?
If you are big enough, VISA is going to …

Alerts, Conferences / Webinars, PCI News, PCI Philosophy / Approach, PED / Payment Terminals »

[1 Dec 2009]

The Council is hosting a couple of ‘open mic’ webinars for industry stakeholders on the 8th and 9th of December.  They are trying to update the industry following the Community Meeting and get some feedback or questions….
These are typically reserved for Participating Organizations, but for this round they are opening it up to the broader industry…  Here’s the link:
PCI Council Webinar Release

PCI News, PCI Philosophy / Approach, PED / Payment Terminals »

[15 Oct 2009]
A Quick Note on PA-DSS and the July Deadline

Every business day I have multiple conversations with software vendors regarding PA-DSS. Some of these vendors are currently being pressured by important clients to address PA-DSS validation. Some are looking at their strategic product investments over the next 18 months including technology, feature enhancements, marketing, etc. and are building PA-DSS into their operational model. These two groups are actively moving forward with the PA-DSS validation process. NetSPI is helping them with potential changes to process, documentation, and (if needed) code to make certain that their applications are going to successfully …

PCI News, PED / Payment Terminals, application security, featured »

[9 Sep 2009]
PA-DSS Question & Answer

This morning I had an interesting thought - I want to offer up something to anyone that is reading this blog and may have some questions regarding the Payment Application Data Security Standard (PA-DSS.) 
This is an invitation to a ‘passive PA-DSS Q&A session’.  The reason I am calling this ‘passive’ is that this is not going to be a live session - if you have questions regarding the PA-DSS, what certain requirements mean, or how your particular situation affects its applicability to you, post it in the comments and …

Alerts, Conferences / Webinars, PED / Payment Terminals, Vendors »

[3 Mar 2009]

The webinar that NetSPI put on with VeriFone is up on the VeriFone webex repository.  It requires registration, but they have been very careful with the use of the registration information that they have gathered, so I’m not concerned about it.
The webinar was built to answer some questions for merchants in particular, so this isn’t an overly technical presentation, but it should help shed some light on how PA-DSS differs from PABP and why retailers and online merchants should care about the standard.  It also showcases some of VeriFone’s solutions …

Alerts, PCI Philosophy / Approach, PED / Payment Terminals, Vendors »

[18 Nov 2008]

It’s good to see a ‘vendor’ understanding that providing a secure solution is extremely valuable to the retail community…
VeriFone Takes Lead in Securing Card Payments with PA-DSS
Will Only Provide PA-DSS Audited Payment Applications in Initiative that Supports New Rules Governing PCI Compliance for All Levels of Merchants
VeriFone Takes Lead in Securing Card Payments with PA-DSS - MarketWatch.

Alerts, PCI Philosophy / Approach, PED / Payment Terminals »

[31 Oct 2008]

This is an article on StorefrontBacktalk that I think everyone should see…  PA-DSS is a very misunderstood situation at the moment and has a LARGE number of software vendors suddenly scrambling for certification.
Their scrambling successfully (or unsuccessfully) is going to have real impact on the PCI standing and security posture of the entire retail community.  There are currently only 16 consulting organizations in the US that are performing this work and, as my employer (NetSPI) was one of the first 8 on the list, we are heavily focused on this aspect …

Conferences / Webinars, PCI News, PED / Payment Terminals »

[18 Aug 2008]

Thanks to the guys at Payments News
The PCI Security Standards Council is putting on a webinar to help explain how the various PCI standards fit together. Here’s the link to the press release (which has a link to the registration site.)
A Perfect Fit: Understanding the PCI Security Standards

PCI News, PED / Payment Terminals, Retailers »

[11 Aug 2008]

This article is interesting (as is the blog) particularly given the fact that a number of large retailers still don’t seem to take a holistic view of their security situation…  I used to be involved in a number of very large payment terminal deployments (and our company went through the key encryption certification process) and we were working with getting retailers to move to security debit terminals years ago….
I have my feelings regarding the mystery merchant, but we’ll have to see if I’m right when they (hopefully) step forward…
StorefrontBacktalk - …