Notes from the Jan 2016 PCI Conference

Published: 10 February 2016

By Andy Harris

The PCI DSS 3.0 theme was as strong as usual, with all the reminders that outsourcing doesn't mean outsourcing responsibility for personally identifiable data.

There was more of an examination of the relationship between merchants and their outsourced payments providers. This was reflected in the visits we had to our stand: at this conference more delegates were interested in Third Party Access solutions. During the sessions we had several visits from other vendors asking how we could make their access to customers quicker, more secure and fully compliant.

We listened to an interesting presentation from some pen testers that revealed that native applications were much easier to crack than client/server applications. It was mentioned that native apps held credentials in memory and often cached them to file so that users need not remember them. That 'usability' is a serious security flaw that attackers will exploit!

The end-user presentations are a highlight of the PCI conference. It seems a common theme these days that working on security and compliance brings a business clarity that translates into efficient operations and increased profit. The process of analysing where the core assets lie and how they should be protected helps to reveal inefficient, insecure processes. These get fixed, and the business is in better shape.

