What is the PCI Dream Team?

You don’t have to spend too much time researching the world of PCI DSS compliance to hear of the “PCI Dream Team.” So who are they, and what do they do?

The name “PCI Dream Team” is a somewhat tongue-in-cheek name for a group of 4 senior QSAs and security consultants. Collectively they’ve been in the payments security space for a long time, have extensive experience with many different clients, and have seen many different environments. This is an enthusiastic group of security professionals.

Periodically the PCI Dream Team host panel sessions, where they take questions about PCI compliance from the audience and answer them. These sessions are mostly run through webinar platforms such as Brighttalk, but they’ve also started to do live sessions at industry events such as the (ISC)2 Security Congress and Secure360.

From my perspective, these events provide two distinct key values:

  1. they provide an opportunity to put challenging questions to experienced QSAs, and to listen to the guidance offered on various topics;
  2. perhaps even more valuable, they provide the opportunity to hear how multiple QSAs can give significantly different answers to the same question on a challenging topic.

The PCI DSS is often thought of as being quite a prescriptive standard, and in some cases it is: the rules on password complexity, change frequency, and history are pretty clear cut. But many areas are much more open to interpretation, particularly when they touch on the issue of scoping.

PCI scope exists where there are card numbers present, or wherever something could impact the security of the Cardholder Data Environment. Listening to the discussion between veteran QSAs on these corner-case topics really illustrates how the PCI DSS is actually much more subjective than you might at first think. It’s also good for reinforcing how involving your QSA early on in discussions of new solutions can really streamline your on-site assessment later.

Who are the members of the PCI Dream Team?

There are 4 regular members of the PCI Dream Team. They are:

Where can I listen to recordings of the PCI Dream Team?

Most of the sessions held to date are available on the Brighttalk site.

Not sure if you want to spend several hours listening to some guys talking about PCI DSS? Are you a member of (ISC)2 or ISACA, or some other organization that issues professional certifications, and do you need training credits to remain in good standing? If so, time spent listening to these sessions should count towards those hours – just be sure to download the certificate after you’ve listened to a session.

Note that these are listed in reverse order. The most recent, and potentially relevant, are at the top of the list.

Contacting the PCI Dream Team

The PCI Dream Team actively solicit feedback and questions for future sessions and webinars. They can be contacted by emailing pcidreamteam@gmail.com.
