You don’t have to spend too much time in the world of PCI DSS compliance to hear of the “PCI Dream Team.” So who are they, and what do they do?
The name “PCI Dream Team” is a somewhat tongue-in-cheek name for a group of 4 senior QSAs and security consultants. Collectively they’ve been in the payments security space for a long time, have extensive experience with lots of different clients, and have seen lots of different environments. This is an enthusiastic group of security professionals.
Periodically the PCI Dream Team host panel sessions, where they accept questions around PCI compliance from the audience, and answer them. These sessions are mostly done through webinar platforms like Brighttalk, but they’ve also started to do live sessions at industry events such as the (ISC)2 Security Congress, and Secure360.
What’s to learn?
From my perspective, these events provide two distinct benefits:
- they provide an opportunity to ask some challenging questions to experienced QSAs, and listen to the guidance offered on various topics;
- perhaps even more valuable, they provide the opportunity to hear how multiple QSAs can have significantly different answers to the same question on a challenging topic.
The PCI DSS is often thought of as a quite prescriptive standard, and in some cases it is: the rules on password complexity, change frequency, and history are pretty clear-cut. But many areas are much more open to interpretation, particularly when they touch on the issue of scoping.
PCI scope exists wherever card numbers are present, or wherever a system or process could affect the security of the Cardholder Data Environment. Listening to veteran QSAs discuss these corner cases really illustrates that the PCI DSS is much more subjective than you might at first think. It also reinforces how involving your QSA early in discussions of new solutions can streamline your on-site assessment later.
Who are the members of the PCI Dream Team?
There are 4 regular members of the PCI Dream Team. They are:
Where can I listen to recordings of the PCI Dream Team?
We maintain a local index of publicly available PCI Dream Team sessions. This list will be updated as new sessions become available.
Contacting the PCI Dream Team
The PCI Dream Team actively solicit feedback and questions for future sessions and webinars. They can be contacted by emailing firstname.lastname@example.org.
You can keep up with their activities on Twitter by searching for the hashtag #pcidreamteam.