According to a recent Information Security and SearchSecurity.com survey, 78% of security professionals said that the recession has raised the urgency of PCI DSS compliance, and 88% said assessments and audits are tougher this year than last. The combination of fewer resources and strained budgets caused many companies to take their eye off compliance, and now they are paying the price – scrambling to keep pace with the changing requirements and facing tougher audits.
The initial regulation for PCI DSS compliance was somewhat lax and disjointed, but now, in year four of the PCI compliance wave, the PCI Standards Council is cracking down on lax assessors, and continuous changes to the regulation spur new questions and challenges.
Case in point: Mastercard just changed the game for Level 2 Merchants stating that they must hire a PCI-approved auditor to complete an annual onsite data security assessment by Dec. 31, 2010 – marking the end of the days of self-assessments. Not to mention the wireless security changes calling for all merchants using Wired Equivalent Privacy (WEP) wireless encryption standard to convert to Wi-Fi Protected Access (WPA) standard by June 30, 2010.
So, how can you keep pace with the changing regulation, pass your next audit and strengthen your overall security posture? Attend our PCI Forum to discover tactical advice on how to meet the requirements of PCI and integrate PCI into your overall compliance program. Independent experts Diana Kelley, partner at SecurityCurve, and Ed Moyle, manager at CTG, review the changes between 1.1 and 1.2, how to address compensating controls (and how the definition of compensating controls has changed in the last year), application security requirements (requirements 6 and 6.6) and the steps you must take now to keep your organization compliant throughout 2009 and prepare for 2010.
Remember, passing your audit last year doesn’t give you a free pass this year! Don’t be left flat-footed – attend this essential event and receive the latest information on PCI DSS, advice on how to meet today's PCI challenges and how to prepare for on-going compliance in an unstable economy.
Admission is free but seating is limited. Apply today!
Session 1: PCI Setting the Stage for Success
Compliance is a necessity for all organizations in the payment process, but how far do merchants need to go in addressing PCI requirements? In this session, Diana Kelley and Ed Moyle walk you through the payment lifecycle; the roles of issuers, acquirers, merchants and service providers; and the who, what and why of the PCI assessment process. Attend and dive deep into how to scope the cardholder data environment appropriately to reduce the audit surface and reduce costs, and get an explanation of compensating controls and when to use them. Return to the office with straight answers to the following questions:
- Who has to comply with PCI DSS?
- Which companies have to validate the requirements?
- What does the assessment process entail?
- What does it mean to scope the audit environment for improved efficiency?
- When, where, and how to use compensating controls?
Session 2: The PCI Audit: Requirements 1 - 6
In this session, Moyle and Kelley review the first six requirements for PCI while addressing changes between 1.1 and 1.2. Learn strategies for defining physical and technical boundaries that help reduce the scope of PCI assessment, saving time, energy and resources.
They explain how to institute a preliminary gap analysis to show where you might be deficient in your audit and how to use the results of the gap analysis to locate potential compensating controls. Save your company money by understanding when implementing compensating controls is sufficient for achieving compliance and when purchasing new solutions is necessary. Review the documentation, procedural and technical implementations for each of the first six requirements:
- Requirement 1: Firewalls
- Requirement 2: Vendor-supplied defaults
- Requirement 3: Protect stored data
- Requirement 4: Network encryption
- Requirement 5: Anti-virus software
- Requirement 6: Develop and Maintain Secure Systems and Applications
Session 3: Software Security for Compliance, PCI and Beyond
PCI 6.6 has been the subject of some confusion for merchants trying to interpret the requirements and how to secure Web-facing applications. In this session, Kelley explains web-application security, PCI requirements 6 and 6.6, the PA-DSS and why creating secure code is essential to protecting assets. She provides an explanation of how security can be woven throughout the software development lifecycle and explains some of the most common web application security vulnerabilities.
Session 4: The PCI Audit: Requirements 7 - 12
Ed Moyle and Diana Kelley continue their deep-dive of PCI audit and the PCI requirements by reviewing requirements 7-12. They show you the documentation, procedural and technical implementations for these requirements and conclude with a list of top recommendations for successfully meeting PCI:
- Requirement 7: Restrict Access to Cardholder Data
- Requirement 8: Authorization and Authentication
- Requirement 9: Restrict Physical Access
- Requirement 10: Track Access
- Requirement 11: Test Security Systems and Processes
- Requirement 12: Policy, and recommendations for success
Register online or call Ryan Hawley at 508-621-5594.
| Date & City | Location |
|---|---|
| October 15, 2009, Houston, TX | CANCELLED |
Agenda
| Time | Item |
|---|---|
| 8:00 am | Registration and Morning Refreshments |
| 8:45 am | Welcome and Introductions |
| 9:00 am | Session 1: PCI: Setting the Stage for Success |
| 10:00 am | Peer Networking / Refreshment Break |
| 10:40 am | Session 2: The PCI Audit: Requirements 1 - 6 |
| 11:40 am | Solutions Spotlight: SAINT |
| 11:55 pm | Lunch and Exhibits |
| 1:10 pm | Session 3: Software Security for Compliance, PCI, and Beyond |
| 1:55 pm | Peer Networking / Refreshment Break |
| 2:15 pm | Session 4: The PCI Audit: Requirements 7 - 12 |
| 3:15 pm | Giveaway / Seminar Adjourns |