We've been busying ourselves with the PCI DSS in one way or another for more than a year now here at SensePost. It's been a frustrating exercise of mixed messages, politics and tokenism, combined with a healthy dose of mixed feelings about what the standard offers and whether that's good for anyone at all. Now, finally, we're accredited to do this, that and the other under the standard, so we feel it's time to start speaking our minds on the subject.
First stop: Las Vegas.
We've agreed with Black Hat to present a course called 'Hacking By Numbers - PCI Edition' at this year's show. As you know, the PCI DSS is having a huge impact on the security industry. One effect it's had is to make annual penetration tests mandatory in some segments and thereby spawn a whole new class of off-the-shelf penetration testers. As SensePost now has both the ASV and QSA accreditations, our idea was to offer a pentesting course for people performing tests for the purpose of PCI certification. The approach would be to present a *technical* course for beginner penetration testers that focuses on the approach and priorities required by the PCI standard. We want to add some theory about the standard itself and where/how penetration testing fits in.
Beyond just teaching what a 'compliant' penetration test is, this course will focus on teaching real-world Internet attacks aimed at actually compromising cardholder information. We've even given the course a byline: "Hacking By Numbers PCI Edition - Hack like you mean it".