R&H ISAC and PCI SSC Present: Tips for Transitioning to PCI DSS v4.0 – A Conversation with Target

 

In this episode, Retail & Hospitality ISAC podcast host Luke Vander Linden is joined by co-host Alicia Malone, senior manager of public relations at PCI SSC, Kandyce Young, manager of data security standards at PCI SSC, and Tony James, director of cyber security at Target, to discuss the rollout of PCI DSS v4.0. Questions relating to the rollout? Register here for the joint RH-ISAC and PCI SSC webinar on PCI DSS v4.0 on May 25 at 3 p.m. ET. More information about PCI SSC and the new version of the standard, PCI DSS v4.0, can be found on the following resources page.


Luke Vander Linden:

As listeners of the R&H ISAC podcast know, I’m Luke Vander Linden, Vice President of Membership and Marketing at the Retail and Hospitality ISAC, and I’m the co-host today because we have another host with us, Alicia Malone. Alicia.


Alicia Malone:

Hi, Luke. It’s so great to be with you today. I’m Alicia Malone. I’m the Senior Manager of Public Relations at the PCI Security Standards Council. And this is a special episode indeed because this is actually the first time we’ve done a co-host opportunity with a third-party stakeholder. So, we are so excited to be here today.


Luke Vander Linden:

Yes, we’re excited too, and we hope this goes well. I think it’s good. It’s going to be good to work with you. Alicia and I have each brought a guest of our own to this segment. My guest is Tony James, Director of Cybersecurity at a long-time R&H ISAC member, Target. Who did you bring, Alicia?


Alicia Malone:

I have Kandyce Young with me. She is the manager of data security standards at the PCI Security Standards Council.


Luke Vander Linden:

Excellent. Welcome to you both. The rollout of PCI DSS v4.0 is something that’s been in the works for a while, but if you haven’t been paying attention to it yet, frankly, there’s no time like yesterday. So, just as a means of setting the stage, we’ve seen a significant increase in POS malware just over the last two or so years, right? And I know at least in our sharing communities, we’ve seen increased interest in skimming activity overall, but more specifically around tactics like using cloned cards and getting cashiers to bypass chip-enabled security. And of course, they’re creating cloned cards using stolen card data captured via skimming devices installed inside of gas pumps, ATMs, point of sale devices. So, I guess Tony, let’s start with you. I guess these and other threats are what PCI DSS v4.0 is trying to address.


Tony James:

Yeah, yeah, thanks for having me, folks. Definitely, PCI DSS v4.0 addresses some of these concerns and, as a retailer, we’re definitely seeing some of those risks related to digital skimming. And like you said, trying to force beyond the chip-enabled readers in the stores.

It’s actually cool, one of the things that Target rolled out, and it’s actually open source, is a tool called Easy Sweep to help some of those team members, for any retailer that wants to check those gas payment devices, the point of interaction devices, to actually ensure that there are no skimmers or digital shimmers in there as well. And so that’s something we’ve worked on to help both Target and the industry. Beyond that, digital skimming is definitely a concern. We’ve also open-sourced a tool called Merry Maker that anyone can download and leverage. Feel free to reach out, as we can provide the Git repo and so on, to just access that and see how it would work for your organization to protect against digital skimming. These are probably two of the most prevalent payment security related issues that retailers are facing these days. And that’s what we’ve tried to do to help the industry and provide those solutions that can work for everyone.


Kandyce Young:

That’s really good, Tony. I think because PCI DSS from its inception was really about fostering the broad adoption of consistent data security measures all around the world. So, with the new version of PCI DSS, we needed to make sure that it evolved to align with the evolution in payments, right? So, a lot of the areas that the new version focuses on, you know, flexibility to implement technology, but also meeting the security needs of the payments industry, tackle those exact items that you discussed. Because we had open RFC comments for our stakeholders, we got over 6,000 comments about how organizations are looking to better secure their environments and what we need to do to help them achieve those better security practices. So, with all of those comments, that really drove the evolution and the focus we have on PCI DSS, right? So, we’ve got stronger encryption, more complex authentication, and the e-commerce skimming that you mentioned. So, prevention and detection are key aspects, as well as anti-phishing support, because we know a huge social engineering tactic is phishing. And so, we’ve brought in the technical and awareness components to really drive that home to support our stakeholders.


Alicia Malone:

So, Kandyce, for retailers who are new to PCI DSS v4.0, what should they do to start implementing it in their own payment environments?


Kandyce Young:

The first thing I would say is read the standard. I mean, we’ve got an extensive amount of guidance, best practices, and we really drill down into the why and provide a lot of examples. I mean, that’s why the standard itself has become about three times the size that it was in version 3.2.1, not because of the new requirements, but because the feedback from our stakeholders told us that they wanted clarification, they wanted additional context, and so we provided that in the standard. So read that to really help you understand the requirements, new and updated, and how they impact your organization. So, we’ve included several new concepts that I think organizations should really look at when they’re starting to implement. So, the Customized Approach, right? That is a new way to meet PCI DSS requirements to really help support innovation in the industry. We’ve got targeted risk analysis, right? So, we’ve done away with the formal organization-wide risk assessment and we’re looking at requirements and the specific controls that address security concerns, and looking at how the business addresses their risk to help mitigate the impact of any of those issues. So, we’ve got network security controls, as well as we have the general term of third-party service providers, or TPSPs as we call them, to really wrap in general support for the service provider and merchant communications.

So, I’d say, you know, look into the targeted risk analyses to really help understand how you can meet those requirements to help, let’s say, determine the frequency you want to check for systems not at risk for malware in your system. Well, we offer flexibility to do that. So, make sure you perform the targeted risk analyses and go to, I think it’s requirement 12, that offers details on how to properly perform that.

Another thing I would say is don’t let your version 3.2.1 controls slip. I mean, stay strong with your existing controls because we know, yes, it is a point in time assessment, but the goal is to make sure we perform security as a continuous process throughout the entire year. And even if you do complete an SAQ, which I know some of the retailers do, still review the guidance and the standard because it’s equally applicable. We’ve included considerably more guidance in the standard that may not have made its way to the SAQ, so make sure you read both documents in their entirety.


Luke Vander Linden:

So, Target, ahead of the game as usual. So, Tony, when you were implementing this, what was the biggest realization that you came to and how did you start?


Tony James:

Yeah. So honestly, our biggest realization, Luke, was not to overthink it. So, where Kandyce said, read the standard first, I totally agree. I was going to say, I completely agree that it’s the right place to start. A lot of people jump right to looking at webinars or asking industry experts. And I’m going to get to that. That is absolutely something you should do, but first understand the impact it has to your organization. Kandyce said it really, really well there that the first thing is to read that and understand how it impacts you because oftentimes, if you jump right to what other people are saying, you’re going to be focused on the wrong things.

A great example would be digital skimming. For us, like that is a huge new component in PCI DSS v4.0. It’s not as impactful actually to Target. We already had a solution in place. It was a risk in the industry that we were facing, and we had a solution there that we could just say, okay, that’s our thing now. It’s not a significant impact to us. It’s still super important. A lot of evidence we’ll have to gather. It’s a new thing but it’s not necessarily going to be a huge obstacle or a huge new thing for us to attain. There are other things in there, multifactor authentication or authenticated scans. Those are definitely new in the industry and also somewhat new to Target. And so, there’ll definitely be some lift there, but that might not be the case for other organizations. I’ve definitely talked to some peers out there who have said, “You know what? I already was doing multifactor twice, so it’s not a big deal.” That totally makes sense. But if you just look at what’s happening in the industry and what they’re talking about, you might be focused on the wrong things. So, read the standard first.


Alicia Malone:

Kandyce, do you have any tips on how companies can prepare for this transition?


Kandyce Young:

Yeah, most definitely. In addition to reading the standard, we did publish a Summary of Changes document. And so that is really, really helpful to give you an idea of what was in 3.2.1 versus how it’s kind of been modified in version 4. And it also includes a full list of all of the new requirements added to the standard and when they will be effective. So that is the first resource that I would say. And actually, as Tony was mentioning, you’re prioritizing your remediation activities, right? He was already meeting certain requirements. So now they’re able to have the opportunity to reallocate resources to maybe other areas where they may not necessarily be meeting the appropriate controls for PCI DSS v4.0. It’s important to have that understanding first, right? To be able to kind of reallocate those resources.

I would say, preparing for the transition, another thing is understand the validation options, right? Because as I touched on, we have the Customized Approach, right? And so that is really to help support cutting edge technology that organizations may be using. But it’s really important that if you’re going to embark on that journey of the Customized Approach, start it as early as possible because there’s additional documentation and support required to really help to not only implement but maintain and secure those innovative controls. So, we’ve got quite a few blog posts on this very topic, the Customized Approach, on our website. So, I would say that is a great reference to look at for organizations wanting to understand a little bit more about that.

And I would say document your steps and inventory your components because it’s often overlooked. Establishing policies and procedures, sometimes they’re quite time consuming and you may not know you’re missing steps until your assessor lets you know, right? So, in order to support the ongoing consistent implementation of these security controls, document and inventory, because as part of the new standard, you’ve got to inventory bespoke and custom software, cryptographic cipher suites, trusted keys and certificates used to protect PAN that’s in transit. So, we’ve got a few materials on our website to really help support this transition. So those are the things I would say to start with in helping this transition.


Kandyce Young:

Tony, I know you’ve got some things to say about that. How have you guys really helped to prepare for this transition? I know you engage quite a few trusted experts.


Tony James:

We did, and so I appreciate that, Kandyce. Yeah, I think you nailed it in saying that the first thing to do is to understand what is right for you in digging in, and even understanding what the different ways to validate your compliance are. So, the first step for us really was, after we understood the requirements, I think the document you referenced there, where you’re talking about what the big changes were, is great.

What we did then was actually look back at version 3.2.1 for what requirements had changed and compare, like what was it that changed within their requirements? We could really know like, is it just a wording change that was significant? Is it a brand new requirement? What was it about that clearly changed? That helped us drive how big a deal it really might be. And once we really understood which some of the biggest requirements were, I know that the Council does a great job saying there’s like 64 new requirements. And for us, it’s 64 plus then nine or so that were significant changes. So, we have 75 new or significantly updated requirements that really applied to us. The key then was understanding how big a deal are those and really categorizing those and then talking to those trusted experts. We’ve started going down this path. This is what we think the big changes are. Are we missing anything? And that’s where you engage your QSA. That’s when you engage some of your benchmarking.

Some of you might know, I have a number of groups that I benchmark with, both within Retail and Hospitality ISAC, and I have a couple other benchmarking groups that I facilitate myself just to make sure that we are really aware of what’s going on in the industry and what other people are saying about these. I would say there were about 74 other requirements that we nailed and then there was one like, oh, that’s an interesting point that someone brought up, and I forget which one it was. But it was just really helpful for us to realize that we were pretty much on point for everything and then there’s one new thing that we missed. Then we talked with our QSA after that benchmarking and watching the webinars and talking to our peers. And that’s when I realized actually for a couple of them, we were over-indexing. They’re like, hey, you know, you’re saying this is a big change for you. Based on all these things we know about you and the evidence you’ve provided already in the past, that’s actually probably not a huge lift. If you just do this, that’s probably going to be good enough for us to understand or meet this requirement. So that was super helpful for us to engage those two different groups to make sure we understood what the impacts were and how it really would impact us.


Kandyce Young:

And you know what else I would say, too, which I found through some feedback we’ve been receiving, is sometimes if you are engaging or beginning with new technology (like Tony, you’re in a great position) but other organizations may have had a huge lift on some of the technology that they’ve had to incorporate into their environments. And one thing I would say, too, in addition to trusted experts, is training your internal staff. So it’s important to make sure that when you add any new technology to your environment, or you’re making any updates in response to PCI DSS v4.0, let’s say, making sure that your staff is aware and up-to-date on what’s happening and they’re trained on that so that if there are any issues in the future, you already have in-house experts to help support that. And I think other organizations can maybe benefit from that knowledge. I’m sure, Tony, that’s something you’re already doing with your great staff, but I think it’s so important for others to be aware that “hey, we want to do cutting-edge technology.” That’s great. So, make sure we have people on staff to support us if in fact, maybe, the new technology is not addressing all of the system components it should or it’s malfunctioning. So, make sure you have that, those trusted experts internally, before the assessment begins.


Tony James:

Yeah, I agree. That kind of brings me back to the other point you mentioned earlier on validation and using the Customized Approach. First of all, I really want to applaud the Council for implementing this. I know they did a lot of work with the industry to understand what the industry wanted here and how to make it come to life. And so, I applaud you for making it a reality. That said, I think it’s a great point to call out for those of you who haven’t dug in a lot. It will be a lot of work. Don’t go in thinking, “oh, great, I’ll do this Customized Approach, and that’ll be less work for me in the end. And it’ll just make this whole process easier.” There’s some realization that it probably could make things easier for your business or easier for your technology experts at the end, but there’s going to be more pre-work ahead of time working with your QSA and working internally to understand exactly what those controls are, doing that targeted risk assessment as you referenced, and preparing to evaluate a control that you’re creating to meet this requirement. I want to make sure everybody is really aware of that; that it’s a great option, but it does not mean lots less work.


Kandyce Young:

You’re so right, Tony, because I think the Customized Approach was really developed for risk-mature organizations that have a strong framework and strong resources. They can really associate or provide strong resources to help support the implementation, but also the long-term efficacy of those controls. Because you’re right, there’s a lot of documentation involved. But for organizations that want to, you know, do some sort of modern malware protection or anything else that’s really exciting with evolving their network segmentation, then there’s certainly a space to do that.


Alicia Malone:

A question for both of you, and I’ll start with Kandyce on this. What is the most important thing that you want retailers to take away from this podcast regarding PCI DSS v4.0? I know that our timeline is getting closer, and I wondered if you could just speak to that, Kandyce, and some of the really important things that they need to know going into this.


Kandyce Young:

Well, start now, right? So, PCI DSS v3.2.1 retires on 31 March 2024. So that is right around the corner. So, after this date, it’s PCI DSS v4.0 assessments. We do have some additional best practice requirements that are now future-dated, and those will take effect on 31 March 2025. But it’s important that you perform your gap assessments, so you know where you have those gaps in controls, so you are prepared to adopt those new controls that come into effect in 2025 well in advance of your assessment date, right? So, prepare for the assessment before you undergo the assessment. Get organized, be informed about controls and the gaps in your controls, and your practices. So, we say that early planning and proper investment are critical to your success. And finally, I will say, I will plug, we collaborate with the industry on a regular basis and that’s how we thrive. That’s our foundation. So, if you’d like to collaborate with us, you can become a Participating Organization. And that really gives you, as an industry stakeholder, the opportunity to be involved in the direction of our standards; as well, it’ll give you the opportunity to join our Special Interest Group that we’re working on right now about scoping and segmentation for modern network architectures. So, your voice will be heard, and your expertise will become a part of the guidance to the payments industry. So those are the things I think retailers can take away from our talk today.


Luke Vander Linden:

Kandyce, I think that’s great. The best laid plans though of mice and men often go astray. So Tony, what would you say if you’re running late? What should you do next?


Tony James:

So, I think the first thing to do is really engage in that gap assessment quickly. I talked a lot about what we did from a gap assessment standpoint, and that’s where I would focus. And it’s similar to kind of what Kandyce was asked there too. So where should I start? What should I do? It really is three things: it’s read, plan, and communicate.

So read it, understand it, talk to the experts in your organization. You’ll have subject matter experts throughout your organization, talk to them and understand the impact to you. Gather details about what you and those other experts outside of your organization might think are the biggest impact.

Make your plan. So, plan for what you’re going to do, how you’re going to do it, what your timelines look like, and what you need to accomplish. By what dates? ’Cause there’s different dates. Some things are due in 2024, some are due in 2025. So, prioritize that.

And finally, we haven’t talked about this one enough: communicate. If you have read it all and know exactly what you need to do when you start doing it all, but you haven’t told anybody in your organization, you’re not setting yourself up for success. So, communicate what’s going on with version 4.0, how it impacts you, to your organization, and communicate what those plans are and what you need from those experts. If you want them to do something by a certain date, you probably need to look at perhaps what the organizational budgeting timelines are within your organization and work around that. If you need something done next year and your organization does budgeting in January, you want to probably be talking to those teams well before that so they know what budget to ask for so they can implement that in the next year. So those are the three things: read, plan, and communicate.


Kandyce Young:

I wholeheartedly agree with that, Tony. I think properly allocating human and technical resources and giving enough time prior to implementation, I think is a really key and critical component to success in meeting the new requirements. So, spot on, I agree.


Alicia Malone:

Kandyce, where can our listeners go for more information about PCI DSS v4.0?


Kandyce Young:

Well, you can head over to our website at PCISSC.org, and we have a PCI DSS Resource Hub actually, with all the documents I mentioned. So, the Summary of Changes document, we’ve got our Standard, we have Coffee with the Council videos where we have commonly asked questions, we have a considerable amount of FAQs because we are receiving questions on a daily basis from our stakeholders. And so, when we receive enough of those, we actually publish them as formal FAQs on our website.

And so that’s a resource that we’re updating on a regular basis. We put quite a few in just last month. So that’s another great resource to head on to. And blog posts. We’re constantly doing those. So those are all available on PCISSC.org.


Luke Vander Linden:

That’s excellent. And we’ll link to all those resources as well from our show notes on our version of this segment as well. But I also want to plug, this isn’t the last time you can hear from this group and a couple more folks. We’re also hosting a joint webinar on this topic. That’s going to be on 25 May at 3 p.m. Eastern time. And again, we’ll have links all over the R&H ISAC website and we’ll put it in the show notes as well. And I’m guessing you guys will do that as well.


Alicia Malone:

Absolutely. We’re looking forward to that webinar as well, Luke. And I wanted to just thank our guests today for their insight. This is so helpful, and I think this is really great information for the industry.


Luke Vander Linden:

Excellent. Yes, thank you both as well. And thank you, Alicia, for letting me co-host with you. I think this worked out great. So hopefully maybe we can do it again someday.


Alicia Malone:

Yeah, let’s do it again. This was a lot of fun.



