The Green Sheet

Thursday, February 20, 2020

PCI SSC produces guide for large companies

The PCI Security Standards Council (PCI SSC) released new guidance on Feb. 20, 2020, aimed at addressing the unique needs of enterprise-scale organizations. Information Supplement: PCI DSS for Large Organizations, was produced by the 2019 Special Interest Group (SIG). Drawing from direct experience at large companies, SIG members provided recommendations for managing PCI DSS assessments across multiple business units and third-party service providers.

Mauro Lance, PCI SSC senior vice president and operating officer, noted that SIGs play a key role at the council and represent a cross-section of experts from the front lines of payment security. Their knowledge helps industry stakeholders apply PCI standards to their organizations, he stated.

"PCI Special Interest Groups bring together experts from across industries and around the world to address the topics that are most important to their payment security efforts," Lance said. "This knowledge sharing is one of the best examples of industry collaboration. Some of our most popular resources are products of these groups' work. And their value is not just limited to the output they produce – feedback from SIGs over the years has influenced updates to the PCI standards themselves."

Collaborative effort

Gary Glover, vice president of assessments at Security Metrics and SIG contributor, observed that organizations must evolve as they grow in order to implement and maintain PCI DSS across an enterprise. "It's easy to get lost in the forest when dealing with compliance of a large complex organization," he said. "This informational supplement provides some common ground to start from and addresses some of the business situations that are common to large organization compliance efforts."

SIG contributor Paul Curtis, enterprise compliance project management officer for FedEx Services, agreed, stating, "By participating in a SIG, you soon discover you are a part of a worldwide community of Security and Compliance Professionals. You learn from a variety of intelligent people who are involved in every facet of the PCI community. It was rewarding to be able to share lessons learned during more than a decade of working in the compliance field at a large company."

Lacey Johnson, senior technical program manager at Akamai Technologies and SIG contributor, said working with PCI community members from all over the world gave her an opportunity to share ideas and help create a deliverable that will be read by thousands. "Large organizations have many challenges, but the primary challenge, in my opinion, is a people one," she said. "How do you determine ownership? Who is responsible for what part of the PCI story? What do they need to know about payment card security and what don't they need to know?"

Comprehensive guidance

Creating the information supplement was a collaborative effort that brought together security experts with varied backgrounds and specializations, according to Lance Johnson, executive director at the PCI SSC. Noting that collaboration is central to the council's mission and work ethic, he said, "It takes organizations around the world lending their input and perspectives to the standards development process. It takes people from small companies and large companies using PCI SSC Programs and training to build and share knowledge for understanding and applying security standards and best practices."

The supplement provides guidance on a range of business issues and is designed to help leaders of large organizations navigate the ever-changing payments industry landscape. Insights include how to manage acquirer and payments industry channels, mergers and acquisitions, and the regulatory environment. Additional topics include roles, responsibilities and ownership of PCI DSS functions; education and awareness; and how to manage, maintain and sustain PCI DSS compliance.

For additional information and a complete copy of Information Supplement: PCI DSS for Large Organizations, visit blog.pcisecuritystandards.org/new-guidance-pci-dss-for-large-organizations.
