The Green Sheet

Monday, December 19, 2011

PCI SSC rolls out new SIGs

In November 2011, the PCI Security Standards Council (PCI SSC) held a first of its kind election. Nearly 500 council members from around the world voted on topics for Special Interest Groups in 2012. The results were: cloud computing, e-commerce security, and risk assessment.

These topics were the top finishers on a list of seven issues put before members as possible subjects for SIGs. The seven topics were trimmed from a list of 13 possible subjects suggested by the Payment Card Industry (PCI) Data Security Standard (DSS) community.

SIGs are an opportunity for member organizations and individual council members to share their business and technical expertise in the global effort to apply PCI DSS and related security standards to specific industry or technological issues.

SIGs recommend changes, clarifications or improvements to PCI security standards and the programs supporting those standards. Any PCI organization or individual member may take part in a SIG. All are encouraged to join the discussion.

General objectives

PCI SSC General Manager Bob Russo told The Green Sheet the specific objectives for each of the new SIGs are currently being decided. Russo said the council would be more concise about the objectives when the SIGs begin meeting in January 2012.

Generally speaking, the cloud SIG will look at the risks and security challenges of storing cardholder data in a cloud network. "There is a good opportunity here to build on the virtualization guidelines delivered by a previous SIG on the topic earlier [in 2011]," Russo stated.

The e-commerce SIG will help merchants and service providers understand how to work online securely. "E-commerce is a different beast than brick-and-mortar security, so we are excited to explore new best practices and guidance in this area," Russo noted. The risk assessment SIG will "explore developing best practices and recommend methodology for merchants, service providers and [qualified security assessors] when it comes to performing risk based assessments applicable to cardholder data," Russo said. "Output of this SIG may further the efforts initiated with the council's Prioritized Approach document from several years back and help organizations understand how to mitigate the biggest risk first."

Topics to recycle

Russo said those topics not chosen for SIGs this year would not be discarded. The council will continue to hold these ideas for consideration for future SIGs.

"What has emerged from the SIG process … is that we know our stakeholders want more on mobile [and] additional guidance on point-to-point encryption and cloud technologies," he said. "While cloud will be looked at in the SIGs, the council is also committed to providing additional guidance to these other important topics."

PCI participation

Russo noted PCI SSC staff members will chair SIGs to help remove bias while pushing the discussion forward and help ensure work is completed on time. "We have everyone's best interest in mind – our mission is card security – we will ensure that any guidance or output does not cater to one specific group, but benefits the broader payments landscape as a whole," he said.

Russo expressed satisfaction with the interest and participation in the SIGs. "The benefit of having a large participant base (and we had hundreds of companies participate on previous SIGs) is that we have a wide range of industries and perspectives to add. The result is a great amalgamation of all of this knowledge that can help aid folks in almost any industry."

Editor's Note: If you're interested in further discussion of SIGs, "SMBs: Security must become serious," by Bill Farmer, Chief Executive Officer of Mako Networks, will be published in The Green Sheet, Dec. 24, 2011, issue 11:12:02. In it, Farmer makes his case for the need to create a SIG dedicated to small and midsize businesses.


Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
