The Green Sheet Online Edition
January 09, 2012 • Issue 12:01:01
PCI SSC rolls out new SIGs
Editor's Note: For further thoughts on formation of PCI SSC SIGs, specifically the need for a SIG devoted to small and midsize merchants, see "SMBs: Security must become serious," by Bill Farmer, The Green Sheet, Dec. 26, 2011, issue 11:12:02.
In November 2011, the PCI Security Standards Council (PCI SSC) held a first of its kind election. Nearly 500 council members from around the world voted on topics for special interest groups (SIGs) in 2012. The results were: cloud computing, e-commerce security and risk assessment.
These topics were the top finishers on a list of seven issues put before members as possible subjects for SIGs. The seven topics were trimmed from a list of 13 subjects suggested by the PCI SSC community.
SIGs provide an opportunity for member organizations and individual council members to share their business and technical expertise in the global effort to apply Payment Card Industry (PCI) Data Security Standard (DSS) and related security standards to specific industries or technological issues.
SIGs recommend changes, clarifications or improvements to PCI security standards and the programs supporting those standards. Any PCI organization or individual member may take part in a SIG. All are encouraged to join the discussion.
PCI SSC General Manager Bob Russo told The Green Sheet the specific objectives for each of the new SIGs are currently being decided. Russo said the council would be more concise about the objectives when the SIGs begin meeting in January 2012.
Generally speaking, the cloud SIG will look at the risks and security challenges of storing cardholder data in a cloud network. "There is a good opportunity here to build on the virtualization guidelines delivered by a previous SIG on the topic earlier [in 2011]," Russo stated.
The e-commerce SIG will help merchants and service providers understand how to work online securely. "E-commerce is a different beast than brick-and-mortar security, so we are excited to explore new best practices and guidance in this area," Russo noted.
The risk assessment SIG will "explore developing best practices and recommend methodology for merchants, service providers and [qualified security assessors] when it comes to performing risk based assessments applicable to cardholder data," Russo said. "Output of this SIG may further the efforts initiated with the council's Prioritized Approach document from several years back and help organizations understand how to mitigate the biggest risk first."
Topics to recycle
Russo said those topics not chosen for SIGs this year would not be discarded. The council will continue to hold these ideas for consideration for future SIGs.
"What has emerged from the SIG process ... is that we know our stakeholders want more on mobile [and] additional guidance on point-to-point encryption and cloud technologies," he said. "While cloud will be looked at in the SIGs, the council is also committed to providing additional guidance to these other important topics."
Russo noted PCI SSC staff members will chair SIGs to help remove bias while pushing the discussion forward and help ensure work is completed on time.
"We have everyone's best interest in mind - our mission is card security - we will ensure that any guidance or output does not cater to one specific group, but benefits the broader payments landscape as a whole," he said.
Russo expressed satisfaction with the interest and participation in the SIGs. "The benefits of having a large participant base (and we had hundreds of companies participate on previous SIGs) is that we have a wide range of industries and perspectives to add.
"The result is a great amalgamation of all of this knowledge that can help aid folks in almost any industry."