Monday, December 19, 2011
These topics were the top finishers on a list of seven issues put before members as possible subjects for SIGs. The seven topics were trimmed from a list of 13 possible subjects suggested by the Payment Card Industry (PCI) Data Security Standard (DSS) community.
SIGs are an opportunity for member organizations and individual council members to share their business and technical expertise in the global effort to apply PCI DSS and related security standards to specific industry or technological issues.
SIGs recommend changes, clarifications or improvements to PCI security standards and the programs supporting those standards. Any PCI organization or individual member may take part in a SIG. All are encouraged to join the discussion.
PCI SSC General Manager Bob Russo told The Green Sheet that the specific objectives for each of the new SIGs are currently being decided. Russo said the council would be more concise about the objectives when the SIGs begin meeting in January 2012.
Generally speaking, the cloud SIG will look at the risks and security challenges of storing cardholder data in a cloud network. "There is a good opportunity here to build on the virtualization guidelines delivered by a previous SIG on the topic earlier [in 2011]," Russo stated.
The e-commerce SIG will help merchants and service providers understand how to work online securely. "E-commerce is a different beast than brick-and-mortar security, so we are excited to explore new best practices and guidance in this area," Russo noted. The risk assessment SIG will "explore developing best practices and recommend methodology for merchants, service providers and [qualified security assessors] when it comes to performing risk based assessments applicable to cardholder data," Russo said. "Output of this SIG may further the efforts initiated with the council's Prioritized Approach document from several years back and help organizations understand how to mitigate the biggest risk first."
Russo said those topics not chosen for SIGs this year would not be discarded. The council will continue to hold these ideas for consideration for future SIGs.
"What has emerged from the SIG process … is that we know our stakeholders want more on mobile [and] additional guidance on point-to-point encryption and cloud technologies," he said. "While cloud will be looked at in the SIGs, the council is also committed to providing additional guidance to these other important topics."
Russo noted PCI SSC staff members will chair SIGs to help remove bias while pushing the discussion forward and help ensure work is completed on time. "We have everyone's best interest in mind – our mission is card security – we will ensure that any guidance or output does not cater to one specific group, but benefits the broader payments landscape as a whole," he said.
Russo expressed satisfaction with the interest and participation in the SIGs. "The benefits of having a large participant base (and we had hundreds of companies participate on previous SIGs) is that we have a wide range of industries and perspectives to add. The result is a great amalgamation of all of this knowledge that can help aid folks in almost any industry."
Editor's Note: If you're interested in further discussion of SIGs, "SMBs: Security must become serious," by Bill Farmer, Chief Executive Officer of Mako Networks, will be published in The Green Sheet, Dec. 24, 2011, issue 11:12:02. In it, Farmer makes his case for the need to create a SIG dedicated to small and midsize businesses.