The PCI Security Standards Council on Tuesday announced the creation of three new so-called special interest groups (SIGs) that will give it input about cloud computing, e-commerce security, and risk assessments. The new SIGs are significant not only for the hot topics that they will address, but also for the election process by which they were created, a process the Council says replaces an unwieldy earlier one.

The Council oversees the main Payment Card Industry data-security standard (PCI) and the related Payment Application data-security standard (PA-DSS) and PIN Transaction Security requirements (PTS), all applicable to merchants, processors, and card issuers that handle data from general-purpose credit and debit cards. The SIGs draw members from so-called Participating Organizations (POs) of vendors, merchants, financial institutions, and others that register with the PCI Council to give feedback about the security standards. SIGs are large committees that develop recommendations and advice about controversial or high-interest topics related to card security. Earlier SIGs have addressed wireless transactions, virtualization of card data, how PCI relates to EMV chip card technology, and point-to-point encryption.

Under the old process, a PO at any time could submit an idea for a SIG, and if a member of the Council’s Board of Advisors agreed to act as chairperson, it would be created and largely left alone, according to PCI Council general manager Bob Russo. But some SIGs had 50 or more members, many providing only occasional input, and took up to two years to produce anything tangible.

“It was a little bit like herding cats,” says Russo. “It took very, very long and you were never sure what you were going to get.” Still, the SIGs managed to “put out a lot of good documents” useful for PCI stakeholders, he adds.

The Council decided in June to change the process. It asked the POs to submit ideas for new SIGs and received 30. Council-related groups removed duplicates and got the list down to 13, and another culling process generated seven finalist proposals. Advocates for each were given 15 minutes to state their case at the PCI community meetings this fall in Scottsdale, Ariz., and London, followed by an online election by POs of their favorite ideas. “It actually is the first SIG election,” says Russo.

Nearly 500 POs voted. About a third of the votes came from outside North America.

Each new SIG will be formally organized by the end of the year with a charter that spells out its mission. Membership won’t be limited, but to ensure that work moves along, a PCI Council staff person will chair each SIG, which is to have no more than a year to produce its recommendations. “The old SIGs did a wonderful job, but this is an improved process,” Russo says.

Russo anticipates that some of the new SIGs might even get done early, which could make time for creation of new SIGs that would address one or more of the four ideas that didn’t make the final list. Those are: management of software patches, administrative access to systems and devices, PCI issues involving small businesses, and issues regarding hosted, managed application and service providers.

The new cloud-computing SIG will develop recommendations that build on the virtualization guidelines the Council issued in June. The e-commerce group will address online payments from so-called Level 3 and Level 4 merchants: small e-commerce-only and physical merchants. The risk-assessment group will deal with factors to be addressed as a PCI assessor works with a merchant or processor to determine what data are covered, or within “scope,” ahead of a PCI audit.

Besides generating recommendations and advice applicable immediately, Russo expects the SIGs will develop insights that find their way into the next major update of the existing PCI version 2.0. Version 3.0 will be unveiled in late 2013 and take effect Jan. 1, 2014.

Meanwhile, Russo said he expects the Council to be issuing long-awaited guidelines about another hot topic, mobile payments, by the end of the year.