PCI Council wants more control over special interest group process

In order to better manage SIGs, the council will oversee the process of developing guidance, and possibly modifications to its standards, in three new areas: cloud computing, e-commerce security, and risk assessment.

The cloud computing initiative will examine the security risks of using the cloud to store and process credit card information and what steps can be taken to secure that data. The e-commerce security initiative will study the special requirements of handling and securing credit card data online. The risk assessment initiative will develop best practices and recommend methodologies for risk-based assessments of cardholder data.

These topics were selected by PCI participating organizations from a group of 13 initiatives proposed by the organizations for further examination by SIGs. The 13 were narrowed to seven, which were then voted on by 500 of the more than 650 PCI participating organizations. “This was great participation”, Russo explained.

Participating organizations were allowed three votes on the seven topics. Successful project proposals were submitted by CyberSource, HyTrust, Sense of Security, SISA Information Security, the UK Cards Association, Trend Micro, and TSYS.

Previously, SIGs were set up at the initiative of participating organizations without direct oversight by the council and sometimes tended to “meander” in their work, Russo related. The SIGs “decided what they would do and what their deliverable would be, whether it would be something added to our Frequently Asked Questions, or a guidance document, or suggesting updates to the standards. They went on their merry way and [the council] acted as a secretariat for them until they delivered something to our standards group and our technical working group”, Russo explained.

The PCI Council has changed the procedure so that there is a window of time for participating organizations to submit requests for SIGs. During the summer, the council asked participating organizations to submit their proposals for SIGs, and 30 ideas were submitted, Russo said.

The PCI Council is accepting volunteers to participate on the SIGs. Those interested should send an email to the council before Nov. 30 indicating their interest. Following this, council SIG leads will convene each group to formalize the group charter and the scope of the work project. This will be shared with the PCI community by the end of the year, with SIGs expected to start work at the beginning of 2012. SIGs will have a year to complete their work.

“People with the council will be in charge of running the special interest groups, as opposed to someone from a participating organization. That way we are absolutely sure that the meetings are happening on a regular basis, that if there are tasks that need to be performed, that they are being performed in a timely manner. If there is someone on the interest group who is supposed to perform a task, someone on the council will monitor to make sure it is getting done”, Russo said.

In addition, each SIG will have a clear charter, which will delineate the scope of the SIG's work, the timetable, and the expected end result. This is a distinct change from the previous way SIGs operated, he noted.