Vote Now: Why Retailers Really Should Help Select PCI SIGs

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

This is a good week for every retailer's IT, security and business departments, because they will have a relatively rare chance to sharply influence PCI issues. The PCI Council's Special Interest Group (SIG) nominees for the coming year are coming up, and these folks have a key vote. The reason is that the Council has a short list of seven proposed SIGs, only three of which will be selected. Which three are chosen is solely based on the votes of Participating Organizations. Whichever nominees the Participating Organizations decide to support with their vote, it will need to be done quickly: Online voting starts this week and ends November 4.

There are two changes to the SIGs this year. One change is that a Council staffer will lead the SIG (previously, the chair was a member of the PCI Council's Board of Advisors). The other change is that each SIG must complete its work in one year. In years past, SIGs could—and sometimes did—run indefinitely, becoming a source of frustration for everyone. The changes should mean each SIG is focused on delivering results.

A SIG brings together a broad spectrum of PCI stakeholders, including merchants, processors, vendors and QSAs. Volunteers from these organizations work together with PCI Council staff to clarify a PCI requirement or to develop guidance on a particular subject. SIGs produce a written document with their findings and guidance, which the Council publishes for use by by merchants, processors and QSAs. Previous SIGs have addressed issues such as wireless networking, virtualization, the EMV standard and, most recently, tokenization and point-to-point encryption.

The PCI Council offers several opportunities for Participating Organization feedback. Few of these opportunities, however, are as concrete as this one: Participating Organizations will not just advise, they will actually select the winning SIGs. Therefore, retailers should weigh their choices carefully.

Following is an overview of the seven candidate SIGs in the order in which they were covered at the PCI Community Meeting. Each one is worthy of a SIG. However, because participants can only pick their favorite three (in order), the selection process may generate some discussions within Participating Organization:

  • Administrative Access to Systems and Devices. This SIG would clarify how to comply with Requirement 2.3, which requires encrypting all non-console administrative access. Although this proposal got a number of comments, there may be more important candidates.

  • How to Write a Risk Assessment. This SIG aims to help with Requirement 12.1.2 by offering guidance beyond that offered by ISO 27005 and NIST 800-30. In particular, the SIG plans to develop approaches for larger Level 1 and 2 merchants, in addition to smaller Level 4s, who may have very different needs. As a QSA who sees risk analyses of widely varying comprehensiveness and thoughtfulness, I am hoping this SIG makes the cut.

  • Patch Management. Requirement 6.1 requires critical patches to be installed within 30 days, a daunting task given the frequency of patches from application and operating system vendors and the need to analyze and test the patches before they are installed. The SIG would offer guidance on ways to meet this requirement (or even modify it?), which is a source of pain in many IT organizations. My guess is that this one will get a lot of support from the IT operations crowd.
  • E-Commerce Guidelines. This SIG is in response to the desire of many merchants to outsource their E-Commerce payments and reduce their PCI scope. The problem is that there are so many different options (e.g., hosted order page, shopping carts, APIs linking to a processor) and possible configurations that merchants may not receive the scope reduction benefits they expected. This QSA believes E-Commerce implementation guidance or a buyer's guide would be quite valuable to large and small retailers alike.

  • PCI in the Cloud. The informal name for this SIG is "Virtualization SIG v 2," because it would extend the work of the earlier Virtualization SIG. The objective is to pull together the work of existing standards bodies to address the "we are compliant in the cloud" versus "you can never be compliant in the cloud" arguments. As noted in the presentation at the PCI Community Meeting, much of the research exists; what is missing is putting that information in a PCI context. My guess is SIG one, too, will get a lot of support.

  • Small Businesses and PCI. This proposed SIG recognizes both the lack of PCI compliance in small merchants and their increased vulnerability to a credit-card breach. Its objective is to identify the barriers to compliance and how the Council can communicate with this broad audience who is focused more on the next sale than security. Although the need is real, it seems that card acquirers, processors or even trade associations are each better positioned take on this market research than the PCI Council. I would be surprised if many Participating Organizations support this proposed SIG.

  • Managing Hosted Service Providers. This SIG aims to provide merchant guidance on how to use a hosted service provider and assign responsibility for PCI requirements (e.g., retailer, service provider, processor) based on different service offerings. The SIG hopes also to address the inconsistency whereby a merchant can be PCI compliant while depending on a service provider that is not compliant. However, an audience question at the recent Community Meeting echoed my own thoughts: Isn't this topic already covered in Requirement 12.8?

The PCI Council sent to each Participating Organization a link to the video of the presentations on each proposed SIG. Today might be a good time to speak with your representative and take a look at the videos (they are only about 10 minutes or less each) before considering your vote. Each Participating Organization votes for a first, second and third choice, and the three SIG nominees getting the most votes will be funded for 2012. Voting ends November 4, though, so don't wait too long to decide or the opportunity may pass you by.

I don't know of too many standards or regulatory bodies that allow their constituents to decide what topics should be explored and where additional guidance is desired. It would be a shame if retailers did not consider their business and technical needs together and have their voices heard.

What do you think? I'd like to hear your thoughts. Do you agree with my thoughts on the SIGs? What are your choices? Either leave a comment or E-mail me at [email protected].