Special Interest Groups

2015 SIG Proposals

Any Participating Organization (PO), Qualified Security Assessor (QSA), Approved Scanning Vendor (ASV), or PCI Council Member is invited to propose a Special Interest Group during an open proposal period that runs between 2 June and 7 July 2014.

To propose a SIG, stakeholders must complete the web-based form found here. If you have any specific questions about the SIG proposal process, please email sigs@pcisecuritystandards.org.

A PCI SSC representative will chair, lead and project manage SIG work. This collaboration will free SIG volunteers to focus on contributing subject matter expertise, without responsibility for logistical matters. This also ensures greater alignment between SIG volunteer contributions and PCI SSC direction.

Ultimately, SIGs will be chosen directly by the Participating Organization membership that represents merchants, financial institutions and payment processors – the organizations that are implementing PCI Standards.

After the close of the SIG proposal period on 7 July 2014, a selected list of proposals will be drawn up by PCI SSC. This process is aimed at consolidating any overlapping proposals and ensuring shortlisted proposals are focused on areas the Council can commit to supporting in the coming year.  

Presentations from POs, QSAs, ASVs, and PCI Council Members on selected SIG proposals will be given at the North American and European Community Meetings. After the Community Meetings, Participating Organizations will vote via an electronic ballot to determine which proposals will be supported by PCI SSC. 

Topics covered by SIG collaboration and PO participation to date include the following and are available in the Documents Library.

SIG work may provide clarification on specific requirements within a PCI Standard, examine how PCI Standards work within any given industry or environment, or any other area that supports the Council’s mission of raising awareness and increasing adoption of PCI Standards. Since the Council is focused on providing tools and resources to secure payment card data within the current payment system, and must also operate within a strict anti-trust framework, a focus outside of the current payment system is beyond our scope and would not be an appropriate topic for a PCI SSC SIG project. 

2014 SIG Results

Through the election process, the Participating Organization community chose Penetration Testing Guidance and Security Awareness Program: Best Practices for Implementing a Formal Security Awareness Program as the two projects to pursue as the next PCI Special Interest Groups in 2014. Both new Special Interest Groups commence in January, and the deliverables are expected to be published at the end of 2014.

If you are a Participating Organization, QSA, ASV, or Affiliate Member, and would like to join one of these SIGs, please click the ‘Register’ button on the top of this page to sign-up online.

2014 SIG Projects

Purpose
The purpose of this SIG is to update the PCI DSS Information Supplement: Requirement 11.3 Penetration Testing document released in 2008.

Background
The PCI DSS Information Supplement: Requirement 11.3 Penetration Testing was released in 2008 and should be updated to account for changes in technology and new attack vectors. Clarification on what constitutes an effective penetration test in order to comply with PCI DSS Requirement 11.3 is also needed. Because environments will vary significantly, techniques for penetration testing types, depth, and complexity will also vary. Updated guidance on penetration testing will also assist assessors in determining whether an implemented methodology meets the intent of requirement 11.3.

Objectives
The objective of the Penetration Testing Guidance Special Interest Group is to update the existing Information Supplement: Requirement 11.3 Penetration Testing from 2008 and include the following:

  1. Develop best practices and recommendations for penetration testing activities
  2. Consider authenticated testing conditions for various roles to ensure that access to cardholder data is restricted to the privileges assigned to the role
  3. Develop guidance on creating reporting templates and reporting language
  4. Develop best practices for a penetration testing report checklist
  5. Document illustrative case studies

Approach
In accordance with the Payment Card Industry Security Standards Special Interest Groups (SIGs) Rules of Engagement, a PCI SSC representative will chair, lead and project manage the SIG’s work. This SIG chair helps drive consensus between SIG members and also helps to ensure alignment between SIG volunteer contributions and PCI SSC direction. The SIG chair, other PCI SSC participants, and SIG members (including Participating Organizations, payment brand participants, QSAs and ASVs) will work together collaboratively to accomplish the SIG objectives.

Participation Requirements and Contact Information
SIG participation is open to any PCI Participating Organization, QSA, ASV company and PCI Council Members. Participants should allot time to attend regularly scheduled meetings as well as additional time to draft and/or review documents, in accordance with their desired level of participation. Draft and final versions of the paper will be written by SIG members and PCI SSC staff.

SIG Meetings will be chaired by Jen Spencer, PCI SSC Standards Manager.

Meeting coordination and other administrative tasks will be handled by Cynthia Revilla, SIG Program Manager, sigs@pcisecuritystandards.org.

To join this SIG and be included on future communications regarding meeting times and responsibilities, please click the ‘Register’ button on the top of this page to sign-up online.

Deliverables and Timeline
The anticipated deliverable is an Information Supplement (or similar guidance document), and the SIG effort is expected to be completed by the end of 2014.

Purpose
The purpose of this SIG is to provide guidance to organizations looking to implement a formal security awareness program to satisfy PCI DSS Requirement 12.6.

Background
Satisfying PCI DSS Requirement 12.6 requires implementation of a formal security awareness program. This often involves anything from short online modules to day-long classes or internally developed material. Each of these methods provides a very different level of knowledge when making personnel aware of the importance of protecting cardholder data.

There are various ways to meet the intent of the requirement, leaving many organizations looking for guidance on how to develop their security awareness training.

Objectives
The objectives for the Security Awareness Program SIG are to create an information supplement that includes at least the following:

  1. Develop best practices in organizational security awareness training for protecting cardholder data
  2. Develop best practices for a consistent, uniform approach to provide personnel in various roles the appropriate level of awareness training for cardholder data security
  3. Develop best practices on the type of content and depth of content an organization can use to train personnel to meet the intent of PCI DSS requirement 12.6
  4. Develop a best practices checklist to help organizations manage their awareness training and educate their personnel on the importance of cardholder data security

Approach
In accordance with the Payment Card Industry Security Standards Special Interest Groups (SIGs) Rules of Engagement, a PCI SSC representative will chair, lead and project manage the SIG’s work. This SIG chair helps drive consensus between SIG members and also helps to ensure alignment between SIG volunteer contributions and PCI SSC direction. The SIG Chair, other PCI SSC participants, and SIG members (including Participating Organizations, payment brand participants, QSAs and ASVs) will work together collaboratively to accomplish the SIG objectives.

Participation Requirements and Contact Information
SIG participation is open to any PCI Participating Organization, QSA, ASV company and PCI Council Members. Participants should allot time to attend regularly scheduled meetings as well as additional time to draft and/or review documents, in accordance with their desired level of participation. Draft and final versions of the paper will be written by SIG members and PCI SSC staff.

SIG Meetings will be chaired by Elizabeth Terry, PCI SSC Standards Project Manager.

Meeting coordination and other administrative tasks will be handled by Cynthia Revilla, SIG Program Manager, sigs@pcisecuritystandards.org.

To join this SIG and be included on future communications regarding meeting times and responsibilities, please click the ‘Register’ button on the top of this page to sign-up online.

Deliverables and Timeline
The anticipated deliverable is an Information Supplement (or similar guidance document), and the SIG effort is expected to be completed by the end of 2014.

2013 SIG Projects

Purpose
The purpose of this SIG is to provide guidance to merchants and service providers on best practices for long-term maintenance of PCI DSS compliance.

Status
The Best Practices for Maintaining PCI DSS Compliance SIG is working to finalize the Information Supplement: Best Practices for Maintaining PCI DSS Compliance and targeting a Q3 2014 publication of this document. For more information on the SIG's Terms of Reference please visit the PO Portal.

Purpose
The purpose of this SIG is to provide guidance to merchants, service providers, and banks on third party service provider assurance for PCI DSS Requirement 12.8.

Status
The Third Party Security Assurance SIG is working to finalize the Information Supplement: Third Party Security Assurance and targeting a Q3 2014 publication of this document. For more information on the SIG's Terms of Reference please visit the PO Portal.

Special Interest Group participants have made significant contributions to the development of Council Standards, tools and educational resources over the years. The Council recognizes and thanks the many SIG volunteers and their contributions. Outcomes of SIG collaboration and PO participation to date include:

For more information about PCI SSC SIGs, please review the questions on this page or feel free to email us at sigs@pcisecuritystandards.org.


The PCI Security Standards Council (the "Council") provides a number of tools, questionnaires, guidance, FAQs, training resources and other materials and information to assist organizations seeking compliance with its standards (the "Standards"). Third-party products and services are also available, but the Council does not endorse or recommend any such third-party products or services, and recommends that all organizations seeking compliance with the Standards familiarize themselves with the Standards and their related requirements before purchasing third-party products or services. Ultimately, all applicable requirements must be met in order to achieve compliance, regardless of whether, or which, third-party products or services are used.