PCI Security Standards Council®

Special Interest Groups


2017 SIGs: Projects for Consideration

Is there a Special Interest Group (SIG) guidance document you use regularly but wish it had more current information? You’re not alone! We’ve heard this a lot from the community, and that’s why for 2017 instead of requesting proposals for new Special Interest Group topics, we’re asking PCI Participating Organizations and assessors to choose from existing SIG guidance documents to determine which ones the PCI community will update.

Please review the below list of potential 2017 SIG projects. These will be highlighted at the upcoming Community Meetings, and Participating Organizations and assessors will vote for their choices via an electronic ballot in November:

Over the years, the PCI community has come together to create a number of excellent resources to address payment security issues and challenges via our SIGs. We’re looking forward to working with you to extend the life of these with updated material!

Questions? Email us at SIGS@pcisecuritystandards.org.



2016 Project

BEST PRACTICES FOR SAFE E-COMMERCE

If you are a Participating Organization, QSA, ASV or Affiliate Member, and would like to join this SIG, please click the ‘Register’ button below and complete the interest form.


Purpose

Provide guidance and tools for merchants, third parties, and the assessor community on best practices for safe e-commerce.

Objectives

The objectives for this SIG are to produce a guidance document that includes the following:

  • Guidance for merchants, third parties, and the assessor community on the use of encryption and digital certificates for cardholder data transmissions, including use of secure versions of TLS and migrating from SSL and older versions of TLS.
  • Guidance to help merchants and third parties select the appropriate type of public key certificates, including sources of freely-available tools for monitoring and managing their implementations.
  • Guidance to help merchants understand the different e-commerce implementations and how to select the one that both meets their needs and protects cardholder data.
  • Guidance to help determine whether an e-commerce solution securely protects cardholder data and questions to ask e-commerce solution providers.
  • Incorporation of applicable guidance from the existing 2012 SIG document PCI DSS v2.0 E-commerce Guidelines.

In addition, the SIG will provide input into TWG’s 2016 efforts regarding an e-commerce validation framework.

Approach

In accordance with the Payment Card Industry Security Standards Special Interest Groups (SIGs) Rules of Engagement, a PCI SSC representative will provide leadership and project management for the SIG’s work. This SIG chair will assist in driving consensus among SIG members and will also help to ensure alignment between SIG volunteer contributions and PCI SSC direction. The SIG chair, other PCI SSC participants, and SIG members (including Participating Organizations, payment brand participants, QSAs and ASVs) will work together collaboratively to accomplish the SIG objectives.

Elizabeth Terry will be the SIG chair, responsible for completing the day-to-day tasks including but not limited to overseeing the drafting of guidance and presenting issues and updates both internally and to the SIG for their input and comments. The SIG chair is also responsible for coordinating publication of the final document with PCI SSC marketing and communications.

Meeting coordination and other administrative tasks will be handled by the Virtual SIG Program Manager (sigs@pcisecuritystandards.org).

Participation Requirements and Contact Information

Participation will include PCI Council Members* and staff, payment brands, volunteer participating organizations, and QSA and ASV companies. The participants are expected to provide e-commerce expertise and to actively participate and contribute to the end deliverable. There will be standing calls for the Best Practices for Safe E-Commerce Special Interest Group, the timing and frequency of which will be determined during the first SIG meeting. Participants should allot time to attend meetings and additional time to draft and/or review documents, in accordance with their desired level of participation.

Draft and final versions of the paper will be written by PCI SSC staff and/or SIG members, per individual SIG member’s desired degree of participation.

Deliverables and Timeline

Listed below is the expected deliverable and timeline for this SIG:

  1. Deliverable: Information Supplement – Best Practices for Securing E-Commerce guidance
  2. Timeline: The expected duration of the SIG is 9-12 months commencing in February 2016.
* PCI Council Members is defined as PCI SSC Staff, Payment Brands, Affiliate Members or Strategic Members. 

2015 Projects

Effective Daily Log Monitoring

Purpose

Provide guidance and techniques to improve daily log monitoring to meet PCI DSS requirements, including available tools and examples/evidence from recent breaches.

Status

The Effective Daily Log Monitoring SIG is working to finalize the Information Supplement and targeting publication in Q2 2016. For more information on the SIG’s Terms of Reference, please visit the PO Portal.

Managing Shared Responsibilities with Third Party Service Providers

Purpose

Provide guidance and techniques for managing shared responsibilities with third party service providers to meet PCI DSS requirements.

Status

The Shared Responsibilities SIG is working to finalize the Information Supplement and targeting publication in Q1 2016. For more information on the SIG’s Terms of Reference, please visit the PO Portal.

* PCI Council Members is defined as PCI SSC Staff, Payment Brands, Affiliate Members or Strategic Members.

Frequently Asked Questions

Who can form a SIG? How can I propose one?

Any Participating Organization (PO), Qualified Security Assessor (QSA), Approved Scanning Vendor (ASV) or PCI Council Member* is invited to propose a Special Interest Group during an open proposal period that runs between June and July each year.

If you have any specific questions about the SIG proposal process, please email sigs@pcisecuritystandards.org.

Who will lead the SIGs?

A PCI SSC representative will chair, lead and project manage SIG work. This collaboration will free SIG volunteers to focus on contributing subject matter expertise, without responsibility for logistical matters. This also ensures greater alignment between SIG volunteer contributions and PCI SSC direction.

How will SIGs be chosen?

Ultimately, SIGs will be chosen directly by the Participating Organization membership that represents merchants, financial institutions and payment processors - the organizations that are implementing PCI Standards.

After the close of the SIG proposal period, a selected list of proposals will be drawn up by PCI SSC. This process is aimed at consolidating any overlapping proposals and ensuring shortlisted proposals are focused on areas the Council can commit to supporting in the coming year.

Video presentations on selected SIG proposals will be available for review at the North American and European Community Meetings and also on the PCI SSC website. After viewing the videos, Participating Organization Business Contacts will vote via an electronic ballot in the PO Portal, to determine which proposals will be supported by PCI SSC.

What are some of the areas that SIGs have covered in the past? What topics are appropriate for SIG projects?

Topics covered by SIG collaboration and PO participation to date include the following and are available in the Documents Library.

SIG work may provide clarification on specific requirements within a PCI Standard, examine how PCI Standards work within any given industry or environment, or any other area that supports the Council's mission of raising awareness and increasing adoption of PCI Standards. Since the Council is focused on providing tools and resources to secure payment card data within the current payment system, and must also operate within a strict anti-trust framework, a focus outside of the current payment system is beyond our scope and would not be an appropriate topic for a PCI SSC SIG project.
