Vote Now: Why Retailers Really Should Help Select PCI SIGs

Written by Walter Conway
October 26th, 2011

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

This is a good week for every retailer’s IT, security and business departments, because they will have a relatively rare chance to sharply influence PCI issues. The PCI Council’s Special Interest Group (SIG) nominees for the coming year are coming up, and these folks have a key vote. The reason is that the Council has a short list of seven proposed SIGs, only three of which will be selected. Which three are chosen is solely based on the votes of Participating Organizations. Whichever nominees the Participating Organizations decide to support with their vote, it will need to be done quickly: Online voting starts this week and ends November 4.

There are two changes to the SIGs this year. One change is that a Council staffer will lead the SIG (previously, the chair was a member of the PCI Council’s Board of Advisors). The other change is that each SIG must complete its work in one year. In years past, SIGs could—and sometimes did—run indefinitely, becoming a source of frustration for everyone. The changes should mean each SIG is focused on delivering results.

A SIG brings together a broad spectrum of PCI stakeholders, including merchants, processors, vendors and QSAs. Volunteers from these organizations work together with PCI Council staff to clarify a PCI requirement or to develop guidance on a particular subject. SIGs produce a written document with their findings and guidance, which the Council publishes for use by by merchants, processors and QSAs. Previous SIGs have addressed issues such as wireless networking, virtualization, the EMV standard and, most recently, tokenization and point-to-point encryption.

The PCI Council offers several opportunities for Participating Organization feedback. Few of these opportunities, however, are as concrete as this one: Participating Organizations will not just advise, they will actually select the winning SIGs. Therefore, retailers should weigh their choices carefully.

Following is an overview of the seven candidate SIGs in the order in which they were covered at the PCI Community Meeting. Each one is worthy of a SIG. However, because participants can only pick their favorite three (in order), the selection process may generate some discussions within Participating Organization:

  • Administrative Access to Systems and Devices. This SIG would clarify how to comply with Requirement 2.3, which requires encrypting all non-console administrative access. Although this proposal got a number of comments, there may be more important candidates.
  • How to Write a Risk Assessment. This SIG aims to help with Requirement 12.1.2 by offering guidance beyond that offered by ISO 27005 and NIST 800-30. In particular, the SIG plans to develop approaches for larger Level 1 and 2 merchants, in addition to smaller Level 4s, who may have very different needs. As a QSA who sees risk analyses of widely varying comprehensiveness and thoughtfulness, I am hoping this SIG makes the cut.
  • Patch Management. Requirement 6.1 requires critical patches to be installed within 30 days, a daunting task given the frequency of patches from application and operating system vendors and the need to analyze and test the patches before they are installed. The SIG would offer guidance on ways to meet this requirement (or even modify it?), which is a source of pain in many IT organizations. My guess is that this one will get a lot of support from the IT operations crowd.


3 Comments | Read Vote Now: Why Retailers Really Should Help Select PCI SIGs

  1. Steve Sommers Says:

    Based on my experience, if all the SIG’s run like the tokenization SIG was, I’m not sure the point. They either ignore the feedback and do what they want anyway or only pay attention to the big payers (I’m not sure?).

  2. Adrian Lane Says:

    Steve’s right – it’s a ‘token’ gesture. Seriously, it’s great the sponsoring orgs will get a voice, but that’s a tiny consolation prize. I like the 1 year requirement for completion, but if the PCI council can fold a SIG and ignore the advice of the merchants-vendors-providers, there’s not much value being provided.

  3. Andrew Barratt Says:

    Its just a shame the QSA’s can’t vote on the SIGS. We constantly get asked “whats the SIG going to be about?” I think its really important to have QSAs involved in the SIG from inception so that strange ambiguities can be avoided in the wording of papers issued by SIGs.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.