E-Commerce Guidelines. This SIG is in response to the desire of many merchants to outsource their E-Commerce payments and reduce their PCI scope. The problem is that there are so many different options (e.g., hosted order page, shopping carts, APIs linking to a processor) and possible configurations that merchants may not receive the scope reduction benefits they expected. This QSA believes E-Commerce implementation guidance or a buyer’s guide would be quite valuable to large and small retailers alike.
PCI in the Cloud. The informal name for this SIG is “Virtualization SIG v 2,” because it would extend the work of the earlier Virtualization SIG. The objective is to pull together the work of existing standards bodies to address the “we are compliant in the cloud” versus “you can never be compliant in the cloud” arguments. As noted in the presentation at the PCI Community Meeting, much of the research exists; what is missing is putting that information in a PCI context. My guess is SIG one, too, will get a lot of support.
Small Businesses and PCI. This proposed SIG recognizes both the lack of PCI compliance in small merchants and their increased vulnerability to a credit-card breach. Its objective is to identify the barriers to compliance and how the Council can communicate with this broad audience who is focused more on the next sale than security. Although the need is real, it seems that card acquirers, processors or even trade associations are each better positioned take on this market research than the PCI Council. I would be surprised if many Participating Organizations support this proposed SIG.
Managing Hosted Service Providers. This SIG aims to provide merchant guidance on how to use a hosted service provider and assign responsibility for PCI requirements (e.g., retailer, service provider, processor) based on different service offerings. The SIG hopes also to address the inconsistency whereby a merchant can be PCI compliant while depending on a service provider that is not compliant. However, an audience question at the recent Community Meeting echoed my own thoughts: Isn’t this topic already covered in Requirement 12.8?
The PCI Council sent to each Participating Organization a link to the video of the presentations on each proposed SIG. Today might be a good time to speak with your representative and take a look at the videos (they are only about 10 minutes or less each) before considering your vote. Each Participating Organization votes for a first, second and third choice, and the three SIG nominees getting the most votes will be funded for 2012. Voting ends November 4, though, so don’t wait too long to decide or the opportunity may pass you by.
I don’t know of too many standards or regulatory bodies that allow their constituents to decide what topics should be explored and where additional guidance is desired. It would be a shame if retailers did not consider their business and technical needs together and have their voices heard.
What do you think? I’d like to hear your thoughts. Do you agree with my thoughts on the SIGs? What are your choices? Either leave a comment or E-mail me at wconway@403labs.com.
-Marc
October 27th, 2011 at 3:08 pm
Based on my experience, if all the SIG’s run like the tokenization SIG was, I’m not sure the point. They either ignore the feedback and do what they want anyway or only pay attention to the big payers (I’m not sure?).
November 1st, 2011 at 3:23 pm
Steve’s right – it’s a ‘token’ gesture. Seriously, it’s great the sponsoring orgs will get a voice, but that’s a tiny consolation prize. I like the 1 year requirement for completion, but if the PCI council can fold a SIG and ignore the advice of the merchants-vendors-providers, there’s not much value being provided.
November 2nd, 2011 at 3:31 pm
Its just a shame the QSA’s can’t vote on the SIGS. We constantly get asked “whats the SIG going to be about?” I think its really important to have QSAs involved in the SIG from inception so that strange ambiguities can be avoided in the wording of papers issued by SIGs.