Vote Now: Why Retailers Really Should Help Select PCI SIGsWritten by Walter Conway
A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.
This is a good week for every retailer’s IT, security and business departments, because they will have a relatively rare chance to sharply influence PCI issues. The PCI Council’s Special Interest Group (SIG) nominees for the coming year are coming up, and these folks have a key vote. The reason is that the Council has a short list of seven proposed SIGs, only three of which will be selected. Which three are chosen is solely based on the votes of Participating Organizations. Whichever nominees the Participating Organizations decide to support with their vote, it will need to be done quickly: Online voting starts this week and ends November 4.
There are two changes to the SIGs this year. One change is that a Council staffer will lead the SIG (previously, the chair was a member of the PCI Council’s Board of Advisors). The other change is that each SIG must complete its work in one year. In years past, SIGs could—and sometimes did—run indefinitely, becoming a source of frustration for everyone. The changes should mean each SIG is focused on delivering results.
A SIG brings together a broad spectrum of PCI stakeholders, including merchants, processors, vendors and QSAs. Volunteers from these organizations work together with PCI Council staff to clarify a PCI requirement or to develop guidance on a particular subject. SIGs produce a written document with their findings and guidance, which the Council publishes for use by by merchants, processors and QSAs. Previous SIGs have addressed issues such as wireless networking, virtualization, the EMV standard and, most recently, tokenization and point-to-point encryption.
The PCI Council offers several opportunities for Participating Organization feedback. Few of these opportunities, however, are as concrete as this one: Participating Organizations will not just advise, they will actually select the winning SIGs. Therefore, retailers should weigh their choices carefully.
Following is an overview of the seven candidate SIGs in the order in which they were covered at the PCI Community Meeting. Each one is worthy of a SIG. However, because participants can only pick their favorite three (in order), the selection process may generate some discussions within Participating Organization:
- Administrative Access to Systems and Devices. This SIG would clarify how to comply with Requirement 2.3, which requires encrypting all non-console administrative access. Although this proposal got a number of comments, there may be more important candidates.
- How to Write a Risk Assessment. This SIG aims to help with Requirement 12.1.2 by offering guidance beyond that offered by ISO 27005 and NIST 800-30. In particular, the SIG plans to develop approaches for larger Level 1 and 2 merchants, in addition to smaller Level 4s, who may have very different needs. As a QSA who sees risk analyses of widely varying comprehensiveness and thoughtfulness, I am hoping this SIG makes the cut.
- Patch Management. Requirement 6.1 requires critical patches to be installed within 30 days, a daunting task given the frequency of patches from application and operating system vendors and the need to analyze and test the patches before they are installed. The SIG would offer guidance on ways to meet this requirement (or even modify it?), which is a source of pain in many IT organizations. My guess is that this one will get a lot of support from the IT operations crowd.