Card data security risks for online merchants or those operating payment schemes via cloud computing will get much attention next year from the Payment Card Industry Security Standards Council.
The PCI council, which manages the PCI data security standard, chose cloud computing, e-commerce security and risk management as topics special interest groups will address after a process in which nearly 500 of the council's 650 participating organizations voted on the three most pressing security matters facing the payments industry, the council announced Tuesday.
Topics chosen this year for study indicate "a thirst for clarity" among participating organizations regarding the complexities of keeping data secure in a cloud-computing environment or through online merchandising, says Bob Russo, PCI council general manager.
The council's risk group "will explore best practices for merchants and providers regarding risk-based assessments, essentially for knowing cardholder data risks early in the process of operating their business," Russo says.
When each special interest group ultimately establishes recommendations within the next year, the council will establish new security standards at the end of 2012, concluding a three-year cycle emphasizing feedback and study, Russo says.
The council created a new process for establishing the areas of study for 2012 in hopes it could help special interest groups establish deadlines and more clearly define goals, Russo says.
"In the past, any participating organization could propose a special interest group topic of study, and if the PCI council board approved it, that participating organization would run its own [study group]," Russo says. "Wonderful things got done with that process, but it needed to be more succinct and not be allowed to just meander along."
Knowing all volunteers in a special interest group "have day jobs" and often take a long time to organize meetings or come to a consensus on recommendations, the council established the new format, Russo says.
In previous years, changing technology or differences of opinion among the group members would cause the charter of the special interest group to change, or results would not be quite what the group had intended, Russo says.
"Now we have a really good process in place with a specific timetable," Russo says.
Past special interest groups have established data-security recommendations on wireless security, EMV chip-and-PIN, virtual computer environments and advanced encryption.