Cloud Computing, Online Security Garner Further PCI Council Study

Card data security risks for online merchants or those operating payment schemes via cloud computing will get much attention next year from the Payment Card Industry Security Standards Council.

The PCI council chose cloud computing, e-commerce security and risk management as the topics its special interest groups will address. Nearly 500 of the council’s 650 participating organizations voted to select the three most pressing security matters facing the payments industry, the council announced Nov. 15.

Topics chosen this year for study indicate “a thirst for clarity” among participating organizations regarding the complexities of keeping data secure in a cloud-computing environment or through online merchandising, Bob Russo, PCI council general manager, tells PaymentsSource.

When participating organizations used feedback sessions to ask for more guidance related to early detection of data risks in their payment processes, the council created risk management as an area of study, Russo says.

“That group will explore best practices for merchants and providers regarding risk-based assessments, essentially for knowing cardholder data risks early in the process of operating their business,” Russo explains.

When each special interest group ultimately establishes recommendations within the next year, the council will establish new security standards at the end of 2012, concluding a three-year cycle emphasizing feedback and study, Russo adds.

The council created a new process for establishing the areas of study for 2012 in hopes it could help special interest groups establish deadlines and more clearly define goals, Russo says.

“In the past, any participating organization could propose a special interest group topic of study, and if the PCI council board approved it, that participating organization would run its own [study group],” Russo says. “Wonderful things got done with that process, but it needed to be more succinct and not be allowed to just meander along.”

Knowing all volunteers in a special interest group “have day jobs” and often take a long time to organize meetings or come to a consensus on recommendations, the council established the new format, Russo says.

The new process calls for all ideas gathered from feedback periods to be narrowed down by the council board to seven key topics, from which participating organizations would vote to establish a consensus on the top three, Russo explains.

“When the volunteers are set for the special interest groups, the council will use its resources to manage the process to keep it moving along,” Russo says.

In previous years, changing technology or differences of opinion among the group members would cause the charter of the special interest group to change, or results would not be quite what the group had intended, Russo says.

“Now we have a really good process in place with a specific timetable,” Russo adds.

The council accepts volunteers for each special interest group through the end of November. The groups meet in December to establish goals and start working on those goals in early 2012, Russo says.

Past special interest groups have established data-security recommendations on wireless security, EMV chip-and-PIN, virtual computer environments and advanced encryption.

Any participating organization of the council can volunteer for a special interest group by sending an email to sigs@pcissc.org by Nov. 30, the council stated in a press release.
