PCI Council Sets Priorities: Cloud Computing, E-Commerce And Risk Management

The Payment Card Industry Security Standards Council intends to zero in on e-commerce, cloud computing and risk management.

Those three topics emerged as most pressing in voting by nearly 500 of the council’s 650 participating organizations, the council announced Nov. 15.

The topics indicate “a thirst for clarity,” Bob Russo, PCI council general manager, tells ISO&Agent Weekly.

When participating organizations used feedback sessions to ask for more guidance on early detection of data risks in their payment processes, the council chose risk management as an area of study, Russo says.

“That group will explore best practices for merchants and providers regarding risk-based assessments, essentially for knowing cardholder data risks early in the process of operating their business,” Russo says.

After each special interest group makes recommendations in the next year, the council will establish new security standards at the end of 2012, concluding a three-year cycle emphasizing feedback and study, Russo notes.

The council created a new process for establishing the areas of study for 2012 in hopes it could help special-interest groups establish deadlines and define goals, Russo says.

“In the past, any participating organization could propose a special-interest group topic of study, and if the PCI council board approved it, that participating organization would run its own [study group],” Russo says. “Wonderful things got done with that process, but it needed to be more succinct and not be allowed to just meander along.”

The council established the new format knowing that the volunteers in special-interest groups “have day jobs” and often take a long time to organize meetings or come to a consensus, Russo says.

The new process calls for the council board to narrow the ideas gathered from feedback periods to seven topics, on which participating organizations would vote to establish a consensus of the top three, Russo says.

“When the volunteers are set for the special-interest groups, the council will use its resources to manage the process to keep it moving along,” Russo says.

In previous years, changing technology or differences of opinion among the group members caused the charter of the special interest groups to change, or results would not be quite what the group had intended, Russo says.

“Now we have a really good process in place with a specific timetable,” he adds.

The council accepts volunteers for each special interest group through the end of November. The groups meet in December to establish goals and start working on those goals in early 2012, Russo says.

Past special interest groups have established data-security recommendations for wireless security, EMV chip-and-PIN, virtual computer environments and advanced encryption.

Any of the council’s participating organizations may volunteer for a special interest group by sending an email to sigs@pcissc.org by Nov. 30, the council said in a press release.

