At the Special Interest Group (SIG) session at this year’s PCI Community Meeting, a number of presentations were made regarding the potential PCI SIG topics that will be addressed in the coming year.
The session was structured where the people that created the SIG proposal presented the reason for their proposal and then took questions from the session attendees regarding their proposal.
The PCI SSC received 31 proposals for SIGs this year. Of those, 13 made a short list and seven were selected as finalists to be voted upon.
The SIG finalist topics for 2011 are:
- Administrative Access to Systems and Devices
- Guidance on Risk Assessments
- Level 3 and 4 e-Commerce Merchant compliance guidance
- Hosting and Managed Service Providers Guidance for Small Business
- Cloud Technology v2.0 – a follow on to last year’s SIG
- Patch Management
- Small Business PCI Compliance Guidelines
Once a similar session is held at the European Community Meeting, the PCI SSC will announce the SIG voting period. Participating Organizations (PO) will then vote on the SIG proposals and on November 4, 2011 the PCI SSC will announce the SIG winners.
Once the winners are announced, QSAs, ASVs, and POs can apply to be members of the SIG of their choice through December 2011. With that said, here is my take on this year’s SIG topics.
Administrative Access to Systems and Devices
This SIG is to be created to develop an Information Supplement that explains the options organizations have to comply with PCI DSS requirement 2.3 for securing non-console access to systems and devices.
This is a regular topic of discussion at almost every organization trying to comply with the PCI standards. Based on the number of questions requirement 2.3 generates, there are a similar number of possible solutions. This was probably one of the better SIG proposals presented in my opinion.
Guidance on Risk Assessments
This SIG is to be created to develop an Information Supplement to guide merchants and service providers in what should be the result of a proper risk assessment, not create another risk assessment methodology or framework.
While such an Information Supplement is an admirable ideal, anyone that has ever tried to use OCTAVE, NIST 800-30, ISO 27005 or any other risk assessment framework, you understand why this SIG is a losing proposition.
The problem with every risk assessment methodology or framework I have ever seen is that, while they will identify an organization’s risks, they are unwieldy and take too much effort to get to those answers, if the organization even gets to answers. As a result, most risk assessments are either never completed or are so out of date by the time they are delivered, they are useless.
This is a problem that the various governance focused standards bodies and professional associations really need to address. In my opinion, until these governance organizations address the shortcomings of the risk assessment process and develop a more manageable process, this SIG should be put on a back burner.
Level 3 and 4 e-Commerce Merchant Compliance Guidance
The purpose of this SIG is to develop a checklist that will guide Level 3 and 4 merchants to understand their options of using e-Commerce solutions. The people presenting this SIG proposal made a very good argument that most small merchants have no idea of how ISPs/ASPs provide e-Commerce solutions, let alone what they need to ask these third parties in regards to PCI compliance.
I have to say, given the interactions I have had over the years with various third party service providers, such a checklist would not only serve Level 3 and 4 merchants, but would also provide the third parities with an idea of what their responsibilities are when it comes to PCI compliance.
Hosting and Managed Service Providers Guidance for Small Business
This SIG would develop a checklist for small business on what to look for regarding hosting and managed service providers. This SIG is not as focused on a particular level of merchant, but is meant to provide guidance to all merchants.
It is also focused on all types of third party services, not just e-Commerce solutions providers. In my opinion, this SIG should be combined with the previous SIG.
Cloud Technology v2.0
This SIG is to be a follow on to last year’s original Cloud SIG. It would develop another Information Supplement regarding hybrid Clouds.
Cloud computing is such a problem these days because even IT personnel do not understand “The Cloud,” let alone non-IT personnel. And it certainly does not help when there are all of the Cloud solution vendors that further obfuscate the definition issue by having their own take on what “The Cloud” is and is not. As a result, almost any third party solution can get classified as a Cloud solution.
The problem I had with this SIG presentation is that they really did not define what was meant by a “hybrid Cloud.” Not that you should blame them as I do not think the industry could define this term. As a result, I am skeptical as to the value of this SIG.
This SIG would create an Information Supplement on patch management. For QSAs, we have already been given guidance on this topic. As a result, this SIG should be handled very quickly as all they need to do is write the Information Supplement and disband. Why the PCI SSC could not create this Information Supplement is beyond me.
Small Business PCI Compliance Guidelines
This SIG presentation seemed to cover a lot of the ground covered by the Level 3/4 merchant e-Commerce SIG. The twist here was to develop an Information Supplement or guide for small businesses to guide them through the PCI compliance process.
In my opinion, what might be a better way to address this issue would be to produce one or more videos that small business owners could watch over the Internet to educate them on PCI compliance. The program could be modularized based on the type of merchant, so they would only have to view those topics relevant to their business.
Those are the SIG proposals for this year. It was a tough session to cover as there was a lot of information to cover in the 15 minutes that the presenters were allowed. So I apologize ahead of time if I misunderstood anyone’s proposal. Hopefully in the next couple of weeks the presentations will get posted to the PCI SSC Web site so that they can be downloaded.
Cross-posted from PCI Guru