Blog Post: Your Vote Counts

By Bill Farmer

Next week the polls close, and the votes will be tallied. Come 2013, the issues that matter most to us all will be addressed by a consortium of great minds dedicated to tackling the most pressing challenges facing us today.

But instead of the US Presidential Elections, I’m speaking of the PCI Security Standards Council Special Interest Group voting, which closes on Friday, November 9th for PCI Participating Organizations (POs).

Every year the PCI Security Standards Council (PCI SSC) provides an opportunity for POs to leverage their business and technical expertise to collaborate on supporting guidance or special projects relating to the PCI Security Standards by convening Special Interest Groups (SIGs).

The objective for these SIGs is to recommend changes, clarifications or improvements to the PCI Standards and the programs that support them. Each year, a number of possible SIG projects are proposed for further examination and discussion.

The SIG proposals with the most votes from POs advance to a committee stage, where they are evaluated and the PCI Council determines whether adjustments need to be made.

Each PO gets two votes, and we at Mako Networks urge our colleagues at other POs to consider using one of those votes to make a difference in the way third-party security is assessed.

We’ve said before, as in our recent whitepaper, that the PCI community and the wider payments and security industry need to come together to find a way to validate third-party security when it comes to PCI DSS compliance. There’s simply too much at stake to leave it to merchants to determine who’s compliant and who isn’t, and to accurately assess their own risk when it comes to handling cardholder data. By endorsing this SIG proposal, we’ll be able to make headway in ensuring third parties are properly validated, and foster greater transparency about PCI compliance status among vendors.

The scope of this SIG is to examine PCI DSS requirement 12.8:

12.8 If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service providers, to include the following:

  • 12.8.1 Maintain a list of service providers.
  • 12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.
  • 12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.
  • 12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.

This SIG will create a set of best-practice due diligence steps, applicable both before and during a service provider engagement, to help assure the security of third parties. We at Mako think this is an excellent idea, and long overdue.

Participating Organizations have until November 9th to place their votes through the PO portal, linked here. Using the drop-down menu on your voting form, select ‘Third Party Security Assurance’ as one of your votes.

Thanks in advance for your consideration on this important matter.