The consortium behind the Payment Card Industry Data Security Standard is preparing to launch two more special interest groups that will add supplemental guidance to the standard, even as two of its existing groups are lagging months behind schedule.
The PCI Security Standards Council (SSC) announced this week that it has kicked off the effort to solicit topics for new special interest groups (SIGs) -- SSC-led committees that study specific issues or challenges with Payment Card Industry Data Security Standard (PCI DSS) compliance and build supporting supplemental guidance to help organizations that comply with or support compliance efforts for the standard.
Companies that have paid to be members of the SSC and PCI Qualified Security Assessors (QSAs) have until July 7 to submit SIG ideas by filling out the form on the SSC website. Members and assessors will vote on the proposals in November and the two top vote-getters will be selected as SIGs to be developed in 2015.
Though the submission period lasts only about a month, the council said it promotes the submission process among its members throughout the year.
"Historically, we've had very strong participation and given this is the implementation year for DSS 3.0, we anticipate this will again be the case this year," said the SSC in a statement. "However, if for some reason we didn't get proposals we would certainly extend the length of the submission period, as these are community-driven projects."
The SSC has sponsored numerous SIGs in recent years, resulting in supplementary guidance in areas including EMV, wireless, virtualization, tokenization, risk assessment, e-commerce and cloud computing.
However, the beginning of the 2015 SIG selection process will mark the third set of special interest groups operating concurrently. Two SIGs, focused on penetration testing and security awareness programs, are meeting this year and are scheduled to release guidance toward the end of 2014.
The SSC's 2013 SIGs, which were slated to be completed by now, have not yet released their results. A SIG focused on third-party security assurance to supplement DSS requirement 12.8, led by SSC project manager Elizabeth Terry, was slated for completion earlier this year. Meanwhile, a SIG on best practices for maintaining PCI DSS compliance, led by SSC standards manager Mark Mrotek, was expected to be completed in 2013.
According to the SSC, both SIGs have been delayed due to additional group feedback and discussion this month on the guidance documents. The SSC expects both SIGs to complete their work mid-summer and present their findings at the group's community meetings this fall.