PCI Security Standards Council®

Special Interest Groups

Special Interest Groups (SIGs) are community-driven initiatives that focus on payment security challenges related to PCI Security Standards.

2018 SIG Election Results

Thank you to Participating Organizations that voted in the SIG election. Participating Organizations chose these as 2018 SIG projects:

Involvement in Special Interest Groups is a great way to provide your expertise to the PCI SSC and develop practical payment security resources for the industry.

If you are interested in participating in one of these SIGs, let us know by emailing sigs@pcisecuritystandards.org

The SIGs will kick off in early 2018 – stay tuned for more information on these initiatives.

2018 Special Interest Group (SIG) Proposals FAQ

Who can form a SIG? How can I propose one?

Any Participating Organization (PO), Qualified Security Assessor (QSA), Approved Scanning Vendor (ASV), and PCI Council Member* are invited to propose a Special Interest Group during an open proposal period that runs between 19 July and 16 August 2017.

To propose a SIG, stakeholders must complete the web-based form found here. If you have any specific questions about the SIG proposal process, please email sigs@pcisecuritystandards.org.

* PCI Council Members is defined as PCI SSC Staff, Payment Brands, Affiliate Members or Strategic Members.

What are some of the areas that SIGs have covered in the past? What topics are appropriate for SIG projects?

Special Interest Group (SIG) initiatives focus on specific payment security challenges that the PCI community wants guidance on addressing. Recent SIG topics include:  Securing E-Commerce and Third-Party Security Assurance.

SIG work may provide clarification on specific requirements within a PCI Standard, examine how PCI Standards work within any given industry or environment, or any other area that supports the Council's mission of raising awareness and increasing adoption of PCI Standards. Since the PCI SSC is focused on providing tools and resources to secure payment card data within the current payment system, and must also operate within a strict anti-trust framework, a focus outside of the current payment system is beyond our scope and would not be an appropriate topic for a PCI SSC SIG project.

Who will lead the SIGs?

A PCI SSC representative will chair, lead and project manage SIG work. This collaboration will free SIG volunteers to focus on contributing subject matter expertise, without responsibility for logistical matters. This also ensures greater alignment between SIG volunteer contributions and PCI SSC direction.

How will SIGs be chosen?

Ultimately, SIGs will be chosen directly by the Participating Organization membership (including Strategic and Affiliate Members) that represents merchants, financial institutions and payment processors - the organizations that are implementing PCI Standards.

At the close of the submission period on 16 August, the PCI SSC will review and consolidate proposals, and SIG candidates will provide presentations for review via the PO portal.

An election via the PO portal will open Monday 16 October and run through Friday 27 October, 2017. Organizations will be able to select and prioritize at least two and maximum of three SIG proposals. The Council will share results in early November, after the voting concludes, and work with the selected groups to create a charter prior to the commencement of the new SIGs.

Cloud Selected as 2017 SIG Topic

Thank you to Participating Organizations that participated in the SIG project selection process. Participating Organizations chose to update the PCI DSS Cloud Computing Guidelines as the focus of our 2017 SIG initiative!

Involvement in Special Interest Groups is a great way to provide your expertise to the Council and develop practical payment security resources for the industry.

The new group will commence in April and the deliverables are expected to be published at the end of 2017.

If you are a Participating Organization, QSA, ASV or Affiliate Member, and would like to join this SIG, please click the ‘Register’ button below and complete the interest form.


2017 Project: Cloud Computing Guidelines


Provide guidance on the use of cloud technologies and considerations for PCI DSS requirements in cloud environments.

The original Cloud Computing Information Supplement was published in 2013 to provide security guidance on various cloud implementations and how such implementations may impact PCI DSS requirements. The document also discussed how security and PCI DSS responsibilities are often shared between cloud service providers and their customers.


The objective of the Cloud SIG is to review and update the existing Information Supplement. SIG participants will identify the specific subject areas to be updated or added to the document.  Considerations may include:

  • Exploring new cloud architectures and service models and changes in previously documented cloud service models.
  • Identifying opportunities to enhance security when migrating to cloud technologies.
  • Updating risks and security challenges to be considered when cardholder data environments utilize different cloud technologies.
  • Clarifying how PCI DSS requirements can be applied to cloud technologies to address the identified risks and challenges.
  • Updating guidance for cloud customers and cloud providers on their respective security and PCI DSS responsibilities.
  • Expanding guidance on how to achieve isolation between in-scope and out-of-scope virtual components.

In accordance with the Payment Card Industry Security Standards Special Interest Groups (SIGs) Rules of Engagement, a PCI SSC representative will chair, lead and project manage the SIG’s work. This SIG chair will assist to drive consensus among SIG members and will also help to ensure alignment between SIG volunteer contributions and PCI SSC direction. The SIG Chair, other PCI SSC participants, and SIG members (including Participating Organizations, payment brand participants, QSAs and ASVs) will work together collaboratively to accomplish the SIG objectives.


The participants are expected to provide expertise in security aspects of Cloud Computing and to actively participate and contribute to the end deliverable. There will be standing calls for the Cloud Special Interest Group, the timing, and frequency of which will be determined during the initial SIG meeting. Participants should allow time to attend meetings and additional time to draft and/or review documents, in accordance with their desired level of participation.

Draft and final versions of the paper will be written by PCI SSC staff and/or SIG members, per individual SIG member’s desired degree of participation.


2016 Project: Best Practices for Safe E-Commerce

The Best Practices for Securing E-commerce guidance document was published on 31 January 2017