
Special Interest Groups

2015 SIG Results

Through the election process, the Participating Organization community chose Effective Daily Log Monitoring and Managing Shared Responsibilities with Third Party Service Providers as the two projects to pursue as the next PCI Special Interest Groups in 2015. Both new Special Interest Groups commence in January and the deliverables are expected to be published at the end of 2015.

If you are a Participating Organization, QSA, ASV, or Affiliate Member, and would like to join one of these SIGs, please click the ‘Register’ button below to sign up.

2015 SIG Projects

Effective Daily Log Monitoring

Purpose
Provide guidance and techniques to improve daily log monitoring to meet PCI DSS requirements, including available tools and examples/evidence from recent breaches.

Background
Evidence of breaches has been found in merchant logs. The details were extremely difficult to find due to the high volume of logged events.
Log collection and daily log review are required by PCI DSS. The volume of logs collected by merchants can be huge; at the peak of the day, some organizations see over 50,000 events per second. This makes it time consuming and often difficult to review and monitor those logs accurately enough to meet the intent of PCI DSS.

Objectives
The objectives for this SIG are the following:

  • Provide guidance and techniques to improve daily log monitoring to meet PCI DSS requirements as well as other business considerations.
  • Provide guidance on the types of tools that can be used to assist in the aggregation and review of required logs.
  • Provide examples/evidence of how log entries can assist in identification of potential breaches.
  • Provide guidance on implementing correlation and monitoring methods for logs.

Deliverables & Timeline
Listed below is the deliverable expected for the Guidance on Effective Daily Log Monitoring SIG and the respective duration:

  • Information Supplement – Daily Log Monitoring guidance; expected duration of 9-12 months, commencing on January 22, 2015.

Managing Shared Responsibilities with Third Party Service Providers

Purpose
Develop guidance on how to accurately report shared responsibilities between assessed entities and their third party service provider(s) to ensure the understanding of the scope of the services provided, as well as both parties' shared responsibilities.

Background
Merchants rely on third party service providers to be PCI DSS compliant. As a result, a third party service provider may have multiple entities assessing its networks.
Assessment reporting and services performed by multiple entities cause gaps in reporting, as well as a lack of understanding of the scope of services.
To improve the level of assurance of concurrent assessments between assessed entities and their third party service provider, responsibilities, reporting, and scope of services need to be aligned.

Objectives
The objective for this SIG is the following:

  • Develop guidance, with a focus on monitoring and maintaining security, on how to accurately report shared responsibilities between assessed entities and their third party service provider(s), to ensure understanding of the scope of the services provided as well as both parties' shared responsibilities.

Deliverables & Timeline
Listed below is the deliverable expected for the Shared Responsibilities SIG and the respective duration:

  • Information Supplement – Shared Responsibilities guidance; expected duration of 12 months, commencing on January 8, 2015.

2014 SIG Projects

Penetration Testing Guidance

Purpose
The purpose of this SIG is to update the PCI DSS Information Supplement: Requirement 11.3 Penetration Testing document released in 2008.

Status
The Penetration Testing Guidance SIG is working to finalize the Information Supplement and is targeting publication in Q1 2015. For more information on the SIG's Terms of Reference, please visit the PO Portal.

Best Practices for Implementing a Security Awareness Program

Status
The Best Practices for Implementing a Security Awareness Program SIG Information Supplement was published in October 2014. Please visit the Documents Library on our website to review the published document.

2013 SIG Projects

Best Practices for Maintaining PCI DSS Compliance

Status
The PCI DSS V3.0 Best Practices for Maintaining PCI DSS Compliance SIG guidance document was published in August 2014. Please visit the Documents Library on our website to review the published document.

Third-Party Security Assurance

Status
The Third-Party Security Assurance SIG guidance document was published in August 2014. Please visit the Documents Library on our website to review the published document.

Special Interest Group participants have made significant contributions to the development of Council Standards, tools and educational resources over the years. The Council recognizes and thanks the many SIG volunteers and their contributions. Outcomes of SIG collaboration and PO participation to date include:

For more information about PCI SSC SIGs, please review the questions on this page or feel free to email us at sigs@pcisecuritystandards.org.

SIG Frequently Asked Questions

Any Participating Organization (PO), Qualified Security Assessor (QSA), Approved Scanning Vendor (ASV), or PCI Council Member is invited to propose a Special Interest Group during the open proposal period, which ran between 2 June and 7 July, 2014.

If you have any specific questions about the SIG proposal process, please email sigs@pcisecuritystandards.org.

A PCI SSC representative will chair, lead and project manage SIG work. This collaboration will free SIG volunteers to focus on contributing subject matter expertise, without responsibility for logistical matters. This also ensures greater alignment between SIG volunteer contributions and PCI SSC direction.

Ultimately, SIGs are chosen directly by the Participating Organization membership, which represents merchants, financial institutions and payment processors - the organizations that implement PCI Standards.

After the close of the SIG proposal period, a selected list of proposals will be drawn up by PCI SSC. This process is aimed at consolidating any overlapping proposals and ensuring shortlisted proposals are focused on areas the Council can commit to supporting in the coming year.

Presentations from POs, QSAs, ASVs, and PCI Council Members on selected SIG proposals will be given at the North American and European Community Meetings. After the Community Meetings, Participating Organization Business Contacts will vote via an electronic ballot to determine which proposals will be supported by PCI SSC.

Topics covered by SIG collaboration and PO participation to date include the following, all of which are available in the Documents Library:

SIG work may clarify specific requirements within a PCI Standard, examine how PCI Standards apply within a given industry or environment, or address any other area that supports the Council's mission of raising awareness and increasing adoption of PCI Standards. Because the Council is focused on providing tools and resources to secure payment card data within the current payment system, and must also operate within a strict anti-trust framework, a focus outside the current payment system is beyond our scope and would not be an appropriate topic for a PCI SSC SIG project.
