Monday, November 21, 2011

SIGs for 2012

The votes are in, and the three Special Interest Groups for 2012 are:

  • Cloud
  • eCommerce Security
  • Risk Assessment.

The selection of eCommerce Security is very good news for all Higher Ed institutions (see previous post here). I ranked the eCommerce SIG as the top priority for Higher Ed, so it is good to see it on the list. Now we should get some detailed guidance on how best to implement hosted order pages, shopping carts, and dedicated payment workstations.

Tuesday, November 1, 2011

PCI 2.0 Comment Period Now Open

Hard as it may be to believe, PCI 2.0 is no longer all that "new." In fact, starting today, November 1, the official comment period is now open. That means I want to hear from you on your experiences with PCI 2.0.

Both PCI DSS and PA-DSS have a three-year lifecycle. It has now been one year since both standards were aligned and version 2.0 became effective at the start of 2011. That means we are entering the comment phase where your experiences are important. Keep in mind that while the version has a three-year lifecycle, there are provisions for regular updates to reflect the experience of merchants, service provider, and vendors.

NACUBO, in partnership with the Treasury Institute, is a Participating Organization (PO) in the PCI Council. Tom Davis of Indiana University and I represent NACUBO - and by inference you - at Council meetings and deliberations. Therefore we want to hear what your experiences have been with PCI 2.0 so we can assemble our comments and get them to the Council.

There are a couple of things to understand. First, NACUBO gets to make five comments. That is, we can request clarification or changes or whatever to five PCI requirements. Tom is working the EDUCAUSE angle, and I am asking for comments through the Institute's blog. Maybe somebody can even post something on the PCI listserve? (hint, hint.)

I would like to ask you to organize your thoughts, experiences, and feedback on PCI 2.0. You can send comments directly either to me ( or Tom ( If your school is already a Participating Organization, then be sure to get your whole PCI team together and have your voice heard. After all, that is one of the reasons you are paying to be involved in the Council.

Both of us, along with NACUBO and the Treasury Institute, look forward to receiving your comments.

Straight Talk on Tokenization

Are you looking at tokenization as a way to reduce your PCI scope? My guess is that you or at least some of your campus merchants are, and therefore you will want to be as up-to-date as you can especially with the recent PCI Council guidance on tokenization and PCI scoping.

Many campus merchants are considering various tokenization strategies (or at least their software and service providers are pitching tokenization to them). As I've written before (see here, and here), tokenization has a lot of benefits. It also has some things you need to be careful of, and definitely some things you need to know before you go signing any contracts with token providers.

On Thursday, November 3 I will be participating in a tokenization webinar entitled: Straight Talk on the New PCI Tokenization Guidelines -- A QSA's Viewpoint. The webinar is sponsored by Intel (which also sponsored some of my tokenization research and the Tokenization Buyer's Guide). I will discuss tokenization in general, some of the different approaches, and which implementation might be best for which types of merchants.

If you are interested, you can register using this link. Yes, there will be a description of (i.e., pitch for) Intel's product offering at the end, but the majority (my part) is vendor agnostic and explores both third-party hosted and internal solutions.

If you are considering tokenization, you may want to have a listen. If you can't make the live webinar, I'm guessing they will have a recording available.