Wednesday, June 27, 2012

P2PE, SIGs, and Other News from the PCI Council

The PCI Council issued their latest Participating Organization newsletter today, June 27.  There is some interesting news here on several fronts that may have an effect on a number of schools.  Here are some of the details.

As most of you know, NACUBO is a Participating Organization in the PCI Security Standards Council.  As one of your representatives, I get a copy of the newsletter and try to share with you -- NACUBO members -- all the latest.  

One of the more interesting pieces of news dealt with the emerging technology, Point-to-Point Encryption (P2PE).  Tomorrow, June 28, the Council will list both the new P2PE Program Guide and the latest Self-Assessment Questionnaire (SAQ) for P2PE merchants.  I am particularly interested in seeing the SAQ P2PE (or whatever it will be called) to see what it includes.  My guess is that it will focus on requirements 9 (physical security, particularly the POS devices) and 12 (policies).  In fact, there is a good chance that those will be the only requirements.  We'll all see soon.

The P2PE Program Guide will be of great interest to me as a QSA (and part of a P2PE QSA firm!).  This document will describe the submission and listing process for P2PE solution providers.  Keep in mind that only P2PE solutions approved and listed by the PCI Council will count, and only merchants implementing those approved solutions will be able to use SAQ P2PE.  In fact, approved solutions are the only ones you should be considering.

Another important announcement is the opening of the nomination process for 2013 Special Interest Groups (SIGs).  This year, there are three SIGs -- ecommerce, cloud computing, and risk analysis.  Each SIG is finalizing its report for release later this summer.  Participating Organizations (and QSAs, too!) can nominate topics for a SIG.  My guess is there will be a limit again next year, and I doubt there will be more than three.  If you have any suggestions and your school is a PO, please make them to the Council.  If your school is not a PO, then forward your suggestions either to me or my colleague Tom Davis, and we'll see if we can toss them in the hopper.

Next, the Qualified Integrator and Reseller (QIR) program is getting started.  If you have a payment application that is installed or maintained by a system integrator or reseller, this program is important to you.  Make sure your installer, integrator, or reseller is trained by the PCI Council and approved.  This program makes sure you get what you pay for: your PA-DSS application installed properly and according to the vendor's PA-DSS Implementation Guide.  It's your money and your risk, and I personally am a huge fan of this program.  It won't rid the industry of the bad players, but it may help you find the good ones.

Lastly, if you missed the Council's guidance on implementing mobile payments, you can click here to download a copy.
