Indian infosec firm wins PCI SIG focus proposal for 2012

A proposal for the PCI special interest group (SIG) focus from SISA Information Security was among the three winning entries in the PCI SIG 2011 elections.

On Tuesday, the Payment Card Industry Security Standards Council (PCI SSC) announced the results of its election to decide the focus areas for PCI special interest group (SIG) initiatives during 2012. Bengaluru-based information security consultancy SISA Information Security’s proposal for risk assessment as a SIG focus area has been selected among the winning entries. The selection process consisted of over 500 votes cast to prioritize among seven shortlisted topics. The other topics around which SIGs will be planned are cloud and e-commerce security.

SISA claims to have become the first Asian infosec firm to break into what has been an exclusively Western preserve. Dharshan Shantamurthy, chief consultant and CEO, SISA Information Security, expects the Indian infosec community to receive significant visibility on the global scale as a result of this development.

This is the first SIG election to be held by the PCI council. Previously, SIG initiatives were decided by the PCI board of advisors. A decision was made this year to directly address the needs of the community and the payment card industry, says Shantamurthy.

SISA’s paper on risk assessment was selected from a host of international applications. After culling down the received nominations to 13 and eliminating overlaps, seven papers were chosen. These were subjected to voting by the participating organizations. SISA won a majority community vote of 72% for its proposal.

The SIG will be led by a PCI council member, and SISA is expected to play an active role in the group’s development. However, Shantamurthy says that he does not have visibility on the specifics of SISA’s role. The SIG’s next plan is to invite risk assessment experts from participating global organizations to champion its cause.

The SIG document is expected to focus on structured risk assessment, and is not meant to supersede the standard. “This will hopefully translate to savings in time and money for organizations, in addition to increasing the PCI standard’s focus on risk,” adds Shantamurthy.
