As you may have heard on the grapevine, 2-sec's SIG proposal for Third Party Security Assurance was accepted, and we are currently working with the PCI SSC to flesh out plans for improving service provider engagement guidance and influencing the outcome of PCI DSS v3.0, to help better serve and secure the payments community.
Control 12.8 was the subject of a large amount of feedback to the council over the past year. The community has long been duped by vendors and service providers who maintain that their offerings are “PCI DSS Compliant”, yet have little or no validation to back this up; the claim often goes unchallenged until negotiations hit the contract stage, and the contract just seems to get signed off anyway.
Any ideas or feedback as to what you'd like to see the SIG doing would be much appreciated, especially case studies or examples where 12.8 has gone wrong and how it could be improved.
To facilitate discussion we have created a thread in the following LinkedIn group. The group is limited to PCI professionals only, and membership is moderated to ensure high-quality, relevant discussion:
http://www.linkedin.com/groups/PCI-DSS-Professionals-1174827/about
Do get in touch if you would like any further information – tim.holman@2-sec.com