2023-06-29 GSWG Meeting Notes

Meeting Date

The GSWG meets bi-weekly on Thursdays at 11:00-12:00 PT / 18:00-19:00 UTC. Check the ToIP Calendar for meeting dates.

Zoom Meeting Link / Recording

Attendees

Drummond Reed
Scott Perry
Neil Thomson
Keerthi Thomas
Steven Milstein
Kyle Robinson
Sully Perella
Ashley Rhéaume
Mary Lacity
Judith Fleenor

Main Goal of this Meeting

Understand the opportunity to create a governance framework for dual-stack interoperability.

Agenda Items and Notes (including all relevant links)

Time | Agenda Item | Lead | Notes

5 min | Start recording; Welcome & antitrust notice; Introduction of new members; Agenda review | Chairs
  • Antitrust Policy Notice: Attendees are reminded to adhere to the meeting agenda and not participate in activities prohibited under antitrust and competition laws. Only members of ToIP who have signed the necessary agreements are permitted to participate in this activity beyond an observer role.
  • Suggestion by Neil Thomson: educate the Governance Stack Working Group on mature governance, compliance and accreditation models already in the marketplace, to help ecosystems adopt new standards.
  • New member: Ashley Rhéaume, part of the Government of Quebec's digital identity team, which is adopting the Trust over IP model.

5 mins | Review of action items from previous meeting | Chairs

5 mins | Announcements | TF Leads
  1. Mary Lacity co-authored an academic paper that looked across disciplines and gathered 13 assumptions about the nature of trust in information technologies: https://blockchain.uark.edu/files/2023/06/BCoEWhitePaper2023POST.pdf
  2. Drummond Reed: announcement from the EU regarding the process of harmonizing on the European digital identity wallet: https://www.consilium.europa.eu/en/press/press-releases/2023/06/29/council-and-parliament-strike-a-deal-on-a-european-digital-identity-eid/
  3. Scott Perry mentioned new crypto regulation for companies that participate in crypto assets in the EU, and his Aug 4 webinar focusing on the crypto assets market in the US & EU.
  4. Judith Fleenor: at the July 19 All Members meeting, Wenjing Chu will give an AI presentation.

30 mins | Adam "Sully" Perella, Schellman Director | Scott Perry (intro)

PCI Governance and Accreditation presentation summarized by ChatGPT:

Presentation

00:13:52.400 → 00:33:33.669

In this meeting transcript, Sully Perella provides background information on the payment standards and processes. He discusses the development of standards in the late nineties in response to increasing fraud in electronic transactions. Different payment brands developed their own standards, which led to the creation of the Payment Card Industry Security Standards Council (PCISSC). The purpose of this organization is to set and monitor standards for organizations involved in payment processing.

Sully explains that the PCISSC is responsible for validating companies and individuals who can perform assessments and evaluations. They ensure that companies follow specific controls related to networking systems, vulnerability management, coding, authentication, logging, alerting, monitoring, and incident response. The PCISSC remains independent and treats all payment brands equally.

The payment brands, which are members of the PCISSC, play a role in identifying fraud and non-compliance. If a bank or payments facilitator fails to comply with the standards, the payment brands take action by imposing penalties or making decisions about dropping services or increasing transaction fees. The PCISSC is not directly involved in assigning culpability or fees but focuses on maintaining and updating the standards.

Sully also mentions the role of Qualified Security Assessor (QSA) companies and employees in conducting assessments. Companies need to meet certain requirements and undergo training to become QSAs. The PCISSC can audit these companies at any time to ensure compliance.

During the meeting, Sully clarifies that sensitive information is removed from assessment reports to protect confidentiality. He emphasizes that the company is responsible for the work of its employees and discusses the remediation process for companies that do not pass assessments.

Overall, the meeting transcript provides an overview of the development of payment standards, the role of the PCISSC, and the responsibilities of payment brands, QSAs, and assessed companies.

Questions & Answers

00:33:37.500 → 00:59:07.760

The transcript revolves around questions and answers related to third-party service providers, their responsibilities, and compliance with PCI DSS (Payment Card Industry Data Security Standard). The conversation highlights different types of service providers, including hosting providers, authentication service providers, networking service providers, payment gateways, and website development and hosting providers. It is mentioned that third-party service providers that handle cardholder data or impact its security are required to undergo assessments and demonstrate compliance.

The conversation also touches on the availability of the PCI DSS standards, transparency, and the role of governing authorities and individual card companies in maintaining compliance lists. It is noted that banks play a crucial role in enforcing compliance and can disallow non-compliant entities from processing credit cards.

The discussion further mentions the concept of a trust registry and the potential impact of trustable computing on general computing security.

5 mins | Any other business

5 mins | Review decisions/action items; Planning for next meeting | Chairs

Slides

Screenshots/Diagrams (numbered for reference in notes above)

Action Items