Security group stretching payment-card standards cycle to three years

PCI DSS update set to be issued in October

The Payment Card Industry Security Standards Council Tuesday announced it will begin moving to a three-year cycle related to the main technical standards it issues for protection of sensitive payment-card information, allowing merchants and others more time to adopt them.

The PCI Security Standards Council will issue its updated Data Security Standard (PCI DSS) as planned this October -- the current version is called DSS 1.2 and was issued October 2008. The anticipated new version of DSS has no official name or number assignment yet.

But instead of requiring the new DSS to go into effect immediately as the baseline for PCI compliance and assessment, as has been the custom in the past, it will not be effective until Jan. 1, 2011. In addition, future versions of DSS (which had been tracked on a two-year cycle), as well as the two other standards known as Payment Application DSS and PIN Transaction Standard, will all be moving along a three-year review and issuance cycle.

"We've gotten feedback that people want this," says Bob Russo, general manager of the PCI Security Standards Council. "It gives merchants more time to understand them. It gives us the ability to gather a lot more feedback, and consider market dynamics and emerging threats."

The official complete retirement of PCI DSS 1.2 is expected to be after Dec. 31, 2011. "We will sunset the old one, and it will be totally gone," Russo says. But the 14-month phase-out is intended to allow some merchants and others in the middle of a PCI DSS 1.2 assessment to continue with the process without disruption.

In the future, the feedback, clarification and guidance process related to updates of standards should culminate in the April to August 2012 timeframe, with the goal of issuing a summary of changes in the May to July 2013 timeframe, with an October 2013 publication of future standards.

But if unexpected threats or other compelling reasons dictate a faster change, the council reserves the right to issue an "errata" notice for any changes needed quickly.
