Security group stretching payment-card standards cycle to three years

The Payment Card Industry Security Standards Council Tuesday announced it will begin moving to a three-year cycle related to the main technical standards it issues for protection of sensitive payment-card information, allowing merchants and others more time to adopt them.

By Ellen Messmer

June 22, 2010, Network World

The PCI Security Standards Council will issue its updated Data Security Standard (PCI DSS) as planned this October -- the current version is called DSS 1.2 and was issued October 2008. The anticipated new version of DSS has no official name or number assignment yet. 

But instead of requiring the new DSS to go into effect immediately as the baseline for PCI compliance and assessment, as has been the custom in the past, it will not be effective until Jan. 1, 2011. In addition, future versions of DSS (which had been tracked on a two-year cycle), as well as the two other standards known as Payment Application DSS and PIN Transaction Standard, will all be moving along a three-year review and issuance cycle.

"We've gotten feedback that people want this," says Bob Russo, general manager of the PCI Security Standards Council. "It gives merchants more time to understand them. It gives us the ability to gather a lot more feedback, and consider market dynamics and emerging threats."

The official complete retirement of PCI DSS 1.2 is expected to be after Dec. 31, 2011. "We will sunset the old one, and it will be totally gone," Russo says. But the 14-month phase-out is intended to allow some merchants and others in the middle of a PCI DSS 1.2 assessment to continue with the process without disruption.

In the future, the feedback, clarification and guidance process related to updates of standards should culminate in the April to August 2012 timeframe, with the goal of issuing a summary of changes in the May to July 2013 timeframe, with an October 2013 publication of future standards.

But if unexpected threats or other compelling reasons dictate a faster change, the council reserves the right to issue an "errata" notice for any changes needed quickly.

Originally published on www.networkworld.com.