The Payment Card Industry Security Standards Council announced it will begin moving to a three-year cycle related to the main technical standards it issues for protection of sensitive payment-card information, allowing merchants and others more time to adopt them.
The PCI Security Standards Council will issue its updated Data Security Standard (PCI DSS) as planned this October - the current version is called DSS 1.2 and was issued October 2008. The anticipated new version of DSS has no official name or number assignment yet.
But instead of requiring the new DSS to go into effect immediately as the baseline for PCI compliance and assessment, as has been the custom in the past, it will not be effective until Jan. 1, 2011. In addition, future versions of DSS (which had been tracked on a two-year cycle), as well as the two other standards known as Payment Application DSS and PIN Transaction Standard, will all be moving along a three-year review and issuance cycle.
"We've gotten feedback that people want this," says Bob Russo, general manager of the PCI Security Standards Council. "It gives merchants more time to understand them. It gives us the ability to gather a lot more feedback, and consider market dynamics and emerging threats."
The official complete retirement of PCI DSS 1.2 is expected to be after Dec. 31, 2011. "We will sunset the old one, and it will be totally gone," Russo says. But the 14-month phase-out is intended to allow some merchants and others in the middle of a PCI DSS 1.2 assessment to continue with the process without disruption.
In the future, the feedback, clarification and guidance process related to updates of standards should culminate in the April to August 2012 timeframe, with the goal of issuing a summary of changes in the May to July 2013 timeframe, with an October 2013 publication of future standards.
But if unexpected threats or other compelling reasons dictate a faster change, the council reserves the right to issue an "errata" notice for any changes needed quickly.