The Payment Card Industry data security standards, which influence the design of networks where sensitive payment-card account data is stored, are expected to be further revised by the PCI Security Standards Council over the next few months.
Bob Russo, general manager of the PCI Security Standards Council, says that by early summer the organisation expects to be able to issue a summary for a new PCI standard, which would go into effect in about October.
Russo, who will speak about this topic at the upcoming RSA Conference in San Francisco, said the council is readying guidelines on technical topics that include end-to-end encryption for account data and the use of virtualisation technologies, with the expectation that a new payment transaction standard will be ready.
"In May, we'll be ready with a draft revision of what the standards will look like," Russo says. "In early summer, there'll be a summary of what the changes will be."
The past year has been a feedback period in which public comment was sought on the existing PCI DSS 1.2 standard and other guidelines that have been issued by the council.
"We have almost 3,000 pieces of feedback," Russo says. In July of last year, the council did issue new guidelines for using wireless LANs in networks handling sensitive payment-card data. Some submitting commentary to the council are simply looking for clarification on the current PCI standards mean, Russo notes.
The council is on track to be able to issue a revised payment-card standard by October, which will contain a specific timeframe in which it will go into effect. Merchants and service providers handling sensitive payment-card information are required by their banks and the credit-card associations to adhere to PCI rules and typically undergo a formal PCI audit annually.