Regulatory changes are coming for the payment-card industry, say leaders of the PCI Security Standards Council, the global forum responsible for developing and implementing security standards for cardholder data protection.
The council, which has about 500 participants, just completed the annual process of electing its board of advisers.
Cisco and Citrix Systems were among the victorious candidates this week, winning a combined 14 elected positions on the 21-member advisory board, which will be providing feedback on upcoming initiatives.
Among these initiatives are possible new requirements around the use of virtualisation and wireless technologies, as well as more definitive answers on how to "scope," or set the limits of, a PCI assessment.
Still unclear is whether the council will back the concept of end-to-end encryption as a way for the industry to help fight payment-card fraud, such as the breach that struck Heartland Payment Systems earlier this year.
While no deadlines have been set, the council does expect this summer to take a stab at creating a guidance document for use of wireless, says Lib De Veyra, chair of the council. The main input for that effort will come from the Wireless Special Interest Group (SIG), headed up by Verifone.
It is also anticipated that by year-end there will be implementation guidelines on use of virtualisation technologies, according to Troy Leach, the council's technical director. Much of that input will come from the Virtualization SIG, headed by Bank of America.
The current set of data-security standards, PCI DSS 1.2, was issued last October. The council is in a "feedback year" but is likely to issue a "potential 1.3 or 2.0 standard" as a significant revision in 2010, says De Veyra, who is also vice president of emerging technologies at JCB Credit Card Co.