The Payment Card Industry Security Standards Council (PCI SSC) will update the Payment Card Industry Data Security Standards (PCI DSS) on a new three year cycle.
PCI DSS has been on a two year update cycle. The council made the changes to give merchants more time to implement the standards between iterations. In addition, the PIN Transaction Security (PTS) requirements and the Payment Application Data Security Standard (PA-DSS), will also be moved to a three year development cycle.
The changes also give merchants, banks, processors and vendors more time to submit feedback about propose changes and additional time to discuss feedback at two community meetings prior to finalizing any changes in year three.
"Moving the revision cycles to three year periods for all three existing standards ultimately means organizations have additional time to focus on making sure they have the appropriate processes and controls in place to secure cardholder data," Bob Russo, general manager of the Council said in a statement.
Russo did not rule out any mid-lifecycle changes. The council will evaluate technologies and threats and issue guidance materials or changes as necessary, he said.
The new 36-month lifecycle is broken into eight stages, allowing for a gradual, phased introduction of new versions of the standards to prevent organizations from becoming noncompliant when changes are published. The Council said the new time period also provides greater transparency into the development process, encouraging more participation from stakeholders.
The last major update to PCI DSS was in 2008. In an interview conducted in March, Russo said he anticipated no major revisions to the PCI standard due in October. The council may provide guidance documents on so called end-to-end encryption technologies and the use of tokens to replace credit card numbers in merchant systems. A guidance document may also address the rising use of virtualization technologies in the payment process.
A draft revision of the new standard is available and the organization will gather any remaining feedback at its community meetings in September.