PCI Standards to be updated on new three-year cycle

The PCI Security Standards Council will update the PCI Data Security Standard on a new three-year cycle after the latest update is applied in October.

The Payment Card Industry Security Standards Council (PCI SSC) will update the Payment Card Industry Data Security Standards (PCI DSS) on a new three-year cycle.

PCI DSS has been on a two-year update cycle. The council made the changes to give merchants more time to implement the standards between iterations. In addition, the PIN Transaction Security (PTS) requirements and the Payment Application Data Security Standard (PA-DSS) will also be moved to a three-year development cycle.

The changes also give merchants, banks, processors and vendors more time to submit feedback about proposed changes and additional time to discuss feedback at two community meetings prior to finalizing any changes in year three.

"Moving the revision cycles to three-year periods for all three existing standards ultimately means organizations have additional time to focus on making sure they have the appropriate processes and controls in place to secure cardholder data," Bob Russo, general manager of the Council, said in a statement.

Russo did not rule out any mid-lifecycle changes. The council will evaluate technologies and threats and issue guidance materials or changes as necessary, he said.

The new 36-month lifecycle is broken into eight stages, allowing for a gradual, phased introduction of new versions of the standards to prevent organizations from becoming noncompliant when changes are published. The Council said the new time period also provides greater transparency into the development process, encouraging more participation from stakeholders.

The last major update to PCI DSS was in 2008. In an interview conducted in March, Russo said he anticipated no major revisions to the PCI standard due in October. The council may provide guidance documents on so-called end-to-end encryption technologies and the use of tokens to replace credit card numbers in merchant systems. A guidance document may also address the rising use of virtualization technologies in the payment process.

A draft revision of the new standard is available and the organization will gather any remaining feedback at its community meetings in September.

The Council will hold a webinar to discuss the lifecycle changes today at 3 p.m. ET and June 23 at 11 a.m. ET.
