PCI Update

The PCI Security Standards Council announced recently that all three standards it controls will follow a three-year development lifecycle.


The PIN Transaction Security requirements, which specify how PINs are handled, already used the three-year cycle, with Version 3.0 coming out earlier this year.

The PCI Data Security Standard (PCI DSS) used a two-year cycle; the current cycle ends in October 2010. The PCI DSS is a set of requirements for protecting card data that covers procedures, policies, networking, software and other areas.

The Payment Application Data Security Standard (PA-DSS) also used a two-year cycle; the current cycle ends in October 2010. The PA-DSS is a set of best practices called the Payment Application Best Practices (PABP). The purpose of the PA-DSS is to help vendors and others build software that protects card data, including magnetic stripe data, CVV2 and PINs.

The reason for going to a three-year cycle is to allow more time for merchants, banks, processors and vendors to implement the standards and meet the requirements. It also allows more time for the council to receive feedback about the standards and to discuss that feedback at community meetings.

The council also continually evaluates new technology and threats and, if needed, makes changes to the standards or provides guidance. Bob Russo, general manager of the council, said, “The PCI Security Standards Council relies heavily on feedback from our participating organizations and the PCI community to create standards that strengthen the security of payment card data, and the input we’ve received has been overwhelmingly in favor of lengthening the lifecycle… Moving the revision cycles to three-year periods for all three existing standards ultimately means organizations have additional time to focus on making sure they have the appropriate processes and controls in place to secure cardholder data.”

PCI Security Standards Council home page: https://www.pcisecuritystandards.org/index.shtml