A new set of updates to the Payment Card Industry Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS) will clarify some of the obligations of merchants to protect cardholder data, but does not include any major revisions.
"The aim is to get more clarity," said Bob Russo, the general manager of the Payment Card Industry Security Standards Council, the trade group that oversees the standards. "There are no additional requirements this time around."
The updates include clearer definitions of how merchants must prevent card account data from being accessible over their Internet connections, and recognize that issuers have a legitimate need to store sensitive authentication data. The adjustments also allow merchants to rank and prioritize the security vulnerabilities they must address.
The updates will be officially announced Oct. 28 and become effective Jan. 1, 2011.
The Wakefield, Mass., council drafted the updates after gathering about 900 comments from members of the payments industry, including comments from merchants. About half of the comments came from outside the U.S., Russo said.
A summary of the updates to the two standards, one covering all types of electronic payments made with cards and the other, PA-DSS, specific to payment software, is available now, and payments executives will be able to review the full standards starting in September.
The council updated its PIN Transaction Standard earlier this year. All three standards are now on a three-year life cycle.