PCI Council Adopts Unified Update Cycle For Its Standards

From the June 24, 2010, issue of ISO&Agent Weekly.

The move to a three-year cycle for updating the Payment Card Industry Security Standards Council’s three data-security standards will benefit merchants and the payments industry, says Bob Russo, council general manager.

The Wakefield, Mass.-based council on June 22 placed the update cycle for the PCI Data Security Standard on the same three-year timeframe as its PIN Transaction Security and Payment Application Data Security standards.

The council updated the PIN standard in May. It plans to update the two other standards in October.

Earlier this year, Russo said a common update cycle was a possibility when he announced that all three standards would be updated this year (ISO&Agent Weekly, 4/22).

Feedback, from merchants in particular, was one factor in the decision, Russo tells ISO&Agent Weekly.

Merchants, and others in the payments industry, want more time between standards updates to avoid getting their systems compliant with one standard only to have to immediately begin updating them for the next.

“More time to implement the standards, the more time to submit meaningful feedback,” Russo says.

Merchants’ feedback suggests they harbor some anxiety about standards updates because they fear the updates will knock them out of compliance, he says.

Now merchants will have more time to work with the standards, Russo says. “The merchants will feel more comfortable because they’ll have more time with [them] under their belts.”

The extended life of the PCI Data Security Standard also should elicit more feedback for the council, he says.

Each of the standards will follow an eight-step development process that includes soliciting feedback on proposed changes, retiring the older versions and evaluating changes in the payments industry, Russo says.
