Merchants, processors, and others in the card industry will have more time to review and implement new versions of the Payment Card Industry data-security standard under a new schedule announced on Tuesday by the PCI Security Standards Council. With the revised schedule, the main standard and PA-DSS, the standard for payment card software applications, will be upgraded every three years, instead of every two years, beginning in October.
The current version of the standard—1.2—has been in effect since October 2008, with the next official release scheduled for October.
Under the new schedule, processors, merchants, and other industry players also will have up to 14 months to implement any new versions of the standard, says Robert Russo, general manager of the PCI council.
The council decided to extend the life cycle of the standard to three years based on feedback from its board of advisors, participating organizations and other industry players. The council previously had implemented a three-year life cycle for the PTS standard for PIN-entry devices.
By extending the life cycle of the standard to three years, “it gives us a little more time to get people familiar with the standard, to get people using the standard,” Russo says. “The more familiar people feel with the standard, the more likely they are to adhere to it or understand what’s going on.”
With the two-year cycle, industry players would give feedback on the new standard at two community meetings held in the U.S. and Europe. The council would receive informal feedback throughout the two-year period. A new standard would then be issued at the community meetings the following year.
With a three-year cycle, there will be one additional community meeting in both the U.S. and Europe to garner feedback during the second year, with the new standard issued at community meetings in the third year. Industry participants also could offer feedback on an informal basis throughout the three-year cycle.
“It’s an opportunity for us to have another community meeting in the middle year to basically give everyone an opportunity to get familiar with it, more opportunity to give us feedback,” Russo says.
The council also decided to postpone implementation of the new standard released in October until January 2011. Previously, the effective date of a new version fell immediately upon its October release.
“The timing didn’t seem right to let them do that,” Russo says. “From the end of October through the end of year, people are sort of in lockdown mode. Nobody is really changing anything or adding anything. Everybody’s concentrating on making a profit for the year.”
Under the new life cycle, the council also will give processors and merchants more time to implement the newest version of the standard, effectively “grandfathering in” the previous version for a 14-month period following the October release, Russo says.
“They’ll have an additional year to still use the older standard,” he says. “So if they’re six months into a one-year term, and they’re already preparing to do their next assessment, they don’t have to worry about using the new standard.”
However, the council will encourage merchants to adopt the newest standard as quickly as possible, he says.
“Basically, it gives them more time to get familiar, more time to get comfortable, and from our perspective, it’s more of a phased orderly kind of approach to getting these new versions out,” Russo says. “Rather than trying to do this in a speedy fashion, it is ‘let’s get it right as opposed to fast.’”
The upgrade to be released in October will likely be labeled Version 2.0. Any changes made during the three-year cycle to account for evolving trends or technology will be labeled 2.1, 2.2, and so on, Russo says.
“They’ll have pretty much a full year to get the standard implemented and more time for them to give us feedback on what they’re seeing,” he says. “That gives us additional time to consider emerging threats, new technology that might affect new versions going forward, and to look at market dynamics to see what’s actually going on in the industry instead of rushing to get a new standard.”
Under the new schedule, the next major upgrade to the standard will be published at the October community meetings in Orlando, Fla., and Barcelona, Spain, although summaries of major changes will be released throughout the summer, Russo says.
“People will have the opportunity to read about what some of these proposed changes are and understand them so that when we do get to the publishing date of the standard, there really won’t be any surprises,” he says.
Once published, the standard becomes effective Jan. 1, with implementation not mandatory until Dec. 31, 2011, when Version 1.2 is retired. “Hopefully many people will jump on board as soon as it’s available and start doing assessments to this new standard,” Russo says. “That will give them an opportunity to get familiar with it.”
Industry participants can give feedback at community meetings scheduled for September and October of 2011. After that, staff revisions will go to the board of advisors and working groups for review, with a final review scheduled for May through July of 2013.
The council is hosting webinars discussing the life cycle changes at its site at 3 p.m., Eastern Time, today, and 11 a.m. Eastern Time on Wednesday. Replays of the webinars will also be available at pcisecuritystandards.org.