PCI SSC Stretches Payment-Card Standards Cycle to Three Years

Lengthened cycle will allow merchants more time to understand and implement the PCI data security standards.

June 24, 2010

FRAMINGHAM, MA - The Payment Card Industry Security Standards Council (PCI SSC) announced earlier this week that it will move to a three-year cycle for its main security standards, allowing retailers more time to adopt them, Network World reports.

The PCI SSC is scheduled to update its Data Security Standard (PCI DSS) this October; the current standards were issued in October 2008. However, the new DSS will not take effect until January 1, 2011, whereas previous versions took effect immediately upon release. In addition, future DSS versions, which had been tracked on a two-year cycle, as well as the Payment Application DSS and PIN Transaction Standard, will all move to a three-year issuance cycle.

"We've gotten feedback that people want this," said Bob Russo, general manager of the PCI Security Standards Council. "It gives merchants more time to understand them. It gives us the ability to gather a lot more feedback, and consider market dynamics and emerging threats."

Feedback on the upcoming standards is expected to culminate in mid-2012, with the goal of issuing a summary of changes in mid-2013, followed by an October 2013 publication of updated standards.

NACS and PCATS have submitted a significant proposal to reduce the complexity of PCI compliance by broadening the qualifications for small merchants to comply through the simpler Self Assessment Questionnaire (SAQ) C, with the announcement of adoption by the Council coming at this Fall's Community Meeting.

"This proposal, the result of hundreds of industry hours of volunteer work, would allow the majority of small merchants in all retail segments to use the SAQ with 45 questions versus the current requirement of the SAQ D," said Gray Taylor, Card Payments Consultant to NACS and Executive Director of PCATS. "If the Council adopts this proposal, it would save the small merchants in our retail segment close to $100M in lost productivity and greatly increase compliance. It's like the difference between IRS 1040 long form and 1040EZ."

Check out all of the NACS PCI compliance resources.
