The Payment Card Industry Security Standards Council will update all three of its standards this year, and it eventually may place all on a three-year update cycle, says Bob Russo, the council’s general manager.
The council expects the first update to be for the PIN Transaction Security standard for devices that use PIN pads by the end of this month, and then it would revise the Payment Application Data Security Standard and the PCI Data Security Standard in October, Russo tells PaymentsSource. The PA-DSS is for software used in point-of-sale systems, while the PCI DSS is the umbrella standard for all payment devices.
So far, the global payments industry wants further clarification of information in the standards, additional guidance on security issues and to know how the standards will evolve, Russo says. The revised standards will respond to those requests, he says.
The payments industry should not read too much into the revision numbers in the names of the updated standards, Russo says. For example, the PCI DSS is now version 1.2, but the council may adopt a 2.0 name. Such a change should not be viewed as a wholesale reworking of the standard, Russo says.
The council also may move the revision cycles to three-year periods for all three existing standards to simplify tracking and use, Russo says.
Currently, the council updates PCI DSS every two years and the PTS and PA-DSS every three years. Russo says the council has not yet made a final decision.
Because of the work this year to update the existing standards, the council has not started work on standards covering emerging mobile-payment devices, such as smartphones, Russo says. “Ultimately, we will get to these devices because they accept card payments,” he says.
The council also is not yet working on a standard governing advanced encryption, often labeled “end-to-end” encryption or tokenization, he says. Part of the reason is that scores of companies have developed proprietary versions of these services, and no interoperability exists between them, Russo says.
The council expects to issue some guidance on these two services later this year, he says.
Changes also may be in store for the self-assessment questionnaire, which merchants use to measure their compliance with the PCI standards.
The council could develop an additional questionnaire (there are now four) for the smallest merchants, Russo says. Visa Inc. estimates there are approximately 5 million of these merchants, and acquirers are responsible for ensuring they meet PCI compliance.
The council also may develop an online tool to help merchants determine the correct questionnaire they should use, Russo says. Similar tools, known as “wizards,” ask users simple questions to determine an appropriate product or service to use.
“We need to find something that will work for everybody,” Russo says.
With all of these changes and possibilities in motion this year, the council does not intend to “surprise” the industry with changes all at once, Russo says. “We will release different pieces in the summer so everyone knows what’s coming up,” he says. “We’re not going to leave anybody in the dark.”