Revised PCI Rules Scheduled for October Release

Revised rules for payment card security will be released in October, the PCI Council announced recently.

Version 1.2 of the Payment Card Security Industry data security standard, known as PCI DSS or just PCI, will be a moderate upgrade from the current version 1.1 which was released in Sept. 2006.

The major payment card networks, American Express, Discover, Japan’s JCB, MasterCard, and Visa, joined together in 2006 to create the PCI standards. The group also instituted the PCI Council to oversee the implementation of the standards. The council’s initial focus has been ensuring that card-accepting merchants reach and maintain PCI standards. The council is based in Wakefield, Mass.

A recent report from TowerGroup found that Level 1 merchants, defined as those conducting more than 6 million card transactions annually, achieved a PCI compliance rate of nearly 80 percent in 2007 (“STORY,”). Level 2 merchants, conducting 150,000 to 6 million card transactions a year, had a compliance level of 65 percent last year.

The council plans to turn its attention to improving the compliance rate among Level 3 and Level 4 merchants.

TowerGroup reported that firms categorized as falling under the account receivables management industry umbrella are among the next group of service providers that need further guidance to meet PCI standards.

The report, “Extending Influence of Data Security into the Card Ecosystem: The Next Trend in PCI Compliance,” listed the firms as collection agencies, debt buyers, call center service firms, reward fulfillment companies, direct marketing vendors, and print and digital media companies.

The six industries are strongly integrated with the payment card industry, according to report author Brian Riley, TowerGroup senior analyst. These industries constitute PCI “Security Hot Spots” because many companies still don’t meet the security standards, according to Riley.

He recommends these firms implement several safeguards to begin meeting PCI standards, including instituting strong access controls, conducting vulnerability management, and ensuring the protection of stored cardholder data.