Fresh PCI-DSS guidance coming soon



For the Payment Card Industry Data Security Standard (PCI-DSS), 2009 was a horrific year, given the headline-grabbing data breaches at Heartland Payment Systems and, before it, TJ Maxx. The nadir for the standard, first released in December 2004 (it seems like a long time ago), might have been the Congressional hearings back in April, when one lawmaker declared: "I do want to dispel the myth once and for all that PCI compliance is enough to keep a company secure." Ouch. It's a true statement. Still, it sort of hurts.

But Visa and the other card brands (MasterCard, American Express, Discover and JCB, the Japan Credit Bureau) did not roll over. They got right back to work, and the fruit of that labor will be on display soon. The PCI Security Standards Council has effectively announced that a summary of the changes in the next iteration of the standard will be issued in early summer. The new version would likely go into effect around October.

The new guidelines will likely address the issues everyone expects them to: end-to-end encryption, tokenization and virtualization technologies. The emphasis will be on practical guidance that companies can use immediately. The hope, of course, is that the new iteration will actually enhance security rather than just add paperwork.

But the group has a ways to go in instilling confidence. A recent survey stated, "PCI standards represent the credit card industry's attempt to self-regulate the storage and protection of credit card data," and asked respondents how they viewed them. More than 37 percent chose the answer "helpful and necessary." But nearly as many (33 percent) chose the answer "confusing and a waste of money."

While the standard faces a lot of challenges, many of them related to PR, I do think most people appreciate this attempt at self-regulation. That said, there are a number of clarifications that people will be looking for.

One issue is end-to-end encryption. We've noted that Heartland Payment Systems has mounted an aggressive effort to roll out such a technology, moving out ahead of PCI. Given the firm's heft, some may see it as a de facto standard. It will be interesting to see how the new PCI version deals with it. My guess is that the two will end up being somehow compatible. But you never know. - Jim