PCI Standards Lifecycle Update
Bob Russo, General Manager
PCI Security Standards Council
June 2010

AGENDA
• PCI SSC Standards Development
• Current Standards Lifecycle
• New Three Year Standards Lifecycle
• PCI SSC Resources

PCI Security Standards Development

About the Council
• Open, global forum
• Founded 2006
• Responsible for PCI Security Standards
  – Development
  – Management
  – Education
  – Awareness

PCI Standards

Current PCI Standards Lifecycle

Feedback - We Heard You!
ASV, Financial Institution, Merchant, Other, POS Vendor, Processor, QSA

Move to Three Year Lifecycle

Three Year Lifecycle

Lifecycle for Changes to PCI DSS and PA-DSS
Stage 1 – Standards Published
Stage 2 – Standards Effective
Stage 3 – Market Implementation
Stage 4 – Feedback Begins
Stage 5 – Old Standards Retired
Stage 6 – Feedback Review
Stage 7 – Draft Revisions
Stage 8 – Final Review

Ongoing Evaluation

Community Meetings

Lifecycle for Changes to PTS

Implementation

Feedback

PCI SSC Resources

Need More Information?

Fact Sheets

Council Resources
• Security standards and supporting documents
• Quick Reference Guide
• Searchable Frequently Asked Questions
• List of approved PED Labs, QSAs, ASVs, PA-QSAs,
• Education and outreach - e.g., fact sheets, webinars
• Participating membership, meetings, collaboration
• A global voice for the industry

Summary
• The three year lifecycle streamlines the standards development process by aligning DSS, PA-DSS and PTS on a similar three year schedule
  – Phased, orderly introduction of new versions of the standard prevents organizations from becoming noncompliant when changes are published
  – Longer time for stakeholders to implement standards
  – More time for members to submit feedback
  – Additional time to consider market dynamics, emerging threats and new technologies before issuing new version
  – Greater transparency into the development process, makes sure there are no surprises

Thank You