Permit/Deny Ziff Davis Enterprise
Thursday, May 15, 2008 6:49 PM/EST

PCI compliance regs slated for facelift in Oct. 08

Yesterday (5/14/08) the PCI Standards Council, the body that oversees the Payment Card Industry Data Security Standard (PCI DSS) announced the formal timeline for releasing version 1.2 of the specification in October of this year.

PCI DSS was last revised in September 2006 and is still one of the most interesting security mandates in the IT industry. It is specific, it has no legal standing (i.e. it isn't mandated by legislation) and it carries clear and enforceable punishments for non-compliance.

Version 1.2 eliminates some overlap in various parts of the standard. What exactly is in 1.2 will be revealed at a webcast on May 22 that I'll be attending and reporting on.

The challenge is driving security into the previously unregulated consumer retail space, a space of high-volume, relatively low-value transactions in which buyers and sellers can have no previous knowledge of each other.

One countervailing pressure has come into play to push back against implementing a really toothy PCI DSS. The banks and card issuers have thus far been successful in making sure that consumers bear identity recovery costs. So, while fraudulent charges are absorbed by the banks, the much higher cost of identity recovery is left in the hands of the victims. In fact, it's gotten bad enough that identity recovery has been turned into a product that is sold to consumers like insurance.


But countervailing tendencies are just that, factors that influence but don't controvert the main thrust of a trend. In this case, PCI DSS 1.2 is a clear recognition that vendors who accept credit card data must demonstrate some semblance of care when processing card data.

There are ways for IT managers to minimize costs while complying with PCI DSS today and when the revised standard is issued in October. Come hear my keynote address on compliance at the Ziff Davis Enterprise Virtual Tradeshow on June 24 to get my thoughts on what compliance means for our best practice approach to supporting business process with the best available technology.

For more IT-related content on the blogosphere, check out www.ithub.com
