PCI DSS deadline is today, but is it really a deadline?
Analyst accuses credit card firms of giving out mixed messages
Visa mandate means big retail firms should be PCI DSS compliant tomorrow
Major payment card brand Visa's deadline for Level 1 merchants to be PCI DSS [version 1.2] compliant expires today, but in his Computing blog Quocirca analyst and director Bob Tarzey argues that the deadline is more nebulous than it seems.
The deadline itself has been described differently at different times: first as a deadline set by the PCI Security Standards Council (PCI SSC) itself, then as the introduction of a new version of the standard, and finally as a UK deadline for compliance.
However, as Tarzey said: "Go in search of the facts about the deadline and you may get frustrated; they are hard to pin down. First, as the PCI SSC clearly states in a FAQ document that has a high profile on its own web site – it does not impose deadlines."
He also makes the point that, as compliance is mandated by the payment card brands rather than by the Council, for most merchants the deadlines for validating compliance with the PCI DSS have already passed.
Finally, the five brands, namely Visa, Mastercard, Amex, JCB and Discover, mandate compliance with PCI DSS and set their own deadlines for validation of that compliance. Neither the PCI DSS nor any of the brands operates solely at the UK level, so Tarzey argues it is hard to see how there could be a UK deadline, unless an individual brand chose to set validation dates by country.
However, these concerns aside, the deadline is today according to Visa, and Visa's web site says Level 1 merchants must comply with it. Level 1 merchants are defined as those firms processing more than six million Visa card transactions annually across all acceptance channels, such as Tesco.
The fines do not stop at large retail outfits: Mathieu Gorge, chief executive of security consultancy VigiTrust, said that from today Visa will also be able to fine acquirers, the banks that process card payments on merchants' behalf.
Visa and Mastercard are the biggest payment card brands in the UK.
Currently PCI DSS is at version 1.2, but version 2.0 of the standard will ship on 28 October after being discussed at the Council's European Community Meeting in Barcelona, according to the PCI Security Standards Council. The updated standard will come into effect on 1 January 2011.
Again, there is little information available regarding whether or not retailers and acquirers need to update to this version of the standard.
PCI DSS 2.0 will include "additional guidance" on virtualisation, clarifying that virtual components (such as virtual machines and hypervisors) count as in-scope system components under the standard.