The Payment Card Industry Data Security Standard (PCI DSS), in force since June 30, 2005, applies to the payment card industry worldwide; it consolidated the separate security programs that MasterCard, Visa, and the other card brands had previously run into a single standard for protecting payment-card systems and cardholder data. In September 2006 the newly formed PCI Security Standards Council issued version 1.1 of the standard* to clarify and make minor revisions to PCI 1.0. This revision introduced several changes to the original specification:
- A new section articulating the specific data elements of cardholder information and associated requirements for storage and protection
- Clarifications on required timeframes used in the requirements
- Clarification on requirements as they apply to Hosting Providers
- New guidance on compensating controls that may be accepted from organizations that cannot legitimately meet the PCI 1.0 requirement to render stored cardholder data unreadable (Requirement 3.4); a compensating control must be documented and reviewed by the assessor rather than simply asserted
- A new requirement (6.6) for an application-layer firewall in front of public-facing web applications, or alternatively an application code review, treated as a best practice until June 30, 2008, after which it becomes mandatory
- General clarification of previously vague language
Version 1.1 supersedes PCI 1.0. PCI 1.0 may still be used for compliance validation through December 31, 2006; after that date, validation must be performed against PCI 1.1.
*Source: Payment Card Industry (PCI) Data Security Standard, version 1.1, PCI Security Standards Council LLC, Wakefield, Massachusetts, USA, September 2006.