Hard as it may be to believe, PCI 2.0 is no longer all that "new." In fact, as of today, November 1, the official comment period is open. That means I want to hear from you on your experiences with PCI 2.0.
Both PCI DSS and PA-DSS have a three-year lifecycle. It has now been one year since both standards were aligned and version 2.0 became effective at the start of 2011. That means we are entering the comment phase where your experiences are important. Keep in mind that while the version has a three-year lifecycle, there are provisions for regular updates to reflect the experience of merchants, service providers, and vendors.
NACUBO, in partnership with the Treasury Institute, is a Participating Organization (PO) in the PCI Council. Tom Davis of Indiana University and I represent NACUBO - and by inference you - at Council meetings and deliberations. Therefore we want to hear what your experiences have been with PCI 2.0 so we can assemble our comments and get them to the Council.
There are a couple of things to understand. First, NACUBO gets to make five comments. That is, we can request clarification or changes or whatever to five PCI requirements. Tom is working the EDUCAUSE angle, and I am asking for comments through the Institute's blog. Maybe somebody can even post something on the PCI listserv? (hint, hint.)
I would like to ask you to organize your thoughts, experiences, and feedback on PCI 2.0. You can send comments directly either to me (wconway@403labs.com) or Tom (tdavis@iu.edu). If your school is already a Participating Organization, then be sure to get your whole PCI team together and have your voice heard. After all, that is one of the reasons you are paying to be involved in the Council.
Both of us, along with NACUBO and the Treasury Institute, look forward to receiving your comments.