The latest Payment Card Industry Data Security Standard - PCI DSS 3.2 - continues what industry experts call "an evolution, not a revolution."
That would make sense, since it is also "mature," by Internet historical standards.
The first official iteration, PCI DSS 1.0, was released in December 2004 - several generations ago in the IT era. And its roots go back another five years, to October 1999, when Visa established the Cardholder Information Security Program (CISP).
It also remains controversial. Its supporters say while nothing can make credit card transactions "bulletproof," its requirements have significantly lowered the risk of fraud and breaches.
Its critics have contended since the start that the standard, created by five major card brands - Visa, Mastercard, American Express, Discover and JCB - is mainly designed to shield the card issuers and banks from liability for loss, at the expense of merchants.
"We view PCI as the ultimate Catch 22 for most smaller businesses," said Liz Garner, vice president of the Merchant Advisory Group (MAG), who added that MAG calls the PCI requirements "specifications." "We don't say 'standards' because they aren't accredited.
"You spend a ton of capital and resources to become 'compliant,' but if you're breached you are no longer compliant, and become subject to thousands of dollars of fees and fines," she said. "Until that aspect of PCI changes, and small businesses that invest in compliance are offered some protections for their investment, I don't think PCI as an organization will be truly effective."
Rich Mogull, CEO and analyst at Securosis, a longtime critic of PCI DSS, agreed. The requirement for essentially constant compliance - a nearly impossible task - "is more to help push the blame back on enterprises that are breached than anything else," he said.
Of course, not everybody sees the merchants as overburdened. Alphonse Pascual, senior vice president, research director, head of fraud and security at Javelin Strategy and Research, argued that "the burden for protecting cardholder data rests with every stakeholder, and merchants should rightfully be responsible for meeting the requirements of PCI DSS when it is their systems that are responsible for storing and transmitting that data."
Julie Conroy, analyst with the Aite Group, said she thinks critics are "viewing this through the lens of compliance obligation versus security best practices. The reality is that criminals are innovating their attacks faster than businesses are fortifying their security.
"The new reality in this age of digital commerce and digital data is that businesses need to spend money to protect that data," she said.
And Jeremy King, international director at the PCI SSC, while not directly addressing the merchant complaints, said in a statement that protection against breaches "comes down to having and maintaining the right people, process and policies, with the technology in place to support those. PCI DSS 3.2 emphasizes the importance of validating that security controls are in place and working."