The extra year between new versions of the PCI DSS, PA-DSS, and PCI DTS standards came in response to complaints from merchants and others in the secure payment industry that the current schedule of releasing new requirements every two years was too tight.
"We're looking at a phased, orderly introduction of new standards. This gives the stakeholders more time to get familiar with them and implement them," says Bob Russo, general manager of the PCI Security Standards Council. "This [decision was] based on direct feedback and a lot of input we had from a myriad of places ... This gives merchants a lot of time to absorb what's coming out."
The PCI Council also shifted the date the standards take effect from its current fall time frame to after the holiday season. "Merchants go into a lockdown period in late September, and their systems basically stay static from there. They are heads down for Black Friday," Russo says. So the latest PCI standards won't go into effect until the first of the year.
Russo expects the three-year cycle to improve PCI compliance rates as well. "This gives them more of an opportunity to understand the standards a little more, and to have an additional feedback period," he says.
To date, VISA reports a 90 percent compliance rate among Level 1 merchants in the U.S., and about 85 to 90 percent for U.S. Level 2 merchants. "That's higher than we were two years ago," Russo notes.
Meanwhile, security experts say the new three-year PCI cycle isn't a major change, but should make PCI less onerous, especially for smaller merchants. "This was an easy thing for them to do for themselves and for the merchant community," says Avivah Litan, vice president and distinguished analyst at Gartner. "Merchants complain that they don't want to start with Step A and then only to find a new requirement for Step B ... the perception is that the PCI standard is a moving target that's always changing."
Litan says the three-year stretch shouldn't pose a problem for the PCI standards to keep up with the rapid pace of morphing malware and attacks, as well as emerging technologies. "They have the right to issue updates, and they have pretty much covered security from A to Z," she says. "I don't see them coming up with brand-new technology environments except in the mobile world," for instance, she says.
The PCI Council's Russo says the three-year cycle will give the organization more time to study new technologies. "We [still] have the ability to react quickly if there's a major threat that we see," Russo says. "As newer technologies are more apparent out there, we can put out a supplemental standard."
Russo says the PCI Council is working to change the mindset of the standards as a "checkbox." "We want them to think about security" rather than a checkbox, he says. "We're seeing rates of compliance go way up as people become educated on what the standard is."