Companies get checklist for complying with PCI standard

10.03.2009

The first of the six milestones outlined in the framework deals with the need for companies to purge sensitive card-authentication data from their systems and to limit the amount of data that they collect and retain. Among the measures that have to be implemented in this stage are purging magnetic-stripe data and PINs from systems, and disposing of data that is no longer needed via measures such as shredding.

The second milestone involves firewalls and other controls for securing the perimeter of networks, while the third focuses on Web application security and the fourth on network monitoring and access control. The fifth and sixth milestones include measures for protecting cardholder data via physical and virtual controls and implementing change-control and auditing mechanisms, respectively.

According to Russo, the milestones give companies a more organized way to achieve compliance while also ensuring that the highest-risk security issues are addressed first. And, he said, a spreadsheet-based tool released with the framework will enable companies to plot their progress against the milestones and let auditors get a quick snapshot of the compliance status of their clients.

The release of the framework also comes at a time when an unabated stream of data breaches - including two recent ones at payment processors and RBS WorldPay Inc. - is again raising questions about the .

In the past, Russo has asserted that there's nothing wrong with the standard itself and that the controls it mandates are adequate for meeting current threats. Last year, the council added and a new standard for PIN entry devices, while also releasing a .