RSA - PCI standard, a work in progress, gets the buzz

09.02.2007
Judging by the buzz at this week's RSA Conference, few data security standards have attracted as much attention in enterprise IT shops as the Payment Card Industry (PCI) data security standard.

PCI is being pushed by Visa USA, MasterCard International, American Express and the JCB International Credit Card Co. and has emerged as a leading example of private industry's effort to regulate itself in the wake of major data breaches.

It prescribes a set of 12 security controls, such as encryption, access management and transaction logging, with which all entities that process payment cards are expected to comply. PCI went into broad effect more than 18 months ago, but it was only after the credit card companies warned in December that they would start assessing stiff fines for noncompliance beginning in October that many companies began paying serious attention to the rules.

So far, the verdict on how effective the standard is appears mixed -- at least among those attending the RSA show.

Some worried that by stipulating specific controls rather than broad security objectives, PCI may be unnecessarily restricting corporate options. Others argued that the rules are too tough for the smaller vendors. One of the biggest fears was that the rules would essentially force giant retailers, midsized merchants and mom-and-pop shops to all become security experts.

"I see pushback from the information security community," said Lynn Goodendorf, vice president of information privacy protection at Intercontinental Hotels Group, the Atlanta-based owner of brands such as Holiday Inn and Crowne Plaza hotels. "I am surprised by it, but I do feel that there has been some resistance" to the idea of implementing specific technology controls dictated by an external entity.