RSA - PCI standard, a work in progress, gets the buzz

09.02.2007

But the standard "has done a lot more good than people think," he said. "The bar had to be raised because of all the breaches that are going on."

The consensus so far appears to be that "PCI is a good road map," said Seana Pitt, vice president of merchant policy and data quality at American Express. "But there are opportunities for more clarifications." Pitt chairs the PCI Security Standards Council, a recently created group responsible for developing and maintaining the standard.

For instance, finding a way to map PCI controls to established information security standards such as those from the International Standards Organization is an often-cited need, she said. There are also calls for more clarity on how the PCI council plans to enforce rules compliance.

Overall, PCI is leaving the payment industry better off than it was, said Gordon Rapkin, president of Protegrity Corp., a Stamford, Conn.-based security vendor. It has also "shaken money loose" for companies to invest in security.