Security group stretching payment-card standards cycle to three years

22.06.2010
The Payment Card Industry Security Standards Council Tuesday announced it will begin moving to a three-year cycle related to the main technical standards it issues for protection of sensitive payment-card information, allowing merchants and others more time to adopt them.

The PCI Security Standards Council will issue its updated Data Security Standard (PCI DSS) as planned this October -- the current version is called and was issued October 2008. The anticipated new version of DSS has no official name or number assignment yet.


But instead of requiring the new DSS to go into effect immediately as the baseline for PCI compliance and assessment, as has been the custom in the past, it will not be effective until Jan. 1, 2011. In addition, future versions of DSS (which had been tracked on a two-year cycle), as well as the two other standards known as  and PIN Transaction Standard, will all be moving along a three-year review and issuance cycle.

"We've gotten that people want this," says Bob Russo, general manager of the PCI Security Standards Council. "It gives merchants more time to understand them. It gives us the ability to gather a lot more feedback, and consider market dynamics and emerging threats."

The official complete retirement of PCI DSS 1.2 is expected to be after Dec. 31, 2011. "We will sunset the old one, and it will be totally gone," Russo says. But the 14-month phase-out is intended to allow some merchants and others in the middle of a PCI DSS 1.2 assessment to continue with the process without disruption.