Payment card industry changes standards--for the better or worse?
C|NET reports:
Proposed new security rules for credit card-accepting businesses will put more scrutiny on software, but let them off the hook on encryption.
The update to the Payment Card Industry (PCI) Data Security Standard, due this summer, responds to evolving attacks as well as to challenges some businesses have with the encryption of consumer data. The proposed update includes a requirement to, by mid-2008, scan payment software for vulnerabilities… Currently, merchants are required to validate only that there are no security holes in their network. While security stands to benefit from a broader vulnerability scan, another proposed change to the security rules may hurt security of consumer data, critics said. The new version of PCI will offer merchants more alternatives to encryption as a way to secure consumer data.
Paul Simmonds from the Jericho Forum retorts,
“It basically means that if you hack the system, you get the data… I can't think of a good alternative for encryption.”
To learn more about the PCI security standard, go here.



