Regulatory changes are coming for the payment-card industry, say leaders of the PCI Security Standards Council, the global forum responsible for developing and implementing security standards for cardholder data protection.

The council, which has about 500 participants, just completed the annual process of electing its board of advisers.

Cisco and Citrix Systems were among the victorious candidates this week, winning a combined 14 elected positions on the 21-member advisory board, which will be providing feedback on upcoming initiatives.

Among these initiatives are possible new requirements around the use of virtualisation and wireless technologies, as well as more definitive answers on how to "scope," or set the limits of, a PCI assessment.

Still unclear is whether the council will back the concept of end-to-end encryption as a way for the industry to help fight payment-card fraud, such as the breach that struck Heartland Payment Systems earlier this year.

While no deadlines have been set, the council does expect this summer to take a stab at creating a guidance document for use of wireless, says Lib De Veyra, chair of the council. The main input for that effort will come from the Wireless Special Interest Group (SIG), headed up by Verifone.

It is also anticipated that by year-end there will be implementation guidelines on use of virtualisation technologies, according to Troy Leach, the council's technical director. Much of that input will come from the Virtualization SIG, headed by Bank of America.

The current set of data-security standards, PCI DSS 1.2, was issued last October, and the council is in a "feedback year" but likely to issue a "potential 1.3 or 2.0 standard" as a significant revision in 2010, says De Veyra, who is also vice president of emerging technologies at JCB Credit Card Co.

A new SIG, called the PCI Scoping SIG, has been set up to clarify how to architect a business network to prevent the wider part of it - which may not play a role in processing payment cards -- from falling under the scope of PCI requirements and assessments, Leach says. The PCI Scoping SIG is headed by PayPal, a subsidiary of eBay.

A fourth SIG, called Authorization and Pre-authorization, is headed by Exxon Mobile, and its job is to define security rules for cardholder data before and after it has been sent to a processor.

In addition, Leach says the council expects to name a technical firm it's selecting under a competitive review process to define a possible method the payment-card industry might use for end-to-end encryption.

There have been calls for use of end-to-end encryption as a defensive measure against criminal fraud where attackers are breaking into networks and grabbing sensitive cardholder data.

Heartland, which recently confirmed it has selected Voltage Security to help it build an end-to-end encryption system with its merchants, says it will soon make public more details about its plans.

Another new effort from the council will address the need for stricter requirements and certification for payment-card readers in unattended terminals - such as gasoline pumps - to protect personal identification numbers at point-of-sale devices.

"Make sure your vendor is supplying this type of equipment," Leach says. "There are approved devices now."