But Pascual said that overall he sees real value in the update. "We have seen significant breaches in the past year that could have been avoided with the changes," he said. "Each change is relevant to the threat environment that businesses face."
There has also been considerable discussion in the wake of the breach at Target and other retailers like Neiman Marcus on why the U.S. has not moved to EMV (Europay, MasterCard and Visa) technology, which uses a computer chip and requires a PIN, rather than the magnetic stripe, and is considered more secure.
Expert views are mixed on this. Conroy said a change like that is not the role of the PCI standard. "The card networks are working on this separately, and trying to tackle it as part of the DSS would muddy the waters too much," she said.
Chuvakin called it "a nonstarter," and said it is not necessarily a sensible goal for the modern era since, "it does nothing to help ecommerce card fraud and theft."
And Camejo said U.S. consumers should be careful what they wish for, since EMV puts more of the liability burden on the consumer than on the bank or merchant. "For any transaction completed with EMV, consumers are liable for fraud losses unless they can prove that they are not responsible for a transaction," he said.
He also said there are vulnerabilities in the PIN system, and that it would be enormously expensive to shift to EMV in the U.S.
But then, Strand said the shift to EMV technology is already under way, "slow but sure."
Finally, experts stress that an update is not meant to imply that PCI DSS 3.0 addresses all current threats.
"I don't think that we can ever say that any of it is 'up to date' with the threats, because of how fast the threat environment is moving," Conroy said. "PCI 3.0 establishes some important fundamental practices that businesses should be implementing, but it should never be viewed as a panacea."
Chuvakin agreed. "The standard defines a base level of security rather than the level that is the absolute maximum. Think security floor, not ceiling," he said.
But he contends that compliance has real value, even if it can't keep up with an evolving, sophisticated threat landscape. "I am waiting for that one breach that affected a company that really did take PCI DSS to heart and did everything well," he said. "It just doesn't happen.
"A lot of people are outraged over the 'no PCI-compliant company has ever been breached' line that some on the SSC mentioned a few years ago, but I happen to actually believe that."
Sign up for Computerworld eNewsletters.