Well, they’ve always been changing, but a complete new set are due to be released this summer, according to CNET:
Today, the requirement is to make all information unreadable wherever it is stored,” Maxwell [director of e-Business and Emerging Technologies at MasterCard International] said. But this encryption requirement is causing so much trouble for merchants that credit card companies are having trouble dealing with requests for alternative measures, he said.
In response, changes to PCI will let companies replace encryption with other types of security technology, such as additional firewalls and access controls, Maxwell said. “There will be more-acceptable compensating and mitigating controls,” he said.
I’ll trade you encryption for a couple new firewalls. Wait, the whole monitoring thing is pretty hard to do as well. Can we trade logs and monitoring for a couple more firewalls?
Beware the silver bullet fallacy.
Do not believe what you read. The card associations have been fighting this mis-interpretation all week. There is no backpedaling on the issue of encryption.