The PCI Security Standards Council announced another building block in its set of payment industry security standards. This one covers applications -- specifically those developed and then distributed to third parties -- that handle credit card data. A draft has been released (not publicly) for review. Final release is expected in a few months (Q1 2008). Official press release here. The official FAQ is here.
The new standard (called PA-DSS) is based on Visa's existing best practices for applications, which can be found here (scroll down to the bottom and you'll find a link to the document, or just click here). Thus, even though the new standard isn't released yet, one can get a preview by reading through that document.
Some more coverage here and here.
- Does not apply to applications developed internally by merchants (these remain subject to PCI DSS)
- Based on existing Visa "Payment Application Best Practices"
- Will be publicly released in Q1 2008