Friday | 10 July, 2009
CSO
PCI standards body moves ahead on payment-application cert
PCI formally launches its payment-application security program
Ellen Messmer (Network World) 17/04/2008 08:21:37

These PAQSAs would be expected to play a role in evaluating applications at businesses handling credit- and debit-card information.

Some companies are taking novel approaches to tackling PCI requirements.

At the RSA Conference last week, security professionals from office-supply store chain Staples presented a session on masking the 13- to 19-digit codes on a credit card -- known as "Primary Account Numbers" -- as they're used in business operations and across the network.

The data masking began after a lengthy effort to map PCI compliance to how Staples' business operations actually work, in order to find out where card data is really used.

Christopher Dunning, director of enterprise information security at Staples, described an ongoing internal effort that involves using technology which RSA, the security division of EMC, helped develop with Staples to scramble live card data as a one-way hash.

Dunning called it "Data Aliasing Technology," which works by having applications use specialized tokens called "alias numbers" in place of credit card numbers. These card aliases have the effect of "limiting the scope of PCI," says Dunning, because the real card numbers aren't in use.

Ed Kelliher, enterprise information security architect at Staples, said the data protection model the office-supply company is forging, based on aliasing through scrambling live data, effectively denies access to the card data.

Data aliasing is "eclipsing the encryption rush to judgment," Kelliher noted, pointing out the data-hashing method offers a viable alternative to more widely used types of encryption. Both Kelliher and Dunning said they believe data aliasing could be widely adopted to meet PCI data-protection requirements.
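
The aliasing idea described above, sketched as an added example (not code from Staples, RSA or the original article): a keyed one-way hash turns a card number into an alias token, alongside a masked display form. The HMAC construction, demo key, alias format, first-six/last-four mask and all function names are assumptions, since the article gives no implementation details.

```python
import hashlib
import hmac
import re

# Constructed demo key (assumption); a real key belongs in an HSM or key manager.
DEMO_KEY = b"constructed-demo-key"


def normalize_pan(raw: str) -> str:
    """Strip spaces and dashes, then enforce the 13 to 19 digit PAN length."""
    digits = re.sub(r"[ -]", "", raw)
    if not re.fullmatch(r"[0-9]{13,19}", digits):
        raise ValueError("not a 13 to 19 digit account number")
    return digits


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: rejects mistyped or garbage input before aliasing."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: keep first six and last four digits, mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def alias_pan(raw: str, key: bytes = DEMO_KEY) -> str:
    """Return a deterministic one-way alias that applications store instead of the PAN."""
    pan = normalize_pan(raw)
    if not luhn_valid(pan):
        raise ValueError("failed Luhn check")
    # Keyed HMAC rather than a bare hash: the PAN space is small, so an
    # unkeyed digest of a card number offers little protection on its own.
    digest = hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()
    return "alias_" + digest[:32]


if __name__ == "__main__":
    sample = "4111 1111 1111 1111"  # constructed input: a well-known test number
    print(mask_pan(normalize_pan(sample)), alias_pan(sample))
```

Because the alias is deterministic for a given key, applications can still join and look up records by alias without ever holding the real card number.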
