The release of PCI DSS V2 is a welcome update, even though most of the changes from PCI DSS V1.2 are relatively minor. But there are a number of areas that PCI DSS has not addressed and that are critical to the security of credit card information. Some of these, such as the impact of virtualization and cloud, are already recognized as concerns. But at least one area has, as far as I know, not yet been put on the table for discussion. This area concerns best practices for protecting against increasingly sophisticated social engineering attacks. These attacks may attempt to steal credit card information directly. Or they may seek to install malware that can steal the information, such as through man-in-the-browser attacks.