What’s the history of PCI DSS?

November 15, 2022

When you accept credit cards, debit cards and other forms of electronic payments, your business connects to a complex system of issuing banks, card brand networks and credit card processors. In an age where fraud takes a financial toll on everyone, connecting to that system means meeting a minimum set of standards to help protect sensitive data.

Every merchant that accepts credit card payments must be in compliance with PCI DSS.

What does PCI DSS stand for?

PCI DSS stands for Payment Card Industry Data Security Standards and includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.

Is PCI DSS mandatory?

Yes. Merchants who accept, process or store card data must comply with PCI DSS. Failure to comply with PCI mandates leaves businesses vulnerable to the negative impacts of data breaches including fines, fees and lost business.

Electronic payments have undergone a revolution over the last two decades. How have payment security standards kept up with those changes? How has the industry responded to threats from data breaches and fraud? To answer those questions and more, we first need to explore the history of PCI DSS and payment security standards.

What were the first payment security standards?

The Payment Card Institute as we know it today was established in 2004. However, the common roots of today’s payment security standards date back even further.

The late 1990s saw the emerging internet evolve to embrace online shopping. The early days of e-commerce gave rise to great excitement from retailers and consumers alike. Unfortunately, fraudsters soon followed. They were sophisticated, tech-savvy, increasingly organized and determined to cause financial harm for their own ends.

Visa was the first of the major card companies to attempt to establish a set of security standards for businesses that accepted payments online. The company’s Cardholder Information Security Program (CISP) was announced in 1999 and first implemented in 2001 as a means to “protect Visa cardholder data by ensuring clients, merchants and service providers maintain the highest information security standard.”

Mastercard, American Express and Discover quickly followed suit, establishing their own unique security programs. Merchants who accepted multiple credit card brands were faced with a variety of security compliance programs.

This lack of a unified standard caused confusion among merchants, many of whom struggled to achieve compliance. To make this logistical nightmare worse, the industry saw a series of high-profile data breaches and losses from online fraud. Everything pointed to the urgent need for a coordinated response.

When was PCI DSS introduced?

The history of PCI DSS begins in 2004. As payment fraud began to rise, credit card industry leaders convened to develop a common set of security standards. The PCI’s founding members – American Express, Discover Financial Services, JCB International, Mastercard and Visa – introduced PCI DSS 1.0 in December 2004. All merchants accepting credit cards as well as other payment processing organizations were required to comply with the new standard.

Version 1.1 followed in 2006, calling for merchants to review all online applications and establish firewalls for added security. Version 1.1 also saw the creation of the PCI Security Standards Council (PCI SSC), an independent group that would oversee the standards moving forward. Since then, these standards have continued to adapt to new trends, technology and security threats.

How has PCI DSS evolved?

The PCI SSC continues to regularly update the standard to reflect current best practices. In October 2008, version 1.2 established guidance for protecting wireless networks and implementing antivirus software.

After that first chapter in 2004, PCI DSS 2.0 was introduced in October 2010 to streamline the assessment process. PCI DSS version 3.0 went into effect in January 2015, emphasizing three major areas: increased security education and awareness among all employees of organizations that accept credit cards; greater flexibility for secure authentication methods; and a renewed focus on security as a shared responsibility in the age of multiple third-party touchpoints.

PCI DSS 3.2.1 was released in May 2018 and introduced five new sub-requirements for service providers, including requirements relating to multi-factor authentication as well as new appendices on the migration of Secure Sockets Layer (SSL) / early Transport Layer Security (TLS).

What is the current PCI DSS standard?

PCI DSS 4.0 was released on March 31, 2022, and is set to fully replace PCI DSS 3.2.1 on March 31, 2024. This overhaul expands risk analysis expectations and offers further customization to the specific needs of each business attempting to achieve compliance. It also increases the level of critical control testing, adds technology advancement requirements and requires more stringent security standards across the board.

How do I know if my business is PCI DSS compliant?

Your business should meet the principal requirements of PCI DSS compliance. These include:

  • Building and maintaining a secure network and systems
  • Protecting account data
  • Maintaining a vulnerability management program
  • Implementing strong access control measures
  • Regularly monitoring and testing networks
  • Maintaining an Information Security Policy

Refer to our PCI DSS compliance checklist to learn more about the requirements.

Who can help your business stay compliant with PCI DSS?

We help businesses make compliance with PCI DSS requirements easy. Our tokenization solutions help merchants safely remove cardholder data from their environments, replacing it with tokenized values that are valuable to you but worthless to fraudsters. That helps preserve business intelligence, eliminate reputational risks and reduce PCI scope.