Fintech Insights

What’s the history of PCI DSS?


July 22, 2019

When you accept credit cards, debit cards and other form of electronic payments, your business connects to a complex system of issuing banks, card brand networks and credit card processors. In an age where fraud takes a financial toll on everyone, connecting to that system means meeting a minimum set of standards to help protect sensitive data.

Every merchant that accepts credit card payments must be in compliance with the Payment Card Industry Data Security Standards (PCI DSS). PCI DSS includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. Failure to comply with PCI mandates leaves businesses vulnerable to the negative impacts of data breaches including fines, fees and lost business.

Electronic payments have witnessed a revolution over the last two decades. How have payment security standards kept up with those changes? How has the industry responded to threats from data breaches and fraud? Let's explore the history of PCI DSS and payment security standards.

What were the first payment security standards?

The Payment Card Institute as we know it today was established in 2004. However, the common roots of today’s payment security standards date back even longer.

The late 1990s saw the emerging web-driven internet evolve to embrace online shopping. Those early days of eCommerce gave rise to great excitement from retailers and consumers alike. Unfortunately fraudsters soon followed. Fraudsters were sophisticated, technology-savvy, increasingly organized and determined to cause financial harm to the economy.

Visa was the first of the major card companies to attempt to establish a set of security standards for businesses that accepted payments online. Visa’s Cardholder Information Security Program (CISP) was announced in 1999 and first implemented in 2001 as a means to “protect Visa cardholder data by ensuring clients, merchants, and service providers maintain the highest information security standard.”

Mastercard, American Express, and Discover quickly followed suit, founding their own unique security programs. Merchants that accepted multiple credit card brands were faced with multiple security compliance programs.

The lack of a unified standards caused confusion among merchants, many of whom struggled to achieve compliance. The recent history of high-profile data breaches and losses from online fraud pointed to the urgent need for a coordinated response.

When was PCI DSS introduced?

The history of PCI-DSS begins in 2004. As payment fraud began to rise, credit card industry leaders convened to develop a common set of security standards. The PCI’s founding members—American Express, Discover Financial Services, JCB International, Mastercard and Visa—introduced PCI DSS 1.0 in December 2004. All merchants accepting credit cards as well as other payment processing organizations were required to comply with the new standard.

Version 1.1 followed in 2006, calling for merchants to review all online applications and establish firewalls for added security. Version 1.1 also saw the creation of the PCI Security Standards Council (PCI SSC), an independent group that would oversee the standards moving forward.

How has PCI DSS evolved?

The PCI SSC continues to regularly update the standard to reflect current best practices. In October 2008, version 1.2 established guidance for protecting wireless networks and implementing antivirus software.

The first chapter in the history of PCI DSS came in 2004. PCI DSS 2.0 was introduced in October 2010 that sought to streamline the assessment process. PCI DSS version 3.0 went into effect in January 2015, emphasizing three major areas: increased security education and awareness among all employees of organizations that accept credit cards; greater flexibility for secure authentication methods; and a renewed focus in the age of multiple third-party touchpoints on security as a shared responsibility.

The current (May 2019) version of PCI DSS is 3.2.1. Released in May 2018, PCI DSS 3.2.1 sees five new sub-requirements for service providers, including requirements relating to multi-factor authentication, as well as new appendices on the migration of Secure Sockets Layer (SSL) / early Transport Layer Security (TLS).

Who can help your business stay compliant with PCI DSS?

We help businesses make compliance with PCI DSS requirements easy. Our tokenization solutions helps merchants safely remove cardholder data from their environments, replacing it with tokenized values that are valuable to you, but worthless to fraudsters. That helps preserve business intelligence, eliminate reputational risks and reducing PCI scope.