There was a time when card readers were non-existent and businesses had to call credit card companies to verify your card information. The Payment Card Industry Data Security Standard (PCI DSS) is, in part, one of the reasons for today’s simplified and more secure process of using cards to make transactions. 

PCI DSS was born out of a need for an internationally uniform standard to make card transactions more secure for both the business and the customer. 

Below, we examine the history of PCI DSS, what inspired its creation, and the future of PCI compliance. 

While PCI DSS is a well-known standard for anyone involved in card transactions, it has come a long way since it first debuted in the early 2000s. Below, we dig into what led to the PCI DSS and how it has evolved.

What is PCI DSS?

The PCI Data Security Standard sets security guidelines for companies that store, process, transmit, or could impact the security of cardholder data and/or sensitive authentication data.

PCI DSS compliance is required of any merchant or service provider that handles credit card transactions and cardholder data.

Compliance means meeting all 12 PCI DSS requirements that involve network security measures and internal security controls, such as restricting user access to cardholder data and maintaining information security policies. 

Who developed PCI?

The PCI’s founding members are American Express, Discover Financial Services, JCB International, Mastercard, and Visa. Together, these five major credit card brands make up the Payment Card Industry Security Standards Council (PCI SSC).

When was PCI DSS introduced?

PCI DSS was first introduced in December 2004. Prior to this, Visa was the first major payment card company to establish its own set of security standards for businesses accepting payments online in 2001. 

Other payment companies followed suit, but each payment company began requiring their own set of security standards. Merchants struggled to meet compliance requirements to accept multiple card payment brands.

The founding members of the PCI SSC came together to establish a uniform way to regulate payment security among merchants and service providers. This led to the first iteration of PCI DSS, which was named PCI DSS 1.0. 

Why was PCI developed?

PCI DSS was developed because of the introduction of online shopping and rising credit card fraud in the late 1990s and early 2000s. 

As small businesses and large companies alike scrambled to open online shopping websites, payment security was not often top of mind. The lack of security measures that are commonplace on e-commerce sites today, such as using firewalls and encrypting cardholder data, were not as well-known or understood in the early aughts.  

According to CyberSource, in the year 2000 alone, North American online merchants lost an average of 3.6% of their sales to stolen or fraudulent credit cards.

With both businesses and payment card companies feeling the impact of e-commerce credit card fraud, industry giants such as Visa, Mastercard, and American Express banded together to create a global security standard that would protect card payments and encourage safer cardholder data practices.

A timeline of PCI DSS

From the first version of PCI DSS 1.0 to today, the international standard has evolved to keep up with the state of e-commerce and more sophisticated cyber threats.

The many revisions below demonstrate the continuous effort to encourage and enhance payment account data security and facilitate the broad adoption of consistent data security requirements globally. 

Below, we dive into the timeline of PCI DSS since its creation and take a look at what’s to come. 

• December 2004: PCI DSS 1.0 is introduced. 
• September 2006: PCI DSS v1.1 requires firewalls for web-facing applications and custom application code to be professionally reviewed. 
• October 2008: PCI DSS v1.2 includes new antivirus software and wireless network defense requirements.  
• August 2009: PCI DSS v1.2.1 provides clarity and consistency among standards and documentation. 
• October 2010: PCI DSS v2.0 introduces data encryption guidelines and user access restrictions. 
• November 2013: PCI DSS v3.0 provides information on emerging cloud-based technologies and guidelines on penetration testing.  
• April 2015: PCI DSS v3.1 provides a short-term update to allow merchants and service providers to make compliance updates to prepare for PCI DSS v3.2. 
• April 2016: PCI DSS v3.2 introduces guidelines around multi-factor authentication (MFA) and internal and external scans. 
• May 2018: PCI DSS v3.2.1 provides clarification and revises some of the standard requirements in the original PCI DSS 1.0. 
• March 2022: PCI DSS v4.0 includes expanded MFA requirements, clearly defined roles and responsibilities for each requirement, and new e-commerce and phishing requirements to address ongoing threats. 
• March 2024: PCI DSS v3.2.1 is retired and replaced with v4.0. 
• June 2024: PCI DSS v4.0.1 is released. This limited revision includes corrections to formatting and typographical errors and clarification of the focus and intent of some of the requirements and guidance. 
• December 2024: PCI DSS v4.0 will be retired and v4.0.1 will become the only active version of the standard.
• March 2025: Future-dated PCI DSS v4.0 requirements will officially become effective.*

*Note: These dates are based on projections from the PCI SSC and may be subject to change.

Additional PCI SSC standards

Over the years, the PCI SSC has released additional standards that cover aspects of cardholder security not included within the PCI DSS. 

Payment Application Data Security Standard (PA-DSS)

PA-DSS was created to provide security guidelines that help companies such as software vendors build compliant payment applications for merchants and service providers. 

Unlike PCI DSS that requires compliance from every business that stores, processes, and transmits cardholder data, PA-DSS only applies to companies that make and sell payment applications.  

PA-DSS was retired in October 2022 and replaced with PCI Software Security Framework (SSF). This framework puts a keener focus on the security practices around card transaction software. PCI SSC is planning a revision to the currently published version of the Secure Software Standard v1.2.

Payment Card Industry PIN Transaction Security (PCI PTS)

PIN Transaction Security (PTS) devices are used at the point of interaction (POI) to capture cardholder data and validate approval for use during the transaction.

PCI PTS outlines requirements against which vendor products are evaluated to gain POI device approval. 

PCI PTS standards are updated every three years. During these cycles, PTS devices are submitted to third-party labs for evaluation against the current PCI PTS requirements. Once approved, a Letter of Approval (LOA) is issued to prove compliance for the current PCI PTS version. 

Payment Card Industry Point-to-Point Encryption Standard (PCI P2PE)

PCI P2PE defines requirements for how businesses should securely encrypt cardholder data and manage encryption and decryption devices.

P2PE solutions encrypt card data at the point of interaction, such as at a payment terminal, ensuring that sensitive data is unreadable as it is transmitted through the payment processing system.

This standard is designed to prevent data breaches by ensuring that even if the encrypted data is intercepted, it cannot be decrypted without the proper encryption keys, which are securely managed and kept separate from the payment processing environment.

Implementing a PCI P2PE solution can help merchants significantly reduce the scope of their PCI DSS compliance requirements, making it easier and more cost-effective to protect cardholder data.

How PCI DSS has evolved to the latest version

Since it was first introduced in 2004, PCI DSS has grown to include many updates that scale with technology and security advancements such as firewalls and antivirus software. 

The PCI DSS updates have also emphasized the importance of PCI compliance, shining a spotlight on internal security practices and security awareness training for employees. 

The PCI SSC has recently published a new version update, PCI DSS v4.0, which became effective in Q1 of 2024. However, some of the new requirements will not become mandatory until March 31, 2025. 

The new standard was officially released on March 31, 2022, but PCI DSS v3.2.1 remained in effect until March 31, 2024. This gave merchants and service providers time to make necessary adjustments until PCI DSS v3.2.1 was officially retired and superseded by v4.0.

PCI DSS v4.0 includes a variety of changes that aim to keep up with emerging threats and technologies. Noteworthy changes include:

• Updated password requirements
• Expanded multi-factor authentication (MFA) requirements
• Clearly defined roles and responsibilities for each requirement
• New e-commerce and phishing requirements to address ongoing threats

Since then, the PCI SSC has released PCI DSS v4.0.1, a limited revision that addresses stakeholder feedback and questions that have been received since v4.0 was published. PCI DSS 4.0.1 was released on June 11, 2024 and is in effect today. It will become the only active version of the standard after December 31, 2024.