PCI History: How the Standard Came To Be

  • April 19, 2022

Buying a latte at your local coffee shop with your credit card takes seconds. 

But there was a time when card readers were non-existent and businesses had to call credit card companies to verify your card information. By the time your transaction was approved, your coffee was cold and your patience tested. 

The Payment Card Industry Data Security Standard (PCI DSS) is one of the reasons today's process of paying by card is both simpler and more secure. 

PCI DSS was born out of a need for an internationally uniform standard to make card transactions more secure for both the business and the customer. 

Below, we examine the history of PCI, what inspired its creation, and the future of PCI compliance.

While PCI DSS is a well-known standard for anyone involved in card transactions, it has come a long way since it first debuted in the early 2000s. Below, we dig into what led to the PCI DSS and how it has evolved.  

What is PCI DSS?

The Payment Card Industry Data Security Standard (or PCI DSS) sets security guidelines for companies that store, process, and transmit cardholder data. PCI DSS compliance is required of any merchant or service provider that handles card transactions and cardholder data.

PCI DSS compliance means meeting 12 requirements that involve network security measures and internal security controls, such as restricting user access to cardholder data and maintaining security policies. 

Who developed PCI?

The founding members of PCI are American Express, Discover Financial Services, JCB International, Mastercard, and Visa. Together, these five members make up the Payment Card Industry Security Standards Council (PCI SSC). 

When was PCI DSS introduced?

PCI DSS was first introduced in December 2004. Prior to this, Visa was the first major payment card company to establish its own set of security standards for businesses accepting payments online in 2001. 

Other payment companies followed suit, but each one began requiring its own set of security standards. Merchants that wanted to accept multiple card brands struggled to meet every brand's separate compliance requirements.

The founding members of PCI SSC came together to establish a uniform way to regulate payment security among merchants and service providers. This led to the first iteration of PCI DSS, which was named PCI DSS 1.0. 

Why was PCI developed?

PCI was developed because of the introduction of online shopping and rising credit card fraud in the late 1990s and early 2000s. 

As small businesses and large companies alike scrambled to open online shopping websites, payment security was often not top of mind. Security measures that are commonplace on e-commerce sites today, such as using firewalls and encrypting cardholder data, were not as well known or understood in the early aughts.  

According to CyberSource, in the year 2000 alone, North American online merchants lost an average of 3.6% of their sales to stolen or fraudulent credit cards.

With both businesses and payment card companies feeling the impact of e-commerce credit card fraud, industry giants such as Visa, Mastercard, and American Express banded together to create a global security standard that would protect card payments and encourage safer cardholder data practices.

A timeline of PCI 

From the first version of PCI DSS 1.0 to today, the international standard has evolved to keep up with the state of e-commerce and more sophisticated cyber threats. 

Below, we dive into the timeline of PCI DSS since its creation and take a look at what’s to come. 

  • December 2004: PCI DSS 1.0 is introduced. 
  • September 2006: PCI DSS v1.1 requires firewalls for web-facing applications and custom application code to be professionally reviewed. 
  • October 2008: PCI DSS v1.2 includes new antivirus software and wireless network defense requirements.  
  • August 2009: PCI DSS v1.2.1 provides clarity and consistency among standards and documentation. 
  • October 2010: PCI DSS v2.0 introduces data encryption guidelines and user access restrictions. 
  • November 2013: PCI DSS v3.0 provides information on emerging cloud-based technologies and guidelines on penetration testing.  
  • April 2015: PCI DSS v3.1 provides a short-term update to allow merchants and service providers to make compliance updates to prepare for PCI DSS v3.2. 
  • April 2016: PCI DSS v3.2 introduces guidelines around multi-factor authentication (MFA) and internal and external scans. 
  • May 2018: PCI DSS v3.2.1 provides clarification and revises some of the standard requirements in the original PCI DSS 1.0. 
  • March 2022: PCI DSS v4.0 includes expanded MFA requirements, clearly defined roles and responsibilities for each requirement, and new e-commerce and phishing requirements to address ongoing threats. 
  • March 2024: PCI DSS v3.2.1 will be retired and replaced with v4.0.* 
  • March 2025: Future-dated PCI DSS v4.0 requirements will officially become effective.*

*Note: These dates are based on projections from the PCI SSC and may be subject to change.

Additional PCI SSC standards

Over the years, the PCI SSC has released additional standards that cover aspects of cardholder security not included within the PCI DSS. 

Payment Application Data Security Standard (PA-DSS)

PA-DSS was created to provide security guidelines that help companies such as software vendors build compliant payment applications for merchants and service providers. 

Unlike PCI DSS, which requires compliance from every business that stores, processes, or transmits cardholder data, PA-DSS applies only to companies that make and sell payment applications.  

PCI SSC has announced that PA-DSS will be retired in October 2022 and be replaced with PCI Software Security Framework (SSF). This framework will put a keener focus on the security practices around card transaction software. 

Payment Card Industry PIN Transaction Security (PCI PTS)

PIN Transaction Security (PTS) devices are used at the point of interaction (POI) to capture cardholder data and validate approval for use during the transaction.

PCI PTS outlines requirements against which vendor products are evaluated to gain POI device approval. 

PCI PTS standards are updated every three years. During each cycle, PTS devices are submitted to third-party labs for evaluation against the current PCI PTS requirements. Once a device is approved, a Letter of Approval (LOA) is issued as proof of compliance with the current PCI PTS version. 

Payment Card Industry Point-to-Point Encryption Standard (PCI P2PE)

This standard defines requirements for how businesses should securely encrypt cardholder data and manage encryption and decryption devices.

How PCI has evolved

Since it was first introduced in 2004, PCI DSS has grown to include many updates that scale with technology and security advancements such as firewalls and antivirus software. 

The PCI DSS updates have also emphasized the importance of PCI compliance, shining a spotlight on internal security practices and security awareness training for employees. 

The PCI SSC is in the midst of a new version update — PCI DSS v4.0 — that is set to become effective in Q1 of 2024. However, some of the new requirements will not become mandatory until March 31, 2025. 

The new standard was officially released on March 31, 2022, and will allow merchants and service providers time to make necessary adjustments until the current version (PCI DSS v3.2.1) is retired on March 31, 2024. 

PCI DSS v4.0 includes a variety of changes that aim to keep up with emerging threats and technologies. Noteworthy changes include:

  • Updated password requirements
  • Expanded multi-factor authentication (MFA) requirements
  • Clearly defined roles and responsibilities for each requirement
  • New e-commerce and phishing requirements to address ongoing threats

Just as PCI history shows, the future of compliance will continue to evolve along with new technologies and payment options. 

Companies like Secureframe can help ensure your business is staying up to date with the latest PCI DSS versions. 

With on-staff PCI DSS experts, you’ll be alerted to any PCI SSC updates that might affect you. Secureframe’s automatic evidence collection will send real-time alerts for any non-conformities so you’re able to maintain PCI compliance with less stress on your team. 

Request a demo today to see how Secureframe can help you gain and sustain PCI compliance for years to come.