
Why Is PCI Compliance Important?
Buying a latte at your local coffee shop with your credit card takes seconds.
But there was a time when card readers were non-existent and businesses had to call credit card companies to verify your card information. By the time your transaction was approved, your coffee was cold and your patience tested.
The Payment Card Industry Data Security Standard (PCI DSS) is one of the reasons that using a card to pay is both faster and more secure today.
PCI DSS was born out of a need for an internationally uniform standard to make card transactions more secure for both the business and the customer.
Below, we examine the history of PCI, what inspired its creation, and the future of PCI compliance.
While PCI DSS is a well-known standard for anyone involved in card transactions, it has come a long way since it first debuted in the early 2000s. Below, we dig into what led to the PCI DSS and how it has evolved.
The Payment Card Industry Data Security Standard (or PCI DSS) sets security guidelines for companies that store, process, and transmit cardholder data. PCI DSS compliance is required of any merchant or service provider that handles card transactions and cardholder data.
PCI DSS compliance means meeting 12 requirements that involve network security measures and internal security controls, such as restricting user access to cardholder data and maintaining security policies.
The PCI SSC’s founding members are American Express, Discover Financial Services, JCB International, Mastercard, and Visa. Together, these five members make up the Payment Card Industry Security Standards Council (PCI SSC).
PCI DSS was first introduced in December 2004. Prior to this, Visa was the first major payment card company to establish its own set of security standards for businesses accepting payments online in 2001.
Other payment companies followed suit, but each one required its own set of security standards. Merchants that wanted to accept multiple card brands struggled to meet several overlapping sets of compliance requirements.
The founding members of PCI SSC came together to establish a uniform way to regulate payment security among merchants and service providers. This led to the first iteration of PCI DSS, which was named PCI DSS 1.0.
PCI was developed because of the introduction of online shopping and rising credit card fraud in the late 1990s and early 2000s.
As small businesses and large companies alike scrambled to open online shopping websites, payment security was often not top of mind. Security measures that are commonplace on e-commerce sites today, such as firewalls and encryption of cardholder data, were not as well known or understood in the early aughts.
According to CyberSource, in the year 2000 alone, North American online merchants lost an average of 3.6% of their sales to stolen or fraudulent credit cards.
With both businesses and payment card companies feeling the impact of e-commerce credit card fraud, industry giants such as Visa, Mastercard, and American Express banded together to create a global security standard that would protect card payments and encourage safer cardholder data practices.
From PCI DSS 1.0 to today, the international standard has evolved to keep up with the state of e-commerce and increasingly sophisticated cyber threats.
Below, we dive into the timeline of PCI DSS since its creation and take a look at what’s to come.
*Note: These dates are based on projections from the PCI SSC and may be subject to change.
Over the years, the PCI SSC has released additional standards that cover aspects of cardholder security not included within the PCI DSS.
PA-DSS was created to provide security guidelines that help companies such as software vendors build compliant payment applications for merchants and service providers.
Unlike PCI DSS, which requires compliance from every business that stores, processes, or transmits cardholder data, PA-DSS applies only to companies that make and sell payment applications.
PCI SSC has announced that PA-DSS will be retired in October 2022 and be replaced with PCI Software Security Framework (SSF). This framework will put a keener focus on the security practices around card transaction software.
PIN Transaction Security (PTS) devices are used at the point of interaction (POI) to capture cardholder data and to validate the cardholder’s approval of the transaction.
PCI PTS outlines requirements against which vendor products are evaluated to gain POI device approval.
PCI PTS standards are updated every three years. During each cycle, vendors submit PTS devices to third-party labs for evaluation against the current PCI PTS requirements. Once a device is approved, a Letter of Approval (LOA) is issued as proof of compliance with the current PCI PTS version.
This standard defines requirements for how businesses should securely encrypt cardholder data and manage encryption and decryption devices.
Since it was first introduced in 2004, PCI DSS has grown to include many updates that scale with technology and security advancements such as firewalls and antivirus software.
The PCI DSS updates have also emphasized the importance of PCI compliance, shining a spotlight on internal security practices and security awareness training for employees.
The PCI SSC is in the midst of a new version update, PCI DSS v4.0, that is set to become effective in Q1 of 2024. However, some of the new requirements will not become mandatory until March 31, 2025.
The new standard was officially released on March 31, 2022, and will allow merchants and service providers time to make necessary adjustments until the current version (PCI DSS v3.2.1) is retired on March 31, 2024.
PCI DSS v4.0 includes a variety of changes that aim to keep up with emerging threats and technologies. Noteworthy changes include:
Just as PCI history shows, the future of compliance will continue to evolve along with new technologies and payment options.
Companies like Secureframe can help ensure your business is staying up to date with the latest PCI DSS versions.
With on-staff PCI DSS experts, you’ll be alerted to any PCI SSC updates that might affect you. Secureframe’s automatic evidence collection will send real-time alerts for any non-conformities so you’re able to maintain PCI compliance with less stress on your team.
Request a demo today to see how Secureframe can help you gain and sustain PCI compliance for years to come.