PCI DSS History: How the Standard Came To Be

October 02, 2024
Author

Anna Fitzgerald

Senior Content Marketing Manager

Reviewer

Marc Rubbinaccio

Manager, Compliance

There was a time when card readers were non-existent and businesses had to call credit card companies to verify your card information. The Payment Card Industry Data Security Standard (PCI DSS) is, in part, one of the reasons for today’s simplified and more secure process of using cards to make transactions. 

PCI DSS was born out of a need for an internationally uniform standard to make card transactions more secure for both the business and the customer. 

Below, we examine the history of PCI DSS, what inspired its creation, and the future of PCI compliance.

While PCI DSS is a well-known standard for anyone involved in card transactions, it has come a long way since it first debuted in the early 2000s. Below, we dig into what led to the PCI DSS and how it has evolved.

What is PCI DSS?

The PCI Data Security Standard sets security guidelines for companies that store, process, transmit, or could impact the security of cardholder data and/or sensitive authentication data.

PCI DSS compliance is required of any merchant or service provider that handles credit card transactions and cardholder data.

Compliance means meeting all 12 PCI DSS requirements that involve network security measures and internal security controls, such as restricting user access to cardholder data and maintaining information security policies. 

Who developed PCI?

The PCI SSC’s founding members are American Express, Discover Financial Services, JCB International, Mastercard, and Visa. Together, these five major credit card brands make up the Payment Card Industry Security Standards Council (PCI SSC).

When was PCI DSS introduced?

PCI DSS was first introduced in December 2004. Prior to this, Visa was the first major payment card company to establish its own set of security standards for businesses accepting payments online in 2001. 

Other payment companies followed suit, but each began requiring its own set of security standards. Merchants struggled to meet the compliance requirements of multiple card payment brands.

The founding members of the PCI SSC came together to establish a uniform way to regulate payment security among merchants and service providers. This led to the first iteration of PCI DSS, which was named PCI DSS 1.0. 

Why was PCI developed?

PCI DSS was developed because of the introduction of online shopping and rising credit card fraud in the late 1990s and early 2000s. 

As small businesses and large companies alike scrambled to open online shopping websites, payment security was not often top of mind. Security measures that are commonplace on e-commerce sites today, such as using firewalls and encrypting cardholder data, were not as well known or understood in the early aughts.

According to CyberSource, in the year 2000 alone, North American online merchants lost an average of 3.6% of their sales to stolen or fraudulent credit cards.

With both businesses and payment card companies feeling the impact of e-commerce credit card fraud, industry giants such as Visa, Mastercard, and American Express banded together to create a global security standard that would protect card payments and encourage safer cardholder data practices.

A timeline of PCI DSS

From the first version of PCI DSS 1.0 to today, the international standard has evolved to keep up with the state of e-commerce and more sophisticated cyber threats.

The many revisions below demonstrate the continuous effort to encourage and enhance payment account data security and facilitate the broad adoption of consistent data security requirements globally. 

Below, we dive into the timeline of PCI DSS since its creation and take a look at what’s to come. 

  • December 2004: PCI DSS 1.0 is introduced. 
  • September 2006: PCI DSS v1.1 requires firewalls for web-facing applications and custom application code to be professionally reviewed. 
  • October 2008: PCI DSS v1.2 includes new antivirus software and wireless network defense requirements.  
  • August 2009: PCI DSS v1.2.1 provides clarity and consistency among standards and documentation. 
  • October 2010: PCI DSS v2.0 introduces data encryption guidelines and user access restrictions. 
  • November 2013: PCI DSS v3.0 provides information on emerging cloud-based technologies and guidelines on penetration testing.  
  • April 2015: PCI DSS v3.1 provides a short-term update to allow merchants and service providers to make compliance updates to prepare for PCI DSS v3.2. 
  • April 2016: PCI DSS v3.2 introduces guidelines around multi-factor authentication (MFA) and internal and external scans. 
  • May 2018: PCI DSS v3.2.1 provides clarification and revises some of the standard requirements in the original PCI DSS 1.0. 
  • March 2022: PCI DSS v4.0 includes expanded MFA requirements, clearly defined roles and responsibilities for each requirement, and new e-commerce and phishing requirements to address ongoing threats. 
  • March 2024: PCI DSS v3.2.1 is retired and replaced with v4.0. 
  • June 2024: PCI DSS v4.0.1 is released. This limited revision includes corrections to formatting and typographical errors and clarification of the focus and intent of some of the requirements and guidance. 
  • December 2024: PCI DSS v4.0 will be retired and v4.0.1 will become the only active version of the standard.
  • March 2025: Future-dated PCI DSS v4.0 requirements will officially become effective.*

*Note: These dates are based on projections from the PCI SSC and may be subject to change.

Additional PCI SSC standards

Over the years, the PCI SSC has released additional standards that cover aspects of cardholder security not included within the PCI DSS. 

Payment Application Data Security Standard (PA-DSS)

PA-DSS was created to provide security guidelines that help companies such as software vendors build compliant payment applications for merchants and service providers. 

Unlike PCI DSS, which requires compliance from every business that stores, processes, or transmits cardholder data, PA-DSS only applied to companies that make and sell payment applications.

PA-DSS was retired in October 2022 and replaced with the PCI Software Security Framework (SSF). This framework puts a keener focus on the security practices around card transaction software. The PCI SSC is planning a revision to the currently published version of the Secure Software Standard, v1.2.

Payment Card Industry PIN Transaction Security (PCI PTS)

PIN Transaction Security (PTS) devices are used at the point of interaction (POI) to capture cardholder data and validate approval for use during the transaction.

PCI PTS outlines requirements against which vendor products are evaluated to gain POI device approval. 

PCI PTS standards are updated every three years. During these cycles, PTS devices are submitted to third-party labs for evaluation against the current PCI PTS requirements. Once approved, a Letter of Approval (LOA) is issued to prove compliance for the current PCI PTS version. 

Payment Card Industry Point-to-Point Encryption Standard (PCI P2PE)

PCI P2PE defines requirements for how businesses should securely encrypt cardholder data and manage encryption and decryption devices.

P2PE solutions encrypt card data at the point of interaction, such as at a payment terminal, ensuring that sensitive data is unreadable as it is transmitted through the payment processing system.

This standard is designed to prevent data breaches by ensuring that even if the encrypted data is intercepted, it cannot be decrypted without the proper encryption keys, which are securely managed and kept separate from the payment processing environment.

Implementing a PCI P2PE solution can help merchants significantly reduce the scope of their PCI DSS compliance requirements, making it easier and more cost-effective to protect cardholder data.

How PCI DSS has evolved to the latest version

Since it was first introduced in 2004, PCI DSS has grown to include many updates that scale with technology and security advancements such as firewalls and antivirus software. 

The PCI DSS updates have also emphasized the importance of PCI compliance, shining a spotlight on internal security practices and security awareness training for employees. 

The PCI SSC has recently published a new version update, PCI DSS v4.0, which became effective in Q1 of 2024. However, some of the new requirements will not become mandatory until March 31, 2025. 

The new standard was officially released on March 31, 2022, but PCI DSS v3.2.1 remained in effect until March 31, 2024. This gave merchants and service providers time to make necessary adjustments until PCI DSS v3.2.1 was officially retired and superseded by v4.0.

PCI DSS v4.0 includes a variety of changes that aim to keep up with emerging threats and technologies. Noteworthy changes include:

  • Updated password requirements
  • Expanded multi-factor authentication (MFA) requirements
  • Clearly defined roles and responsibilities for each requirement
  • New e-commerce and phishing requirements to address ongoing threats

Since then, the PCI SSC has released PCI DSS v4.0.1, a limited revision that addresses stakeholder feedback and questions that have been received since v4.0 was published. PCI DSS 4.0.1 was released on June 11, 2024 and is in effect today. It will become the only active version of the standard after December 31, 2024.

How Secureframe can help you achieve and maintain PCI DSS compliance over time

Just as PCI history shows, the future of compliance will continue to evolve along with new technologies and payment options. 

Companies like Secureframe can help ensure your business is staying up to date with the latest PCI DSS versions. 

With on-staff PCI DSS experts, you’ll be alerted to any PCI DSS updates that might affect you. These experts can assess your current environment and scope to help determine exactly which controls are applicable to you and how you can implement them within your environment in order to meet the requirements in the latest version of PCI DSS.

You can then use the Secureframe platform to complete readiness work, including:

  • assigning owners to tasks, controls, and reviews
  • managing the completion of security awareness training and secure code training
  • managing policy acceptance, including acceptable use policy
  • remediating automated tests
  • continuously monitoring your tech stack for non-conformities

Secureframe compliance managers can also perform a gap analysis with you prior to your audit so you can be confident in your PCI DSS v4.0.1 compliance before your auditor performs the actual assessment. When you’re ready, you can select one of our partner QSAs to perform fieldwork directly within the platform.

We also have pre-evaluated partners for any third-party service that Secureframe cannot complete. In addition to audit partners, we have a network of penetration testers, ASV scanning partners, and tokenization partners who would be happy to assist you in becoming PCI DSS compliant.

Request a demo today to see how Secureframe can help you achieve and maintain compliance with the latest version of PCI DSS.

“The platform helped streamline all aspects of getting PCI compliant. Plus, we received amazing support from Secureframe’s in-house compliance experts. Getting PCI compliant was a breeze, and anyone considering PCI should definitely consider Secureframe.” —Matthew Trisoline, Senior Platform Engineer, Basis Theory

FAQs

Does PCI DSS apply to debit cards?

Yes. Any payment card that bears the logo of a PCI SSC Participating Payment Brand, including credit, debit, prepaid, stored value, gift or chip, may be subject to that brand's PCI compliance programs.

When did PCI DSS start?

PCI DSS was introduced in December 2004. It was developed by the major credit card companies (Visa, MasterCard, American Express, Discover, and JCB) to establish a unified set of security standards for organizations that handle credit card information. The goal was to protect cardholder data and reduce the risk of data breaches.

What was before PCI?

Before PCI DSS, there was no unified standard for securing payment card data across the industry. Instead, each credit card brand had its own security requirements and guidelines. These varied standards often led to confusion and inconsistencies in how organizations protected cardholder data. The introduction of PCI DSS provided a comprehensive and consistent set of security practices that all organizations could follow, simplifying compliance and enhancing data protection in the payment card industry.

Was PCI DSS created as federal regulation?

No, PCI DSS was not created as federal regulation. It is a set of security standards developed by PCI SSC, a private organization. Compliance with PCI DSS is required by the credit card companies for any organization that processes, stores, or transmits credit card information. Failure to comply with PCI DSS can result in fines, penalties, and increased scrutiny from the payment card brands.

Is PCI DSS compliance legally required?

PCI DSS compliance is not mandated by federal law. However, in some states such as Nevada, Minnesota, and Washington, portions of the PCI DSS have been written into state law.

Do banks need to comply with PCI DSS?

PCI DSS is part of a contractual relationship between an acquiring bank and the payment card companies they have a relationship with. Since the acquiring banks are on the hook for non-compliance by the card brands, they will determine how their merchants must report PCI DSS compliance and will likely pass any fines down to them. Acquiring banks therefore need to establish an appropriate merchant PCI compliance program for their affiliated card brand.