History of the PCI DSS standard: How to become and stay compliant
Learn the history of the PCI DSS standard, how it came to be, how it's changed, and what tomorrow will bring.
Published December 17, 2024

Since the emergence of online commerce, regulations governing payment standards have become increasingly stringent. For the security of merchants and customers alike, we need strict rules that protect all stakeholders from cyber threats, while preserving business continuity.
The introduction of the Payment Card Industry Data Security Standard (PCI DSS) marked a symbolic milestone for the security of online transactions.
PCI DSS was introduced in 2004 as an information security standard for major credit card brands, incorporating 12 strategic measures to reduce credit card fraud.
This article looks at the history of the PCI DSS standard: how it came into being, how it has developed, and how it will evolve in the future. We'll also look at what service providers can do to comply with the PCI DSS standard.
To meet the requirements of the Payment Card Industry Security Standards Council, organizations must adhere to the following 12 rules:
Protect cardholder data with a firewall.
Eliminate default settings for system passwords or vendor-defined security settings.
Protect stored cardholder data.
Encrypt the transmission of cardholder data over public open networks.
Deploy security controls to protect systems from malware and viruses.
Deploy and manage secure systems and applications.
Limit access to cardholder data to only those who need it.
Identify and authenticate access to system components.
Restrict physical access to cardholder data.
Track and monitor access to cardholder data and network resources.
Test security processes and systems at regular intervals.
Create and update a security policy governing information security for all employees.
During the '80s and '90s, data leaks and credit card fraud exploded. One memorable event was the 1984 breach of TRW (now known as Experian), in which stolen passwords led to the disclosure of the data of 90 million users. The arrival of the Internet only served to multiply incidents of this kind.
In the 90s, computer viruses began to make headlines, and we saw the emergence of denial-of-service (DoS) attacks. At the same time, credit card fraud became increasingly sophisticated: a teenager, for example, was able to modify the magnetic coding on a number of popular cards.
The major card issuers, such as Mastercard, American Express and Visa, responded to this escalation by each defining their own standards:
American Express Data Security Operating Policy
Discover's Information Security and Compliance standard
JCB's Data Security Program
Mastercard's Site Data Protection policy
Visa's Cardholder Information Security Program
These programs paved the way for the creation of the PCI DSS standard, which was designed to resolve the compatibility issues between them by creating a single unified standard. In this way, the lessons learned in the '90s can now be applied to improving cardholder data protection.
Over time, the PCI DSS standard has adapted to evolving threats and benefited from certain strategic advances to continue protecting financial services.
Following the formation in 2004 of a partnership of the world's leading payment card organizations, the Payment Card Industry Security Standards Council was born in 2006.
PCI DSS 1.0 defines the standards for building secure networks and protecting cardholder data. 2006 sees the publication of PCI DSS v1.1, which mandates the use of firewalls.
Published in October 2010, PCI DSS v2.0 introduces user access restrictions, as well as certain data encryption recommendations.
Published in November 2013, PCI DSS v3.0 incorporates cloud technology, offering new guidance on penetration testing.
PCI DSS v3.1 lays the groundwork for future v3.2, starting with updated compliance requirements, then introducing recommendations for multi-factor authentication (MFA).
The latest version, PCI DSS 4.0, is stricter with regard to non-compliance situations. It introduces customized implementation, enabling entities to design their own security controls.
PCI DSS 4.0 requires multi-factor authentication (MFA). In the wake of recent threats, these versions will cover e-commerce and incorporate phishing updates. Companies must comply with the requirements of PCI DSS 4.0 by March 31, 2025.
Even though the first version of PCI DSS was published in 2004, we can still learn from its difficulties and successes. Organizations can draw on the history of the standard to introduce their own security criteria, for example:
While the standard was created to maintain a degree of uniformity among all payment card issuers, there are some differences in terms of compliance. The criteria required vary according to the merchant's classification level, which is based on annual transaction volume. Visa has four different levels, while Mastercard has five, for example.
The controls used to validate compliance can also vary: this is why suppliers are advised to use qualified security auditors (QSA) to ensure that companies meet the compliance criteria corresponding to their level.
The PCI SSC regularly reviews its standards. For example, the PCI PTS (Payment Card Industry PIN Transaction Security) standards are updated every three years. As part of this process, all PTS equipment undergoes testing in independent laboratories to verify its compatibility with current PCI PTS requirements. A letter of authorization is then issued to prove the equipment's compliance with the latest version of PCI PTS.
The founding principles of the standards also provide for the possibility of updating the texts. In the original standards, card issuers agree to maintain an up-to-date vulnerability management program, including regular antivirus software updates. They also agree to maintain an up-to-date information security policy, and to monitor or test their network at regular intervals.
The security measures outlined in the PCI DSS standard benefit modern organizations in several ways: they protect customer card data, boost consumer confidence and reduce the risk of data leakage.
While the PCI compliance process may seem complex, companies can also refer to a checklist of steps to simplify their compliance. Most companies fall into "Level 4" compliance, which means they must complete a self-assessment questionnaire.
They must also use an “Approved Scanning Vendor” responsible for conducting a quarterly network scan. A list of providers is available on the PCI SSC website. Finally, they must complete an attestation of compliance to prove that they adhere to these standards. This attestation must be completed by a qualified security auditor (QSA); further details are available on the PCI SSC website.
Larger companies, on the other hand, are subject to additional controls, such as the production of an annual compliance report completed by an auditor. Each of these checks can be outsourced to the PCI SSC, so no additional recruitment or costly investment in training is required. Nevertheless, it is possible to obtain “PCI Security Standards Company” certification, which enables these checks to be organized in-house.
PCI DSS compliance applies not only to merchants who accept card payments (debit or credit), but also to service providers involved in the processing, storage and transmission of cardholder data. Incentives to maintain compliance are as relevant today as they were in 2004: the main aim is to prevent large-scale data leakage and card fraud.
The paperwork involved in PCI compliance can seem daunting at first. That's why it's important to clearly define the level of PCI compliance corresponding to your organization:
Level 1: more than 6 million transactions per year
Level 2: Between 1 million and 6 million transactions per year
Level 3: Between 20,000 and 1 million transactions per year
Level 4: Less than 20,000 transactions per year
Each level imposes its own certification criteria: for example, Level 1 companies must provide both an attestation of compliance and an annual compliance report. Smaller companies at level 4 need only produce an attestation of compliance and a self-assessment questionnaire.
These levels help companies to meet security requirements without investing too much time or money. Compliance criteria evolve naturally as organizations grow.
Although PCI DSS is a standard rather than a law, non-compliance can result in fines of up to $500,000 per security breach, plus monthly fines that provide a strong incentive for accountability. Similarly, some card issuers, including Visa and Mastercard, impose fines for non-compliance.
The PCI DSS standard has always been consistent with other international standards, such as those of the International Organization for Standardization (ISO). In particular, the ISO 27001 information security standard is consistent with the PCI DSS standard, since it was introduced in 2005 and has followed a similar evolution to payment standards.
Updates to this standard have kept pace with ISO 27001, which was last updated in October 2022. Whereas ISO 27001 concerns management systems and is based on the notion of risk, providing a benchmark for data protection, PCI DSS is a rules-based standard governing the protection of payment card data.
The interoperability difficulties experienced by the major payment card organizations as their respective standards emerged prompted the creation of a standardized approach. Today, we have a set of compliance validation tools to ensure that these standards remain acceptable to all merchants and data processors:
Qualified security auditors are independent groups or entities responsible for auditing merchants.
Internal security auditors have been certified to conduct in-house assessments.
Compliance reports apply to Visa Level 1 merchants to protect cardholders against fraudulent transactions. Compliance report templates are available on the PCI SSC website.
Self-assessment questionnaires are available in eight versions, corresponding to merchant level, and must be submitted to the company's bank to demonstrate compliance.
The standards have sometimes come in for criticism in the past, and payment card issuers have had to overcome these difficulties to avoid image damage. For example, one merchant claimed that the standards were only designed to collect fines, not to protect businesses.
Nevertheless, these standards also shed light on information security in general, since they encourage all companies to analyze their IT systems and mitigate threats. They are regularly updated as technologies evolve. For example, by 2025, multi-factor authentication is expected to become a PCI DSS compliance requirement.
Since 2021, new developments in compliance requirements have been added to the PCI Data Security Standard:
In June 2021, the PCI Security Standards Council publishes Version 4.0.
In October 2021, updates are added to Version 4.0, including recommendations for encrypting cardholder data in transit.
In November 2021, the PCI SSC publishes an update: additional information addressing cloud computing in PCI DSS environments.
In December 2021, new information is published on the use of payment tokens, which are encrypted representations of cardholder data.
Some PCI DSS sub-standards are aligned with the evolution of technology. At the end of 2022, the PCI SSF (PCI Software Security Framework) replaced the former PA-DSS (Payment Application Data Security Standard). It includes provisions for fraud monitoring and cardholder data authentication, in response to the latest threats.
To meet PCI DSS compliance requirements, it is essential to:
Keep compliance documentation up to date, such as the certificate of compliance;
Ensure that third-party suppliers are also compliant, e.g. suppliers of payment card printing machines;
Keep abreast of the latest developments by regularly consulting the PCI SSC website;
Report any data leaks or security incidents without delay to avoid fines;
Regularly audit the effectiveness of compliance programs;
Consider outsourcing this expertise to a PCI DSS compliance expert.
The introduction of the Payment Card Industry Data Security Standard marked an important milestone in the protection of consumers and businesses against fraud and data leakage. Following the upsurge in online scams and cyber-attacks in the 90s and early 2000s, the world's major credit card brands had to react to protect their customers and employees.
While the standard has undergone numerous updates and several versions since its launch in 2004, the fundamental principles of the PCI DSS still apply today, including the idea that providers should adhere to the highest standards of cardholder data protection, limiting access and encrypting information wherever possible.
These best practices are reflected in each new version of the PCI DSS standard and its sub-standards. Developments in both payment methods and cyberthreats have motivated the emergence of new data security requirements, notably through the use of technologies such as MFA.
Maintaining PCI DSS compliance can be complex and difficult for many organizations. That's why the PCI SSC has developed a set of requirements consistent with international standards. The PCI SSC regularly publishes guidance to help organizations understand the rules and follow them to avoid fines.