The History of PCI Security: PCI Compliance and PCI Standards

Author: Ciske van Oosten

Today, payment cards are such a ubiquitous part of our daily financial life that it's hard to imagine a time before they existed. Paying for a latte at your local coffee shop with a credit card now takes only a few minutes, and it's equally hard to imagine a time when electronic, network-connected card readers didn't exist. The first credit cards were introduced more than 70 years ago. In those early years, it was standard practice for businesses to call the credit card company to verify card information for each payment. It was a time-consuming process, and PCI security was likely not top of mind. By the time the transaction had been approved, several minutes had gone by, and your latte was likely teetering on tepid.

As the use of card payments increased, payment systems evolved, and so did the risks to the data they carry. The driving force behind industry regulation to protect payment card data came in the late 1990s with the widespread adoption of the internet and e-commerce. With the birth and rapid growth of online shopping came increased fraud and malware created to steal credit and debit card information. According to TechTarget, between 1988 and 1999, two of the major card brands documented more than $750M of losses from online fraud. The resulting regulation, known as Payment Card Industry (PCI) security compliance, significantly raised the bar and vastly improved the way in which organizations protect sensitive payment card data.

Maintaining secure payment systems that allow consumers to make payment card transactions easily, without risking the privacy of their personal data, is a critical part of financial data security. Compliance with PCI security requirements can help keep your and your customers' sensitive personal data secure and out of the hands of cybercriminals. Data breaches compromise several million data records each year and can result in lost confidence, bad press, legal challenges and declining profits.

According to the Verizon 2023 Data Breach Investigations Report (DBIR), 83% of data breaches in 2022 involved external actors, the majority of them financially motivated, and 84% of data breach caseloads entailed payment account data.[1]

Large-scale card data breaches happen when threat actors use tactics such as installing malicious code on a web application, SQL injection, phishing or a range of other methods to gain access to systems. These tactics give threat actors a foothold in their target's systems, potentially allowing them to access and control large amounts of data. The sheer volume of payment card data stored in databases and in the cloud poses substantial risks to consumers concerned about the security of their data, particularly in light of the numerous high-profile breaches over the years that compromised millions of payment card records.

All these factors, and more, are pushing data security and compliance to the forefront in the form of industry regulations for modern business.

On March 31, 2024, compliance with the latest edition of the Data Security Standard, PCI DSS v4.0, becomes mandatory, and v3.2.1 retires.

PCI history

The Payment Card Industry Security Standards Council (PCI SSC) is a global forum that enhances payment account data security by bringing together payments industry stakeholders to develop security standards and drive their adoption, backed by supporting services for education, awareness and effective implementation. The PCI SSC introduced the framework for one of the most influential compliance regulations in the world approximately 20 years ago.

The PCI SSC was founded in 2006 as a joint venture between five large payment card brands; its members now include American Express, Discover, JCB International, Mastercard, UnionPay, and Visa, Inc. Each participating payment brand member maintains its own data security compliance program to protect its payment card account data. Information for merchants can be found here.

In 1999, several major card brands announced that they were developing data security programs to help merchants, service providers and customers protect themselves against security breaches.

MasterCard introduced the Site Data Protection (SDP) program. Visa, Inc. introduced its Cardholder Information Security Program (CISP) and Account Information Security (AIS) program in 2000. Other card schemes followed: the Discover Financial Services payment network introduced its Discover Information Security & Compliance (DISC) program, and JCB maintains its Data Security Program. These programs include guidelines, best practices, and approved compliance validation tools and rules that are individually maintained by each card brand.

As payment security evolves, so does its complexity, driven by the arrival of cloud computing, mobile and contactless payments, a widening attack surface, and rising numbers of payment card transactions. This is why, between 2018 and 2022, the PCI Security Standards Council undertook the most extensive revision of the PCI DSS since its initial release in 2004.

PCI Security compliance and enforcement

PCI security compliance is not legislated by governments. Instead, compliance is mandated by the business-to-business contracts that merchants and service providers sign with payment processors, card brands and other businesses. Compliance with and enforcement of the PCI Standards are the roles of the payment brands and acquirers, not the PCI SSC. As mentioned above, each of the PCI SSC's participating payment brand members maintains its own PCI compliance program for the management of its affiliated payment card account data, and these programs are kept aligned with the global PCI security standards.

In collaboration with the industry, the PCI SSC develops and maintains several standards that address payment security for issuers, merchants, vendors and solution providers, acquirers and processors.

Progression of the PCI Standards

PCI DSS version 1.0 was initially developed by Visa Europe and Visa Inc. and released under the Visa brand in 2004. The familiar six control objectives and 12 key requirements of the PCI DSS are the foundation of Visa's data security compliance programs, the Account Information Security (AIS) program and the Cardholder Information Security Program (CISP). Subsequent updates to the PCI DSS resulted from a cooperative effort between Visa, MasterCard and other payment brands to create common industry security requirements. In 2006, the formation of the PCI SSC was announced as a joint venture between participating card brands to develop and evolve the PCI security standards, focused on protecting cardholder data throughout the payment transaction life cycle.

The founding payment brands aligned their programs to foster broad compliance with the PCI DSS. PCI DSS version 1.1 was released in 2006 as the flagship global data security standard managed by the PCI SSC. Nine updates of the PCI DSS have followed since its initial release.

The new standard

The latest version of the Standard, PCI DSS v4.0, was released in March 2022. PCI DSS v4.0 is the ninth update to the Standard and provides added security requirements and guidance for organizations seeking sustainable effectiveness across their control and compliance environments in an increasingly challenging payments landscape.

On March 31, 2024, PCI DSS v3.2.1 retires, and compliance with v4.0 becomes mandatory for all organizations involved in payment data security.

The Verizon Payment Security Report (PSR) presents trends in the evolving payment security industry. When first released in 2010, the report provided the first grounded analysis of the performance of the DSS, with a comparative analysis of the strengths and weaknesses of its requirements by industry and region. The report reviews the impact of updates to the requirements and includes commentary on leading methods for simplifying compliance program management and improving program performance.

The latest PSR white paper and previous PSRs can be found here.

The author of this content, Ciske van Oosten, is head of Global Business Intelligence within the Verizon Cyber Security Consulting Services division and is the author of the Verizon Payment Security Report. Direct access to our collection of PSR publications can be found at https://www.verizon.com/paymentsecurityreport
