The History of PCI Security: PCI Compliance and PCI Standards

Author: Ciske van Oosten

Today, payment cards are such a ubiquitous part of our daily financial life that it's hard to imagine a time before they existed. Completing payment for a latte at your local coffee shop with a credit card now only takes a few minutes. It’s hard to imagine a time when electronic network-connected card readers didn’t exist. The first credit cards were introduced more than 70 years ago. During those early years, it was standard practice for businesses to call credit card companies to verify card information for each payment. It was a time-consuming process and PCI security was likely not top of mind. By the time they had approved your transaction, several minutes had gone by, and your latte was likely teetering on tepid.

As the use of card payment increased, payment systems evolved – and so did the risks to protect data. The driving force behind industry regulations to protect payment card data came in the late 1990s with the widespread adoption of the internet and e-commerce. With the birth and rapid growth of online shopping came increased fraud and malware created to steal credit and debit card information. According to TechTarget, between 1988 and 1999, two of the major card brands documented more than $750M of losses from online fraud. The regulation significantly raised the bar, vastly improving the way in which organizations protect sensitive payment card data, also known as Payment Card Industry (PCI) security compliance.

Maintaining secure payment systems that allow consumers to easily make payment card transactions without risking the privacy of their personal data is a critical part of financial data security. Compliance with PCI security requirements can help keep you and your customers’ sensitive personal data secure and out of the hands of cybercriminals. Data breaches result in the compromise of several million data records each year and can result in lost confidence, bad press, legal challenges and declining profits.

According to the Verizon 2023 Data Breach Investigations Report (DBIR), 83% of data breaches in 2022 involved external actors—the majority being financially motivated. 84% of data breach caseloads entailed payment account data.1

Large-scale card data breaches happen when threat actors use nefarious tactics, such as installing malicious code on a web application, SQL injections, phishing or a range of other methods to access systems. These tactics give threat actors access to their target's systems, potentially allowing them to access and control a lot of data. The sheer amount of payment card data stored in databases and the cloud poses substantial risks to consumers concerned about the security of their data – particularly in light of the numerous high-profile data breaches over the years that resulted in the compromise of millions of payment card data records.

All these factors, and more, are pushing data security and compliance to the forefront in the form of industry regulations for modern business.

On March 31, 2024, compliance with the latest edition of the Data Security Standard, PCI DSS v4.0, will become mandatory, and v3.2.1 retires.

PCI history

The Payment Card Industry Security Standards Council (PCI SSC) is a global forum that enhances global payment account data security by bringing together payments industry stakeholders to develop and drive adoption of security standards and supporting services that drive education, awareness and effective implementation. The PCI SSC introduced the framework for one of the most influential compliance regulations in the world approximately 20 years ago.

Founded in 2006 as a joint venture between five large payment card brands, these members now include American Express, Discover, JCB International, Mastercard, UnionPay, and Visa, Inc. Each participating payment brand member maintains their individual data security compliance program to protect their payment card account data. Information for merchants can be found here.

In 1999, several major card brands announced the initiation of the development of data security programs to help merchants, service providers and customers protect themselves against security breaches. 

MasterCard introduced the Site Data Protection Program (SDP). Visa, Inc. introduced its Cardholder Information Security Program (CISP) and Account Information Security (AIS) program in the year 2000. Other card schemes, such as Discover Financial Services payment network, introduced their Discover Information Security & Compliance (DISC) program, and JCB maintains their Data Security Program. These programs include guidelines, best practices, and approved compliance validation tools and rules that are individually maintained by each card brand.

As payment security evolves, so does complexity with the entrance of cloud computing, mobile and contactless payments, a widening attack surface, and rising numbers of payment card transactions. Which is why between 2018 and 2022, the PCI Security Standards Council instituted the most extensive revision of the PCI DSS since its initial release in 2004. 

PCI Security compliance and enforcement

PCI security compliance is not legislated by governments. Instead, compliance is mandated by the business-to-business contracts that merchants and service providers sign with payment processors and card brands and other businesses. Compliance and enforcement of PCI Standards are the roles of the payment brands and acquirers, not the PCI SSC. As mentioned above, each of the PCI SSC’s participating payment brand members maintain their own individual PCI compliance programs for the management of their affiliated payment card account data, and programs are maintained to align with the global PCI security regulation.

In collaboration with the industry, The PCI SSC develops and maintains several standards that address payment security for issuers, merchants, vendors and solution providers, acquirers and processors.

Progression of the PCI Standards

The PCI DSS version 1.0 initially was developed by Visa Europe and Visa Inc., and released under the Visa brand in 2004. The familiar six control objectives and 12 Key Requirements included in the PCI DSS are the foundation of Visa’s data security compliance programs - the Account Information Security (AIS) program and the Cardholder Information Security Program (CISP). Subsequent updates to the PCI DSS resulted from a cooperative effort between Visa and MasterCard and other payment brands to create common industry security requirements. In 2006, formation of the PCI SSC was announced as a joint venture between participating card brands to develop and evolve the PCI security standards focused on protecting cardholder data throughout the payment transaction life cycle.

The founding payment brands aligned their programs to foster broad compliance with the PCI DSS. PCI DSS version 1.1 of the PCI DSS was released in 2006 as the flagship global data security standard managed by the PCI SSC. Nine updates of the PCI DSS followed after its initial release. 

The new standard

The latest version of the Standard, PCI DSS v4.0, was released in March 2022. PCI DSS v4.0 is the ninth update to the Standard, and provides added security and guidance for organizations attempting to achieve sustainable effectiveness across control and compliance environments in an increasingly challenging payments landscape.

On March 31, 2024, PCI DSS v3.2.1 retires, and compliance with v4.0 becomes mandatory for all organizations involved in payment data security.

The Verizon Payment Security Report (PSR) presents insightful trends in the evolving payment security industry. When first released in 2010, the research report presented the first-of-its-kind grounded analysis on the performance of the DSS with comparative analysis of the strengths and weaknesses of the requirements by industry and region. The report reviews the impact of updates to the requirements, and includes commentary on leading methods to simplify compliance program management and to improve program performance.

The latest PSR white paper and previous PSRs can be found here

The author of this content, Ciske van Oosten, is head of Global Business Intelligence within the Verizon Cyber Security Consulting Services division, and is the author of the Verizon Payment Security Report. Direct access to our collection of the PSR publications can be found at

  • Like what you're reading?

    If you’d like to receive new articles, solutions briefs, whitepapers and more—just let us know.

    Sign up

Let's get started.