The history of payment card industry data security standards
The Payment Card Industry Data Security Standard (PCI DSS) is important for any merchant that accepts card payments. The PCI DSS includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. While complying with PCI DSS standards can be complicated, understanding its history can help business owners appreciate why it exists and why it's important. Additionally, failure to comply with PCI mandates leaves a merchant vulnerable to a data breach and the ensuing negative fallout including fines, fees and lost business.
PCI DSS was created in 2004 by Visa, MasterCard, Discover, and American Express. However, its roots date back even further.
The origins of PCI DSS
As payment fraud began to rise dramatically, the top players in the credit card industry felt the need to establish a set of security standards. Between 1988 and 1998, Visa and MasterCard lost $750 million due to credit card fraud. Without a focus on security, credit card companies faced major losses, in part driven by the rise of e-commerce, which increased the number of card-not-present transactions and made fraud easier to accomplish. These financial losses gave credit card companies an incentive to work toward a solution to the problem.
Visa was the first of the major card companies to attempt to establish a set of security standards for businesses that accepted payments online. Visa named the standard the Cardholder Information Security Program and implemented it in 2001. MasterCard, American Express, and Discover quickly followed suit, founding their own unique security programs. Merchants that accepted more than one type of credit card had to be compliant with multiple security programs.
PCI DSS introduced
In the early 2000s, online payments became more common and security breaches increased rapidly. In December 2004, all the major credit card companies responded to this crisis by coming together to create a comprehensive set of security standards for merchants. At this point, PCI DSS 1.0 was born. All merchants and other organizations dealing with credit card processing were required to comply with the new standard.
The card brands followed up on this initial version in 2006 with version 1.1, which called for merchants to review all online applications and deploy firewalls for added security. Along with this announcement, the credit card brands announced the creation of the PCI Security Standards Council (PCI SSC), an independent group that would oversee the standard moving forward.
From 2008 to the present
The PCI SSC continues to regularly update the standard to reflect current best practices. In October 2008, version 1.2 was released, which included guidance for protecting wireless networks and implementing antivirus software. In 2010, the PCI SSC lengthened its update cycle, giving merchants more time to become compliant with new requirements. Later that year, PCI DSS gained a foothold in Europe as the council appointed Jeremy King as its first European director.
In the intervening years, the council has made numerous updates to the standard. In January 2015, PCI DSS version 3.0 went into full effect, and PCI DSS 3.1 followed in April 2015. One of the biggest changes between these two versions is that Transport Layer Security (TLS) will replace Secure Sockets Layer (SSL) as the dominant encryption protocol for website security.
Despite the years PCI DSS has been in place, some merchants still don't comply with its mandates, which leaves them open to harmful data breaches. As fraudsters become more sophisticated in their methods, merchants and card companies need to stay vigilant and continue to make digital environments safer for sensitive data. Merchants need to keep up with PCI DSS updates and keep implementing changes to make payment processing safer. One way to accomplish this is for businesses to make sure they work with payment processing vendors that use PCI-compliant equipment.