How did the Payment Card Industry standards come to fruition? Let’s start with the body that governs their development: the PCI Security Standards Council (PCI SSC). The PCI SSC is a worldwide consortium of security experts from different areas of payment processing, including businesses that take credit card payments.
Let’s look at how the three key standards were launched and developed throughout PCI history.
PCI History: The Standards
The Payment Application Data Security Standard (PA-DSS), first introduced in 2007, applies to payment application software. Organizations that offer this type of software for use by third parties (such as e-commerce merchants) must maintain PCI compliance.
The release of PA-DSS 3.2 in May 2016 brought with it some major changes that were parallel with the new language in PCI DSS 3.2, which we’ll review later. New requirements included multi-factor authentication for non-console administrative access and mandating that all default accounts and roles be identified within the Implementation Guide.
PIN Transaction Security (PTS) is a set of standards covering the logical and physical security of point-of-sale (POS) terminals and devices. The standards apply to both attended POS devices, like the register at your favorite coffee shop, and unattended ones, such as the automated machine you pay when leaving a parking garage. A major change to this standard came in 2010 when the PCI SSC announced the release of PCI PTS 3.0. That release integrated the requirements for POS devices and PIN pad devices, made physical security the first priority ahead of logical security, and gave further guidance on how to use open protocols securely.
Of the three standards, PCI DSS is the oldest and has gone through many changes since its inception. Below we break down the major milestones in PCI history:
- October 1999 – The first online merchant security standards were released by a major card company, Visa. Visa's Cardholder Information Security Program (CISP) was the first of several standards that preceded the Payment Card Industry Data Security Standard (PCI DSS).
- 2000-2001 – Fraud occurring solely online in 2000 amounted to $1.5 billion, according to CyberSource. Online credit card fraud ran as much as 300% higher than the average transaction, according to Visa’s analysis in 2001.
- December 15, 2004 – The standard first appeared as PCI DSS 1.0. All organizations in the payment processing cycle, including all e-commerce merchants, were required to comply with PCI DSS.
- September 6, 2006 – Release of PCI DSS 1.1, which added the notable Requirement 6.6. That part of the standard declared "that all custom application code must be professionally reviewed for vulnerabilities or a web application firewall must be installed in front of web-facing applications," noted SearchSecurity.
- October 1, 2008 – Release of PCI DSS 1.2. Its new requirements covered antivirus systems for all operating systems and wireless network defense via the 802.1x standard.
- October 2010 – Release of PCI DSS 2.0. While new versions of standards often signify greater challenges, this version was primarily aimed at simplifying PCI DSS compliance by streamlining the assessment process.
- November 2013 – Release of PCI DSS 3.0. This release emphasized how increasingly crucial it is for providers to shore up their defenses and meet compliance, stressing that internal vulnerability assessments must be conducted.
- April 2016 – Release of PCI DSS 3.2. This placed more focus on multi-factor authentication (MFA) and contained new mandates for service providers.
- May 22, 2018 – Release of PCI DSS 3.2.1. This is the current version as of January 2019. It contains clarifications but no significant modifications, according to the council.
Statements from PCI General Managers
One way we can better understand what is involved in the development of PCI compliance is through the perspectives of the current and former general managers of the Payment Card Industry Security Standards Council, Stephen Orfei and Bob Russo.
In an interview for CNET, Russo noted that the council was created by the five major card companies – American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. The reason it was formed was that there was some disparity between the compliance programs of the different organizations, and the five corporations wanted to create a more seamless and consistent notion of what card data protection entailed.
"There was a time when you could pick up the phone and call one brand and ask a security question and get one answer and call another brand and ask the same question and get a different answer," Russo explained. Since the creation of the council, there has been a shared understanding across these companies, which has set the baseline for payment security.
After the current general manager, Stephen Orfei, took office at the PCI Council in 2014, he spoke at the North American PCI community meeting to discuss his perspective and how the mission of the council would evolve under his leadership. As covered in BankInfoSecurity, Orfei introduced a three-pronged strategy that he believed would improve the council's ability to advance the general goal of keeping payment data secure:
- Provide better education for small businesses on the information technology tools needed to safeguard payments.
- Bolster the organization's efforts to provide prescriptive advice, and strengthen its perspective by conducting industry studies.
- Foster stronger collaboration within the industry.
Even at a time when hacking and other nefarious efforts were on the rise, Orfei exuded optimism, saying that the manner in which businesses were being targeted was "not so sophisticated" and that "[w]e have the technology to fight back."
Another major way the new GM wanted the council to change was to shift focus from compliance to risk. Rather than generating standards to which merchants would be averse, Orfei wanted the PCI Council to be more collaborative in its orientation.
PCI, A Living Standard
Standards can seem cold and inanimate, especially since they are so technically dense and otherwise demanding. However, the PCI Council is still run by people. Although the major credit card companies that founded PCI carry significant weight, the collaboratively modeled PCI SSC can change and evolve over time so that these key payment security standards do not become irrelevant.
What surprised you about PCI’s history? Tell us in the comments section below.