How did the Payment Card Industry standards come to fruition? Let’s start with the body that governs their development: the PCI Security Standards Council (PCI SSC). The PCI SSC is a worldwide consortium of security experts from different areas of payment processing, including businesses that take credit card payments.
Let’s look at how the three key standards were launched and developed throughout PCI history.
The Payment Application Data Security Standard (PA-DSS), first introduced in 2007, applies to payment applications. Organizations that offer this type of software for use by third parties (for example, in e-commerce) must maintain PCI compliance.
The release of PA-DSS 3.2 in May 2016 brought with it some major changes that were parallel with the new language in PCI DSS 3.2, which we’ll review later. New requirements included multi-factor authentication for non-console administrative access and mandating that all default accounts and roles be identified within the Implementation Guide.
PIN Transaction Security (PTS) is a set of standards covering the logical and physical security of point-of-sale (POS) terminals and devices. The standards cover both attended POS devices, like the register at your favorite coffee shop, and unattended ones, such as the automated machine you pay at when leaving a parking garage. A major change to this standard came in 2010, when the PCI SSC announced the release of PCI PTS 3.0. That release integrated the requirements for POS devices and PIN pad devices, emphasized physical over logical security as the initial priority, and gave further guidance on how to use open protocols securely.
Of the three standards, PCI DSS is the oldest and has gone through many changes since its inception. Below we break down the major milestones in PCI history:
One way we can better understand what is involved in the developments of PCI compliance is through the perspectives of the current and former general managers of the Payment Card Industry Security Standards Council, Bob Russo and Stephen Orfei.
In an interview for CNET, Russo noted that the council was created by the five major card companies – American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. It was formed because the compliance programs of the different organizations were inconsistent, and the five corporations wanted a more seamless and consistent definition of what card data protection entailed.
"There was a time when you could pick up the phone and call one brand and ask a security question and get one answer and call another brand and ask the same question and get a different answer," Russo explained. Since the creation of the board, there has been shared understanding across these companies which has set the baseline for payment security.
After the current general manager, Stephen Orfei, took office at the PCI Council in 2014, he spoke at the North American PCI community meeting to discuss his perspective and how the mission of the council would evolve under his leadership. As covered in BankInfoSecurity, Orfei introduced a three-pronged strategy that he believed would improve the council's ability to advance the general goal of keeping payment data secure:
Even at a time when hacking and other nefarious efforts were on the rise, Orfei exuded optimism, saying that the manner in which businesses were being targeted was "not so sophisticated" and that "[w]e have the technology to fight back."
Another major way the new GM wanted the council to change was to shift focus from compliance to risk. Rather than generating standards to which merchants would be averse, Orfei wanted the PCI Council to be more collaborative in its orientation.
Standards can seem cold and inanimate, especially since they are so technically dense and otherwise demanding. However, the PCI Council is still run by people. Although the major credit card companies that founded the council carry significant weight, the collaboratively modeled PCI SSC can change and evolve over time so that these key payment security standards do not become irrelevant.
What surprised you about PCI’s history? Tell us in the comments section below.