While organisations have a fair share of responsibilities to consider, data security is quickly climbing its way to the top of the list. As cybercrime evolves, companies must prioritise keeping the data they hold safe. Many organisations realise that adhering to the Payment Card Industry Data Security Standard (PCI DSS) is one of the best ways to reduce the risk of a data breach, but far fewer are familiar with how the standard came about. Let’s take a look at the evolution of PCI DSS through the years and the impact each version has had on PCI compliance as a whole.
The foundation of PCI compliance dates back to the beginning of the dot-com era. The rise of e-commerce in the late 1990s made card fraud easier than ever before, and the major card brands suffered significant financial losses as a result. Losses of over $750 million gave them a strong incentive to change the way transactions were handled. In 2001, Visa became the first card brand to publish a set of security guidelines for businesses handling online payments: the Cardholder Information Security Program (CISP). The other card brands followed with security programmes of their own, but soon realised they stood a greater chance of combating cybercrime and fraud by working together, which led to the first version of the PCI DSS we know today.
Backed by five major card brands (American Express, Discover, JCB, MasterCard and Visa), PCI DSS 1.0 made its debut in December 2004 as a unified and comprehensive set of requirements for organisations in the payment processing cycle. Less than two years later, in September 2006, the PCI Security Standards Council (PCI SSC) was created to maintain the standard and update it to reflect both best practice and the evolving threat landscape. The first update, PCI DSS 1.1, released in September 2006, required organisations either to have their public-facing web applications reviewed for vulnerabilities or to place a web application firewall in front of them. In December 2006, retail department store chain TJX discovered one of the largest data breaches seen to date; disclosed in early 2007, it exposed over 45 million payment card numbers. The event served as a reminder of just how important the newly created PCI DSS requirements are, and of what can happen when security is not prioritised within an organisation. In a survey conducted by PCI Pal, 41% of UK consumers and 21% of US consumers said they stop spending with a company after a breach, meaning the trust of customers is costly to lose and difficult to regain. Although there are costs associated with becoming compliant, it is far more costly to fall victim to a data breach.
Since its debut in 2004, the PCI DSS has been revised regularly, with updates covering wireless network protection, anti-virus software and stronger encryption for web-facing systems. 2008 was a memorable year, as a companion standard was launched with a focus on payment applications: the Payment Application Data Security Standard (PA-DSS). It was designed to help software vendors build payment applications that do not store sensitive authentication data after authorisation, namely the full contents of the card’s magnetic stripe (or its chip equivalent), the card verification code (CVV2/CVC2/CID) and the PIN or PIN block.
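PA-DSS tells vendors what a payment application must never persist; a practical way to check an application against that rule is to scan its logs and data stores for the prohibited values. The following is an added example written for this article, not code from PCI Pal or the PCI SSC: a small Python scanner that flags Luhn-valid primary account numbers (PANs), magnetic-stripe track 1 and track 2 data, and CVV or PIN fields in log lines. The sample log lines are constructed, the regular expressions are heuristics that a real deployment would tune to the application’s own log format, and the first-six/last-four masking reflects the display rule in PCI DSS 3.2.1 Requirement 3.3.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample log lines for this example (not taken from any real application).
SAMPLE_LOG = """\
2019-03-04 10:22:01 INFO  auth ok user=alice
2019-03-04 10:22:05 DEBUG track2=4111111111111111=2512101000000000?
2019-03-04 10:22:05 DEBUG pan=4111111111111111 cvv=123 exp=12/25
2019-03-04 10:22:07 INFO  order 10000000000000000 created
2019-03-04 10:22:09 DEBUG pan=4111111111111112 pin=1234
"""

# Heuristic patterns for data a payment application must never persist.
# Track 1 ("%B<PAN>^<name>^<YYMM>...?") and track 2 ("<PAN>=<YYMM>...?") follow the
# magnetic-stripe layout; CVV and PIN are matched as key=value fields, which is
# how they usually leak into debug logs.
CANDIDATE_PAN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
TRACK1 = re.compile(r"%?B\d{13,19}\^[^^]{2,26}\^\d{4}\d*\??")
TRACK2 = re.compile(r"(?<!\d)\d{13,19}=\d{4}\d*\??")
CVV = re.compile(r"\b(?:cvv2?|cvc2?|cid|cav2)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)
PIN = re.compile(r"\bpin(?:block)?\s*[=:]\s*\S+", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN to first six / last four, the most PCI DSS 3.2.1 Req. 3.3 allows to display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> List[Tuple[str, str]]:
    """Return (kind, matched_text) pairs for every prohibited value found in one log line."""
    findings: List[Tuple[str, str]] = []
    for m in TRACK1.finditer(line):
        findings.append(("track1", m.group()))
    for m in TRACK2.finditer(line):
        findings.append(("track2", m.group()))
    for m in CANDIDATE_PAN.finditer(line):
        # A 13-19 digit run is only reported as a PAN if it is Luhn-valid;
        # this keeps order numbers and other long identifiers out of the results.
        if luhn_ok(m.group()):
            findings.append(("pan", m.group()))
    for m in CVV.finditer(line):
        findings.append(("cvv", m.group()))
    for m in PIN.finditer(line):
        findings.append(("pin", m.group()))
    return findings


def scan_log(text: str) -> Dict[str, int]:
    """Count findings by kind across a whole log."""
    counts: Dict[str, int] = {"track1": 0, "track2": 0, "pan": 0, "cvv": 0, "pin": 0}
    for line in text.splitlines():
        for kind, _ in scan_line(line):
            counts[kind] += 1
    return counts


if __name__ == "__main__":
    # Report findings without writing the prohibited values back out in full.
    for lineno, line in enumerate(SAMPLE_LOG.splitlines(), 1):
        for kind, value in scan_line(line):
            shown = mask_pan(value) if kind == "pan" else "<redacted>"
            print(f"line {lineno}: {kind} found ({shown})")
    print(scan_log(SAMPLE_LOG))
```

Run against the constructed log, the scanner reports the track 2 record and the PAN on the second line, the PAN and CVV on the third, and the PIN on the fifth, while the 17-digit order number on the fourth line and the Luhn-invalid number on the fifth are ignored. The point of the Luhn filter is to keep the scan useful on real logs, where long numeric identifiers are common; the point of masking in the report is that the scanner’s own output must not become another place where full PANs are stored.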
While most organisations recognised the need for PCI compliance by this point, many struggled with full implementation. In response, the PCI Security Standards Council lengthened the standard’s update cycle from two years to three, beginning with PCI DSS 2.0 in 2010, giving merchants more time to comply with new requirements. By the end of 2012 compliance had reached record levels, with 97% of Level 1 merchants (those processing more than 6 million transactions per year) validated as compliant. Merchants becoming more compliant did not stop large breaches elsewhere, however: in 2013 Yahoo suffered possibly the biggest breach in history, affecting around 3 billion user accounts, although it involved account data rather than card data and was not disclosed until 2016.
In the following years, PCI DSS continued to evolve through a series of further revisions (1.2, 1.2.1, 2.0, 3.0 and 3.1). By 2015 the standard included stronger password requirements, a requirement to maintain an inventory of all hardware and software components in scope for PCI DSS, documentation of how cardholder data flows through systems and networks, and guidance covering payments accepted through mobile applications.
In April 2016, the PCI SSC released PCI DSS 3.2, adding further requirements for service providers and extending multi-factor authentication to all non-console administrative access to the cardholder data environment. This version is the direct predecessor of PCI DSS 3.2.1 (May 2018), the version we adhere to today.
Looking ahead, the PCI Security Standards Council is already preparing PCI DSS 4.0, expected in 2020, which is set to feature additional requirements for user authentication, encryption of cardholder data and monitoring of the cardholder data environment, and to call for more frequent testing.
At PCI Pal, we keep PCI Compliance at the forefront of what we do and we help organisations understand the importance of prioritising data security. Get in touch with PCI Pal to stay in the know on all things PCI DSS or to discuss how our solutions can help your organisation overcome the compliance hurdle.