A History Lesson: PCI-DSS From Then To Now
We’ve spoken previously about PCI-DSS, about how PCI-DSS Compliance affects your business (read about it here) and how vital it is to secure card terminal connectivity for growing businesses (which you can read about here). But what we’ve come to realise is that while the market and businesses in general seem to know what PCI-DSS is and to some extent why they should comply, there are many who aren’t as aware of its history.
Today we want to focus on the history of PCI-DSS because we strongly believe that knowing its history will help businesses formulate and implement a proper strategy for payment services and payment solutions. In doing so, we also intend to explore the future of PCI-DSS with the impending launch of PCI-DSS 4.0.
How PCI-DSS Started
Most of the time, the history of PCI-DSS is told as starting in 2004, but in reality it all started way back in the 1990s. Throughout that decade, credit card companies witnessed alarming increases in credit card fraud, with Mastercard and Visa seeing over $750M of losses from online fraud between 1988 and 1999.
Given that the integrity and security of credit and debit card transactions are critical to both eCommerce and brick-and-mortar retailers alike, as well as for consumer to business and business to business financial transactions, something had to be done.
The response from credit card brands was to introduce their own information security initiatives in the late 90s and early 2000s, including:
- Visa: Cardholder Information Security Program (CISP)
- Mastercard: Site Data Protection programme
- American Express: Site Data Protection Program and Data Security Operating Policy
- Discover: Information Security and Compliance programme
- JCB: Data Security programme
The problem was that what we got was a set of disjointed security programmes that were confusing to the market and ineffective. It became impossible to ignore the fact that a single, unified credit card security protection effort was required.
Cut to 2004, when the top brands formed the Payment Card Industry Security Standards Council (PCI-SSC) and modelled their joint security initiative, the Payment Card Industry Data Security Standard (PCI-DSS), on the Visa CISP.
Over the following years, the world would go through several iterations of PCI-DSS, including:
- PCI-DSS v1.0 (2004)
- PCI-DSS v1.1 (2006)
- PCI-DSS v1.2 (2008)
- PCI-DSS v1.2.1 (2009)
- PCI-DSS v2.0 (2010)
- PCI-DSS v3.0 (2013)
- PCI-DSS v3.1 (2015)
- PCI-DSS v3.2 (2016)
- PCI-DSS v3.2.1 (2018)
Since 2004, there have been clarifications, minor revisions, enhanced clarity, improved flexibility, and measures to address risks and threats as they evolve – always in aid of protecting cardholder data. Because that’s the whole point.
The Future is 4.0
Currently, the PCI-DSS v3.2.1 data security standard is what we are complying with in order to protect credit card account data. The “we” refers to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers.
But the future is coming. PCI-DSS v4.0 is expected to be released in Q1 2022, with much anticipation around changes to security, customised implementation, authentication, encryption, monitoring, and the frequency of critical control testing.
Here are 6 key areas where we expect changes to happen:
- Flexibility: Support for additional methodologies, enabling a customised implementation that still meets the intent of the security controls.
- Security: More stringent requirements to ensure that all sellers safely and securely store, process, and transmit cardholder data – setting the bar higher and building on the assurances of PCI-DSS v3.2.1.
- Authentication: A deeper focus on NIST MFA/password guidance, putting more emphasis on applying stronger authentication standards to log-ins for payment and control process access.
- Encryption: Broader applicability, including on trusted networks, to counter cyberthreats such as malicious code.
- Monitoring: Requirements that keep pace with technology advancement, including pluggable options, much like the PCI Software Security Framework.
- Critical Control Testing Frequency: Possible inclusion of Designated Entities Supplemental Validation (DESV) requirements for all companies, not just those that have been compromised.
Using PCI-DSS to Inform Your Business Strategy
The reality is that PCI-DSS applies to all businesses that accept payment cards, and in South Africa, this is a PASA (Payment Association of South Africa) regulation that can’t be ignored.
Outside of this regulatory requirement, there are other motivating factors that should shape your business's overall strategy when you formulate and implement a proper strategy for payment services and payment solutions.
The clear impacts on your business strategy that enable growth:
- Generates greater levels of consumer trust and goodwill by signaling trustworthy data handling and increased payment security to customers.
- Improves B2B relationships by proving that your business isn’t neglecting the critical components of data security, demonstrating to payment brands and business partners that you are a responsible and committed retailer who prioritises payment security.
- Closes the gap on data breaches, reduces lost sales, decreases the risk of losing the option to accept card payments, and avoids possible lawsuits.
Let’s talk about how PCI-DSS can inform a smarter, more secure business strategy, one that gives your business longevity and the protective measures needed to sustain it.
Let’s connect.