It is once again time to celebrate the new year, along with a shiny new PCI Version 3.2.1 update. Vigilant as ever, the Payment Card Industry Security Standards Council (PCI SSC) continuously monitors the pulse of the credit card industry.
Detecting some important changes over the past few years, PCI has responded with relevant changes to its industry-respected PCI Data Security Standard (DSS), intended to keep your customers’ data safe while it is in your care.
The Creation and Introduction of the PCI DSS
Leading up to the formation of PCI, the payment card giants took note of the rapidly rising rates of industry-wide fraud between 1988 and 1998. Visa and MasterCard lost $750 million to credit card fraud in those years, and it was easy to see that, without a focus on security, credit card companies would continue to face major losses.
The card brands understood that a combined effort against mounting fraud losses would present a unified front and a shared understanding of the rapidly increasing fraud and how to confront it. They worked together to establish a set of security standards that would become known as PCI DSS.
In 2001, Visa was the first of the payment card companies to implement a set of security standards for businesses to accept payments online, with other major card companies following suit shortly thereafter with each developing their own security program.
However, with multiple security programs in place, merchants that accepted more than one type of credit card (sometimes all of them) bore a greater burden of learning, implementation and compliance, since they had to achieve and maintain compliance with each card company’s security program.
The group went back to the drawing board to develop a more collaborative and cohesive approach to card payment security, resulting in the PCI DSS, which was introduced in 2004.
In 2006, the PCI SSC was formed to serve as a global forum for the payment card industry to come together to continually monitor industry risks and respond with regular updates to the PCI DSS. PCI SSC focuses on developing, enhancing, disseminating and assisting with understanding security standards to provide peak payment account security.
Why Is the PCI DSS Important to the Payment Card Industry?
Given the ever-increasing number of data breaches each year around the world, it probably comes as no surprise that data security is a prime focus for online merchants who regularly accept and process credit cards. Each time an online retailer wins the loyalty of a new customer, they understand that the customer has taken a leap of faith in providing their personal details.
The PCI DSS serves to assist online sellers in protecting their vital cardholder data, which contains personally identifiable information (PII). As data breaches show no signs of slowing down—and since hackers are apparently tireless, never sleeping or running out of nefarious ideas—PCI SSC’s efforts have become an invaluable resource for retailers who care about their customers.
What Is the Continuing Evolution of the PCI DSS?
The PCI DSS is a living and breathing standard, thanks to the PCI SSC, and in response to the volatile world of cybersecurity. Take a look at the evolution of the PCI DSS, as it has increasingly addressed the concerns of emerging technologies and increasing threats to data.
PCI DSS Version 1.0.
The first version of the PCI DSS, which was simply called PCI DSS version 1.0, was released December 15, 2004 and featured a basic, yet still comprehensive, set of security standards for merchants to follow. Any online retailers and other types of organizations that received and processed credit card payments were required to comply with the new standard.
PCI DSS Version 1.1.
In 2006, the same year that the PCI SSC was officially formed as an independent global monitoring collective, the group already had updates to the standard and released version 1.1, calling for merchants to review all online applications and install firewalls on their systems for an added layer of security. This version also provided additional clarification and addressed minor revisions.
PCI DSS Version 1.2.
PCI DSS version 1.2 was released in October 2008 to enhance clarity and address newly evolving risks and threats.
PCI DSS Version 1.2.1.
In August 2009, PCI DSS 1.2.1 was released to make minor corrections and to bring clarity and consistency to the standard and all supporting documents.
PCI DSS Version 2.0.
In 2010, the PCI SSC group introduced some substantial changes that would help merchants commit to PCI DSS compliance more readily. The PCI SSC reviewed data from a Ponemon Institute poll of 155 Qualified Security Assessors (QSAs) to help shape this update. Some of the official changes in this version involved the following:
- Restricting access to data on a need-to-know basis
- Encrypting the data
- Managing and controlling the encryption keys
PCI DSS Version 3.0.
The PCI Council felt it was important to address the current lack of education and awareness around the PCI DSS in this version, which was released in November 2013. The Council also focused on the evolution of emerging mobile and cloud-based technologies and how they would relate to the PCI DSS. Additionally, penetration testing and threat modeling were formally introduced into the mix.
PCI DSS Version 3.1 and PCI DSS Version 3.2.
PCI DSS 3.1, a short-term update released in April 2015, was only intended to remain in force until its retirement on October 31, 2016, giving merchants time to adopt and achieve compliance with the changes in the April 2016 PCI DSS 3.2 release. For 3.2, the PCI SSC team released a fairly extensive volume of requirements, laying out a more pronounced set of best practices.
What Are the Changes in PCI DSS Version 3.2.1?
Released May 31, 2018, PCI DSS Version 3.2.1 is a relatively minor version to add to the collection; it essentially includes clarification updates and a correction to a previous requirement reference.
Following are a few of the minor changes in this version:
- The removal of the February 1, 2018 date as an application deadline, which has long expired.
- The amendment of Appendix A2 and the Standard’s requirements to limit the use of Secure Sockets Layer (SSL) and early Transport Layer Security (TLS), beyond June 30, 2018, to only point-of-sale point-of-interaction (POS POI) terminals and their service provider connection points.
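The SSL/early TLS point above is the one item in this version that a merchant can verify directly on its own systems. As an added example (not code from the original post, nor from PCI SSC or I.S. Partners), the Python below audits an nginx `ssl_protocols` directive for legacy protocols and builds a client `ssl.SSLContext` that refuses them. The sample configuration is constructed, and the policy of accepting only TLS 1.2 and 1.3 is this example’s own choice: PCI’s definition of “early TLS” centres on TLS 1.0, so adjust the `DEPRECATED` set to match your assessor’s reading.

```python
import re
import ssl
from typing import Dict, List

# Example policy (an assumption of this example, not the PCI text): only
# TLS 1.2 and TLS 1.3 are acceptable; SSLv2/SSLv3/TLSv1/TLSv1.1 are flagged.
ACCEPTABLE = {"TLSv1.2", "TLSv1.3"}
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Matches an nginx "ssl_protocols <list>;" directive after optional indentation.
_DIRECTIVE = re.compile(r"^\s*ssl_protocols\s+([^;]+);")


def audit_nginx_protocols(config_text: str) -> List[Dict]:
    """Return one finding per ssl_protocols directive in an nginx config.

    Each finding records the line number, the protocols enabled, which of
    them fall under SSL/early TLS per the policy above, and any names the
    policy does not recognise (treated as non-compliant until reviewed).
    """
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):   # commented-out directives are inert
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        enabled = m.group(1).split()
        bad = [p for p in enabled if p in DEPRECATED]
        unknown = [p for p in enabled if p not in DEPRECATED | ACCEPTABLE]
        findings.append({
            "line": lineno,
            "enabled": enabled,
            "deprecated": bad,
            "unknown": unknown,
            "compliant": not bad and not unknown,
        })
    return findings


def hardened_client_context() -> ssl.SSLContext:
    """Build a Python client SSLContext that refuses SSL and early TLS.

    ssl.SSLContext.minimum_version (Python 3.7+) sets the protocol floor;
    the older OP_NO_* option flags are deprecated in favour of it.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_allows_early_tls(ctx: ssl.SSLContext) -> bool:
    """True if the context would still negotiate TLS 1.1 or lower."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


# Constructed sample: one server block still carrying the legacy protocol
# list that PCI DSS 3.2.1 phases out, and one that has already migrated.
SAMPLE_CONFIG = """\
server {
    listen 443 ssl;
    server_name legacy.example.test;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    # ssl_protocols TLSv1.2;   # commented-out line is ignored by the audit
}
server {
    listen 443 ssl;
    server_name migrated.example.test;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

if __name__ == "__main__":
    for f in audit_nginx_protocols(SAMPLE_CONFIG):
        status = "OK  " if f["compliant"] else "FAIL"
        detail = f"  (deprecated: {', '.join(f['deprecated'])})" if f["deprecated"] else ""
        print(f"{status} line {f['line']}: {' '.join(f['enabled'])}{detail}")
    print("hardened context allows early TLS:",
          context_allows_early_tls(hardened_client_context()))
```

Run it against a real configuration by passing the file contents to `audit_nginx_protocols`; the same pattern extends to other servers by swapping the directive regex. Note that the `ssl` module check only proves what this process will negotiate, not what a remote endpoint offers, so it complements rather than replaces a scan of the POS POI connection points themselves.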
Do You Need Help Implementing the Latest Updates to PCI DSS Version 3.2.1?
If you need more information about PCI DSS Version 3.2.1, or any other version, our I.S. Partners, LLC team is here to help. Our seasoned QSAs can also help you get started with the PCI DSS suite if you are a new merchant ready to become compliant.