Key Takeaways

1. Any business handling credit cardholder information must comply with PCI DSS to protect against theft, fraud, and misuse.

2. PCI SSC regularly updates PCI DSS to enhance payment security for merchants, issuers, processors, and organizations, ensuring consumer data safety throughout transactions. The latest version is the PCI DSS version 4.0.

3. I.S. Partners has worked with diverse industries requiring PCI DSS compliance. Allow our experts to guide you through the nuances of the framework. We are also a Qualified Security Assessor.

PCI DSS History

Leading up to the formation of PCI, the payment card giants noted the rapidly rising rates of industry-wide fraud between 1988 and 1998. Damages for Visa and MasterCard totaled $750 million lost due to credit card fraud in those years. It was clear that, without verifiable security, credit card companies would continue to face major losses.

In 2001, Visa was the first payment card company to implement security standards for businesses to accept payments online. Other major card companies followed suit shortly thereafter with their own security programs. However, with multiple security programs in place, merchants had a greater burden of learning, implementing, and maintaining compliance to accept more than one type of credit card.

At this point, the card brands returned to the drawing board to develop a more collaborative and cohesive approach to card payment security. This gave birth to the PCI DSS, which was introduced in 2004.

In 2006, the PCI SSC was formed to serve as a global forum for the payment card industry to come together to continually monitor industry risks and respond with regular updates to the PCI DSS. PCI SSC focuses on developing, enhancing, disseminating, and assisting with understanding security standards to provide effective payment account security.

PCI DSS History timeline

PCI DSS Versions and Updates

Version 1.0

The first version of the PCI DSS, called PCI DSS version 1.0, was released on December 15, 2004, and featured a basic, yet still comprehensive, set of security standards for merchants to follow. Any online retailers and other types of organizations that received and processed credit card payments were required to comply with the new standard.

Version 1.1

In 2006, the same year that PCI SSC was officially formed, the group already had updates to the standard and released version 1.1, calling for merchants to review all online applications and install firewalls on their systems for an added layer of security. This version also provided additional clarification and addressed minor revisions.

Version 1.2

PCI DSS version 1.2 was released in October 2008 to enhance clarity and address newly evolving risks and threats.

Version 1.2.1

In August 2009, PCI DSS 1.2.1 was released to share minor corrections and to create clarity and consistency in the standards and all supporting documents.

Version 2.0

In 2010, the PCI SSC introduced some substantial changes to help merchants commit to PCI DSS compliance more readily. The PCI SSC reviewed data from the Ponemon Institute, which polled 155 Qualified Security Assessors (QSAs) to help shape this update. Some of the official changes in this version involved the following:

  • Restricting access to data on a need-to-know basis.
  • Encrypting the data.
  • Managing and controlling the encryption keys.

Version 3.0

The PCI Council felt it was important to address the current lack of education, awareness, and intention regarding the PCI DSS in this version, which was released in November 2013.

The council also focused on the evolution of emerging mobile and cloud-based technologies and how they would relate to the PCI DSS. Additionally, penetration testing and threat modeling were formally introduced into the mix.

Version 3.1

This short-term update, released in April 2015, was only intended to last until its retirement on October 31, 2016, to allow merchants time to adopt and achieve compliance for changes in the April 2016 PCI DSS 3.2 release.

Version 3.2

The PCI DSS version 3.2 was released in 2016 and went into full effect in 2018. It was developed by the SSC to respond to the growing threats to payment information. Similar to preceding updates, the council introduced new ways to help prevent, detect, and respond to cyberattacks that can lead to costly breaches and damage consumer trust. The refinements in PCI DSS v3.2 are also intended to help provide clarity and guidance to help companies maintain the council’s standards in everyday business practices.

  • Multi-Factor Authentication – Ensuring that only authorized personnel can access cardholder information has been the biggest issue organizations face worldwide. In the past, PCI DSS required multi-factor authentication only for untrusted entities using remote access to enter cardholder data environments. The PCI DSS v3.2 update now also requires multi-factor authentication for any administrative staff using local access to those same cardholder data environments. This update was designed to prevent unauthorized access, from outside and inside the organization, through administrative personnel who use only one form of authentication to enter the cardholder data environment. The term “two-factor authentication” was changed to “multi-factor authentication” for more consistent wording and to encourage organizations to use two or more authentication methods no matter where the administrative personnel are located.
  • Designated Entities Supplemental Validation (DESV) – The Designated Entities Supplemental Validation (DESV) gave credit card service providers a set of criteria to manage ongoing security issues and oversight programs. These requirements were designed to increase the protection of payments as they establish how to scope the environment, establish security measures to instantly detect failures in security control systems, provide timely alerts to these failures, and address the development of compliance program oversight to ensure all security processes are operating as desired. In PCI V3.2, the DESV requirements were consolidated into an appendix, making it easier to review the criteria and decide whether to incorporate them into best practices voluntarily. For some organizations, it is mandatory to undergo a DESV assessment as requested by a credit card brand or issuer.
  • More Secure Version of TLS – In December 2015, the PCI Data Security Council introduced migration dates for organizations to move away from Secure Sockets Layer (SSL) and early Transport Layer Security (TLS). PCI DSS v3.2 includes appendices to help your organization with its migration reporting efforts.
  • Added Service Provider Scrutiny – The PCI Compliance Guide states: “Service providers will undergo additional scrutiny of their management processes, and penetration testing will be required on a more frequent basis.” According to the PCI Data Security Standard Requirements and Security Assessment Procedures, and specifically regarding Requirement 11.2, companies must perform internal and external scans—or ASV scans—quarterly, and rescans as needed, or after any significant change and only by qualified personnel.

Most importantly, this series of requirements under 11.3 is a guideline for pen testing frequency:

Requirement 11.3.1 – Companies should conduct external penetration testing at least on an annual basis or after any significant change in the organization’s operating environment.

Requirement 11.3.2 – Companies are required to perform internal penetration testing at least annually or after any significant change in the organization’s operating environment.

Requirement 11.3.3 – Any exploitable vulnerabilities identified during penetration testing must be corrected, and testing must then be repeated to verify corrections.

Requirement 11.3.4 – Companies must perform network segmentation testing to validate if segmentation controls and methods are operating effectively.

Requirement 11.3.4.1 – Service providers must perform penetration testing on segmentation controls every six months. Previously performed at least annually, this PCI DSS v3.2 update was important because it allowed each specific entity to demonstrate that their segmented environment was truly isolated during testing. It’s important to validate the effectiveness of segmentation to make sure the PCI DSS scope stays current to stay on course with any changing business objectives.
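To make these cadences concrete, here is an added example (not from the article or I.S. Partners) that checks a testing history against the intervals described above for Requirements 11.2 and 11.3, including the "after any significant change" trigger and the six-month segmentation cadence for service providers. The control labels, entity type and dates are constructed sample data.

```python
# Added example, not from the article: checks a test history against the
# PCI DSS v3.2 cadences the article describes for Requirements 11.2 and 11.3.
# All dates, the entity type and the control labels are constructed.
from datetime import date

# Maximum days between tests; every control must also be re-run after any
# significant change, which overdue_controls handles separately.
CADENCE_DAYS = {
    "11.2 vulnerability scan": 90,    # quarterly internal and external scans
    "11.3.1 external pentest": 365,   # at least annually
    "11.3.2 internal pentest": 365,   # at least annually
}
SEGMENTATION = "11.3.4 segmentation test"

def segmentation_cadence_days(is_service_provider: bool) -> int:
    # 11.3.4.1: service providers every six months, other entities annually.
    return 182 if is_service_provider else 365

def overdue_controls(completed: dict, changes: list, is_service_provider: bool,
                     today: date) -> list:
    # completed maps control label -> completion dates; returns one finding
    # per control that is overdue on `today`.
    cadence = dict(CADENCE_DAYS)
    cadence[SEGMENTATION] = segmentation_cadence_days(is_service_provider)
    findings = []
    for control, max_days in cadence.items():
        runs = sorted(completed.get(control, []))
        if not runs:
            findings.append(f"{control}: never performed")
            continue
        last = runs[-1]
        if (today - last).days > max_days:
            findings.append(f"{control}: last run {last} exceeds {max_days} days")
            continue
        # A significant change after the last test requires a retest even
        # when the calendar cadence has not yet elapsed.
        pending = [c for c in changes if c > last]
        if pending:
            findings.append(f"{control}: change on {max(pending)} not retested")
    return findings

def sample_report() -> list:
    # Constructed history for a hypothetical service provider, as of 2024-06-01.
    completed = {
        "11.2 vulnerability scan": [date(2024, 1, 10), date(2024, 4, 8)],
        "11.3.1 external pentest": [date(2023, 9, 1)],
        "11.3.2 internal pentest": [date(2024, 2, 15)],
        SEGMENTATION: [date(2023, 11, 20)],
    }
    return overdue_controls(completed, [date(2024, 3, 1)], True, date(2024, 6, 1))
```

Running `sample_report()` flags both penetration tests (a significant change occurred after each) and the segmentation test (193 days since the last run, over the 182-day service-provider limit), while the quarterly scan is still within cadence.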


PCI-DSS v3.2.1

PCI-DSS v3.2.1 is the current version, released on May 31, 2018. It introduced relatively minor changes, such as clarification updates and corrections to previous requirements. It revised several of the standard requirements that were part of the original PCI-DSS.

Related article: How to Prepare for Your Upcoming PCI Audit.

PCI DSS V4.0

The PCI SSC recently released PCI DSS version 4.0, which took effect on March 31, 2024. This is the first major update to the standard since version 3.2 was released eight years ago. PCI DSS 4.0 includes 63 new requirements aimed at ensuring the standard stays current with emerging threats, technologies, and changes in the payment industry.

Key updates in PCI DSS 4.0 include:

  1. Increased emphasis on penetration testing. Merchants and processors will face heightened scrutiny to validate their cardholder data environments have appropriate protections in place. The new standards require more comprehensive penetration testing methodologies that go beyond routine assessments.
  2. Phased implementation. While some of the new requirements are effective immediately as of March 31, 2024, the majority have a transition period and do not come into full effect until March 31, 2025. This gives businesses time to implement the more challenging aspects.
  3. Clarification of key concepts. PCI DSS 4.0 provides more descriptions and examples of concepts like “significant changes” to cardholder data environments, which previous versions did not define well.
  4. New requirements regarding passwords and phishing. The minimum password length increases from 7 to 12 characters. Additional guidance is provided on security maintenance.
  5. Anti-skimming protections. PCI DSS 4.0 applies security requirements to both payment pages and the parent pages that host them. This makes it much harder for compromised parent pages to skim card data from iframes.

Merchants need to prepare for PCI DSS 4.0 by inventorying their compliance status, closing any gaps, and engaging third-party expertise if needed by the March 2024 and 2025 deadlines.

What Is the PCI DSS and Why Is It Important?

Major credit card companies such as MasterCard, Visa, Discover, American Express, and JCB International created the Payment Card Industry Security Standards Council (PCI SSC) to help companies globally secure their systems when transmitting, receiving, using, and storing cardholder information.

To prevent security breaches and fraud, the PCI SSC has maintained and promoted PCI compliance services such as the Payment Card Industry Data Security Standards (PCI-DSS), which allow businesses and merchants to improve their payment account data security operating policy and network systems.

Complying with PCI DSS is crucial because it protects cardholder data, significantly reducing the risk of data breaches and securing the routes used to transmit cardholder data. Maintaining PCI DSS compliance helps businesses avoid costly breaches, maintain customer trust, and adhere to legal and regulatory requirements.

Customers benefit from enhanced payment data security while the broader payment card industry maintains its integrity and security. Thus, PCI DSS compliance supports a safer transaction environment for all stakeholders involved.

The PCI DSS assists online sellers in protecting their vital cardholder data, which contains personally identifiable information (PII). The PCI SSC’s ongoing efforts have become an invaluable resource for retailers who care about their customers.

The 12 PCI-DSS Standards

PCI DSS compliance standards are based on 12 requirements that deal with network security and internal controls. The foundation behind the 12 PCI DSS standards is to protect cardholder data and ensure the security of credit card transactions.

  1. Install and maintain a firewall configuration for networks and systems
  2. Avoid using vendor-supplied defaults for passwords and other security procedures
  3. Protect cardholder data during storage
  4. Use strong access control measures during cardholder data transmissions over open and public networks
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure network systems and applications
  7. Restrict physical access to cardholder data
  8. Assign a unique ID to each user who needs to access cardholder data
  9. Restrict any physical access to cardholder information
  10. Track and monitor all access to network systems and data
  11. Test security processes and systems
  12. Maintain information security policies

All PCI DSS requirements are further broken down into multiple standards, providing comprehensive details on improving your security systems and methods. By following the standards, you can mitigate risks to your security systems and maintain secure systems to protect cardholder data.


Is PCI DSS v4.0 in Full Effect?

No, PCI DSS v4.0 has not yet fully launched all its requirements. Released on March 31, 2022, it is currently in effect alongside v3.2.1, which remains active until March 31, 2024, providing a transition period. Until this date, organizations undergoing assessments can comply with either v3.2.1 or v4.0 standards.

Starting March 31, 2024, v3.2.1 will be retired, and v4.0 will become the sole active version, introducing 64 new requirements. However, certain new requirements labeled as “future-dated” will be considered best practices until March 31, 2025, when they become mandatory.

Organizations are encouraged to implement these future-dated requirements before the 2025 deadline to enhance their security posture. Therefore, the complete transition to PCI DSS v4.0 with all requirements enforced will conclude by March 31, 2025.

Work Your Way Through PCI DSS Compliance with I.S. Partners

The PCI SSC designed the PCI DSS as a versatile framework for adapting to evolving threats. This change can be challenging to implement, especially without the help of experts.

At I.S. Partners, we are dedicated to protecting your customers’ cardholder data and understanding the significant impact that regulatory updates can have on your operations. As a PCI SSC-Qualified Security Assessor, our team specializes in guiding organizations across various industries through the nuances of compliance.

With decades of combined experience, our experts offer unparalleled insights tailored to your specific industry needs. We ensure thorough preparation for audits, helping you grasp the latest regulatory changes and pinpointing any vulnerabilities that could compromise data security.

Trust in our expertise to navigate the complexities of PCI DSS compliance effectively, empowering your business to maintain robust security standards while focusing on your core operations.

Contact us to help you prepare for the new changes expected later this year.
