History of Payment Card Industry Data Security Standard (PCI DSS)
History of PCI DSS
PCI DSS is the standard that has evolved from the efforts of several card brands. In the 1990s, the card brands developed various standards to improve the security of sensitive information. In the case of Visa, different regions came up with different standards (i.e., European countries were subject to different standards than the US). In June 2001, Visa USA launched the Cardholder Information Security Program (CISP). The CISP Security Audit Procedures document version 1.0 was the granddaddy of PCI DSS. These audit procedures went through several iterations, and made it to version 2.3 in March of 2004. At this time, Visa was already collaborating with MasterCard. Their agreement was that merchants and service providers would undergo annual compliance validation according to Visa's CISP Security Audit Procedures, and would follow MasterCard's rules for vulnerability scanning. Visa maintained the list of approved assessors and MasterCard maintained the list of approved scanning vendors.
This collaborative relationship had a number of problems. The lists of approved vendors were not well maintained, and there was no clear way for security vendors to get added to the list. Also, the program was not endorsed by all card brand divisions. Other brands such as Discover, American Express, and JCB were running their own programs. The merchants and service providers in many cases had to undergo several audits just to prove compliance to each brand, which was clearly costing too much. For that and many other reasons, all card brands came together and created PCI DSS 1.0, which gave us the concept of PCI compliance.
Unfortunately, the issue of ownership still was not addressed, and a year later the PCI Security Standards Council was founded (https://www.pcisecuritystandards.org). Comprised of American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International, PCI Co (as it came to be known) maintains ownership of the DSS, most of the approved vendor lists, training programs, and so forth. There are still exceptions: the list of approved payment application assessors, at the time of this book's publication, is still maintained by Visa.
Each card brand/region maintains its own security program beyond PCI. These programs go beyond the data protection charter of PCI and include activities such as fraud prevention. In certain cases, the PCI ROC (Report on Compliance) needs to be submitted to each card brand's program office separately.