The History of PCI Compliance: How It Started and Where We're Headed

Sep 14, 2023

By Valerie Hare, Content and Website Specialist at TokenEx

The dawn of online shopping forever changed the way people purchase products and services. In 1982, the world's first eCommerce site launched, the Boston Computer Exchange (BCE). By 1995, eCommerce giants Amazon and eBay hit the virtual marketplace. Brick-and-mortar businesses began establishing an online presence and adopting digital payments to increase revenue and compete in the evolving payment landscape.

Unfortunately, this global wave of online businesses and card-not-present transactions led to a surge in credit card fraud. Between 1998 and 1999, credit card networks Mastercard and Visa reported more than $750 million in online fraud losses. Keep reading to find out how the major credit card networks banded together to address this payment security issue still plaguing today's online businesses, as well as a look at the history of PCI and today's latest version.


Quick Hits:

  • The Payment Card Industry Data Security Standard (PCI DSS) is a set of security guidelines for organizations that store, process, or transmit cardholder data.
  • PCI DSS was born out of the need to create streamlined standards that organizations can use to help protect sensitive cardholder data from theft.
  • The five key players from the card industry developed PCI DSS – American Express, Discover, Mastercard, JCB International, and Visa.
  • PCI 4.0 is the latest version, which companies should start preparing for when it replaces 3.2.1 in 2024.


The History of PCI DSS Compliance

What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is the global set of security guidelines for organizations that store, process, or transmit cardholder data. PCI DSS compliance includes 12 requirements that cover network security measures and internal security controls.

Who established PCI DSS?
The five major card networks that established PCI DSS are American Express, Discover Financial Services, Mastercard, JCB International, and Visa. These networks make up the Payment Card Industry Security Standards Council (PCI SSC).

When was PCI DSS introduced?
PCI DSS was officially introduced in December 2004. Before then, in 2001, Visa was the first major card network to develop its own set of security standards for companies that accept digital payments.
Other major card companies introduced their security standards. Merchants found it challenging to meet compliance requirements for each network, which was necessary to accept online payments from these card networks.
To make it easier for businesses, service providers, and card networks, the PCI SSC members joined forces to develop a uniform set of global standards to regulate payment security for merchants and service providers. The first PCI version was known as PCI DSS 1.0.

Why was PCI DSS established?
During the 1990s and early 2000s, the introduction of online shopping led to a rise in credit card fraud. Traditional brick-and-mortar stores started selling their products and services online. While this was convenient for customers, the lack of payment security measures created vulnerabilities that attracted cybercriminals to commit payment fraud.
In 2000, U.S. online merchants reported an average loss of 3.6 percent of their sales due to stolen or fraudulent credit card transactions. It was clear that something needed to be done to address these payment security issues impacting businesses, card networks, and customers.
Thus, the industry giants created the global security standard – PCI DSS. These security standards help protect cardholder information and encourage safer payment security practices.

The PCI DSS timeline
Since the payment and security landscapes are ever-changing, PCI DSS has undergone several changes to scale with the eCommerce market and emerging cyber threats.
Here is an overview of PCI DSS since it was established:

  • December 2004 – PCI DSS 1.0 is released.
  • September 2006 – PCI DSS version 1.1 required firewalls for web-facing applications and custom application code to be reviewed by a professional for vulnerabilities.
  • October 2008 – PCI DSS version 1.2 added new antivirus software and wireless network defense requirements.
  • August 2009 – PCI DSS version 1.2.1 offered clarity and consistency regarding its standards and documentation.
  • October 2010 – PCI DSS version 2.0 introduced data encryption guidelines, data encryption, and user access restrictions.
  • November 2013 – PCI DSS version 3.0 offered information about emerging security, cloud-based technologies, and penetration testing guidelines.
  • April 2015 – PCI DSS version 3.1 offered a short-term update to allow merchants and service providers to make compliance updates necessary for PCI DSS version 3.2.
  • April 2016 – PCI DSS version 3.2 introduced guidelines regarding multi-factor authentication (MFA), accounts for Designated Entities Supplemental Validation (DESV), Transport Layer Security (TLS), and performing internal and external scans.
  • May 2018 – PCI DSS version 3.2.1 offered clarification and changed some standard requirements from the original PCI DSS 1.0.
  • March 2022 – PCI DSS 4.0 included expanded MFA requirements, clearly defined roles and responsibilities for every requirement, and updated eCommerce and phishing requirements to address ongoing threats.
  • March 2024 – PCI DSS version 3.2.1 will officially retire and be replaced with version 4.0.
  • March 2025 – Future-dated PCI DSS 4.0 requirements will be effective.

What is PCI DSS 4.0 Compliance?
PCI DSS 4.0 is the latest version, released on March 31, 2022. PCI DSS 4.0 includes a wide range of updates designed to address emerging security threats and technologies, facilitate customized security solutions, and offer more precise guidance on security requirements.
PCI 4.0 changes to note:

  • Updated password requirements
  • Expanded multi-factor authentication (MFA) requirements
  • Clearly defined roles and responsibilities for every requirement
  • New eCommerce and phishing requirements to address ongoing threats
  • A customized approach that allows organizations to define their security controls

Like previous versions, 4.0 includes four levels for merchants and two for service providers. The level is based on the annual number of transactions a merchant or service provider processes annually.


Are you prepared for PCI DSS 4.0?

Merchants and service providers have time to update from the current PCI DSS version 3.2.1 until it's retired on March 31, 2024. This transition period gives organizations time to familiarize themselves with the revised requirements and standards. PCI DSS 4.0 still includes the 12 high-level requirements. Businesses need to comply with these requirements to pass a PCI audit.

  • Install and Maintain Network Security Controls
  • Apply Security Configurations to All System Components
  • Protect Stored Account Data
  • Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks
  • Protect All Systems and Networks from Malicious Software
  • Develop and Maintain Secure Systems and Software
  • Restrict Access to System Components and Cardholder Data by Business Need to Know
  • Identify Users and Authenticate Access to System Components
  • Restrict Physical Access to Cardholder Data
  • Log and Monitor All Access to System Components and Cardholder Data
  • Test Security of Systems and Networks Regularly
  • Support Information Security with Organizational Policies and Programs


PCI Regulations are getting more complex

The PCI DSS timeline proves the standard will continue updating according to the evolving payment technology and security threats. From 2010 (version 2.0) with 75 pages of sub-requirements to 2023 (version 4.0) with 360 pages, these compliance sub-requirements continue to become more granular with how to securely accept, handle, and process cardholder data. PCI 4.0 introduced 64 new requirements businesses need to comply with if applicable to their environments. The core PCI objective will likely remain the same: protecting sensitive cardholder data and encouraging payment security best practices.

As PCI experts, TokenEx can help protect sensitive payment data via cloud tokenization. Not storing your raw payment information on internal systems reduces your PCI scope and risk levels, thus making it easier to achieve PCI compliance and focus on scaling your business. Additionally, you won't have to spend as much time keeping up-to-date with the latest PCI DSS requirements that change regularly.


About TokenEx: 
TokenEx is a cloud tokenization and payment optimization provider committed to helping organizations safely and compliantly accept, store, and transmit sensitive data. With an initial focus on applying tokenization to the management of PCI compliance, TokenEx has expanded its product suite to enable the intelligent routing of payment data. Intelligent payment routing allows clients to optimize authorization rates and fraud management, leading to increased revenue and customer lifetime value. For more information, visit

Contact us: 
Our TokenEx team is here to help you. Contact us to get started. 


Blue-tinted background of a man watching a webinar

Host a Webinar with the MRC

Help the MRC community stay current on relevant fraud, payments, and law enforcement topics.
Submit a Request

Publish Your Document with the MRC

Feature your case studies, surveys, and whitepapers in the MRC Resource Center.
Submit Your Document

Related Resources

There are no related Events

There are no related Surveys

Cookies help us improve your website experience.
By using our website, you agree to our use of cookies.