In this part, we lay the groundwork by explaining what PCI DSS is, where it came from, how it has changed over time, and who the major stakeholders are. By understanding the “big picture” of PCI DSS, you’ll be better equipped to tackle the detailed requirements later in the book.
Chapter 1: PCI DSS Fundamentals and Origins
The Birth of a Standard

In the early 2000s, the rise of e-commerce and electronic payments led to an increase in credit card fraud and data breaches. Each major card network responded by creating its own security program: Visa had the Cardholder Information Security Program (CISP), Mastercard had the Site Data Protection (SDP) program, American Express had the Data Security Operating Policy, Discover had Information Security & Compliance, and JCB had its own program as well. This patchwork of standards caused confusion for merchants and service providers who accepted multiple card brands. To unify these efforts, the five major brands formed the PCI Security Standards Council (PCI SSC) and in December 2004 released PCI DSS version 1.0 as the first unified security standard for the payment industry.

From the start, PCI DSS encompassed 12 fundamental requirements organized into six core objectives (sometimes called “control objectives”). These 12 requirements were essentially a distillation of best practices in information security - things like installing firewalls, using strong passwords, encrypting data, and monitoring access.