PCI DSS originally began as five different security programs by five different card companies:
- Visa Card Information Security Program (CISP)
- MasterCard Site Data Protection
- American Express Data Security Operating Policy
- Discover Information and Compliance
- JCB Data Security Program
Each of these companies intended to create an additional level of protection for customers, thereby ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data. The Payment Card Industry Security Standards Council was formed, and on 15 December 2004 these companies aligned their individual policies and created the Payment Card Industry Data Security Standard (PCI DSS) version 1.0.
In September 2006, the PCI standard was updated to version 1.1 to provide clarification and minor revisions to version 1.0. In October 2008, PCI DSS version 1.2 was released and provided clarity on some of the debated requirements.
Visa and MasterCard play a key role in promoting and enforcing the PCI DSS across the industry.
- MasterCard is responsible for certifying products and companies capable of fulfilling the Scanning requirements
  - These are often referred to as SDP Certified products and/or companies
- Visa is responsible for training and certifying companies and individuals capable of fulfilling the Onsite Audit
  - Such companies are called QSAs (Qualified Security Assessors) and the individuals are called QSAPs (Qualified Security Assessor Personnel)
- The other PCI organisations are contributors to the standards