The Payment Card Industry (PCI) emerged in the early days of Internet commerce, when businesses began accepting credit cards for online sales. The card issuers began to see fraud and realized that additional security measures were needed to manage the potential risk. Initially, credit card issuers developed and imposed their own security standards on businesses that used their cards for online transactions. However, it quickly became clear that a single standard developed together was more likely to receive widespread adoption than having each issuer impose its own requirements on the businesses. In 2004, a group represented by American Express, Discover Financial Services, JCB International, Mastercard, and Visa was formed to develop a single set of standards. In December 2004, the PCI Data Security Standards (DSS) 1.0 (now updated to PCI DSS 4.0) was created and shared publicly. At that time, all merchants who accepted credit cards, plus payment processors (i.e., entities that process payments on behalf of merchants), were required to comply with the standards.
In 2006, the PCI founders created a quasi-independent organization to continue driving the standards and increase compliance. The PCI Security Standards Council was created and updated the standards to 1.1, which included requirements for online application review and firewall deployments.
Since 2006, PCI DSS updates have occurred every 1-2 years. The current version is PCI DSS 4.0, which was released in March 2022 with new requirements coming into effect in March 2024.