One of the top compliance standards for the payment industry, the Payment Card Industry Data Security Standard (PCI DSS), is undergoing an overhaul with its 4.0 version. While other versions saw incremental changes compared to the original standard, 4.0 will bring more than 50 new requirements for companies to comply with before March 31st, 2025, thus radically transforming the framework.
Considering how painfully slow traditional compliance processes have been, I believe many companies risk being blindsided and suffering the costs of non-compliance if they don’t pay close attention to this change, which began with the retirement of version 3.2.1 on March 31, 2024. Ignoring these looming changes—or simply downplaying their impacts—could lead to much higher costs than most organizations can pay.
Understanding PCI DSS 4.0
Let’s start with the origins of PCI DSS. In 2004, major payment companies – including Visa, MasterCard, American Express, Discover, and JCB – helped create the standard to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. These same companies continue to enforce PCI DSS to this day and can levy fines of up to $500,000 per incident for security breaches when payment providers are not compliant. Additionally, non-compliant organizations may face increased transaction fees or rates.
PCI DSS's goal was to create better controls for cardholder data and reduce credit fraud. The original version required companies to install and maintain firewall configurations to protect cardholder data and change default passwords. Providers were also tasked with updating their systems and managing vulnerabilities, maintaining strong access control measures, regularly monitoring and testing networks, etc.
March 31, 2024, marked the retirement of PCI DSS v3.2.1, and the introduction of PCI DSS 4.0 looms large. This new version brings with it a staggering 64 new requirements, all designed to protect against emerging threats, promote continuous security, and offer more flexibility in security methodologies. The urgency of preparing for these changes cannot be overstated.
Why is 4.0 Necessary?
You may wonder if a new PCI DSS version is necessary, considering the previous version was already comprehensive. The short answer is “yes” for several reasons. The standard has had to evolve over time to address new security challenges and emerging threats, and new threats are coming harder and faster than ever in 2024.
Cyber threats have become more sophisticated, with attackers employing advanced techniques to exploit vulnerabilities in payment systems, including malware, phishing, and advanced persistent threats (APTs) aimed at cardholder data. Phishing remains one of the most common and dangerous threats to payment systems: it targets individuals through email or other contact channels, tricks them into sharing sensitive data or passwords, and then uses those real credentials against the payment system.
There has also been a rise in credential stuffing, which is a type of cyber-attack in which attackers use stolen account credentials (usernames and passwords) from one breach to attempt to log into accounts across various other services. This method relies on the tendency of many users to reuse their login credentials. Attackers can now use automated bots to perform these attacks at scale, testing thousands or even millions of credential pairs. Moreover, AI has made it easier and faster for malicious actors to orchestrate complex scams and fraud, so the current threat landscape requires improved protections for consumer payments.
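The credential-stuffing pattern described above has a recognizable signature in authentication logs: one source tries many different usernames in a short time, most attempts fail, and the occasional success marks an account whose reused password was in the stolen set. The following detector is an added example, not code from the original article; the log line format, the thresholds, and the sample events are constructed assumptions for illustration.

```python
"""Added example: flag credential-stuffing activity in login logs.

Assumed log format (constructed): "<ISO timestamp> <client IP> <username> <SUCCESS|FAIL>".
Thresholds are illustrative assumptions, not values from PCI DSS.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumed sliding-window length
MIN_DISTINCT_USERS = 5           # assumed: distinct accounts tried from one IP
MIN_FAIL_RATIO = 0.8             # assumed: share of attempts in the window that failed

# Constructed sample events. 203.0.113.7 walks a stolen credential list across
# seven accounts; 198.51.100.9 is one user mistyping their own password; the
# last line is an unrelated normal login.
SAMPLE_LOG = """\
2024-06-01T10:00:01 203.0.113.7 alice FAIL
2024-06-01T10:00:02 203.0.113.7 bob FAIL
2024-06-01T10:00:03 203.0.113.7 carol FAIL
2024-06-01T10:00:04 203.0.113.7 dave SUCCESS
2024-06-01T10:00:05 203.0.113.7 erin FAIL
2024-06-01T10:00:06 203.0.113.7 frank FAIL
2024-06-01T10:00:07 203.0.113.7 grace FAIL
2024-06-01T10:05:00 198.51.100.9 alice FAIL
2024-06-01T10:05:10 198.51.100.9 alice FAIL
2024-06-01T10:05:20 198.51.100.9 alice FAIL
2024-06-01T10:05:30 198.51.100.9 alice SUCCESS
2024-06-01T11:00:00 192.0.2.44 bob SUCCESS
"""


def parse_log(text):
    """Parse log text into (timestamp, ip, username, succeeded) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome == "SUCCESS"))
    events.sort(key=lambda e: e[0])
    return events


def detect_credential_stuffing(events, window=WINDOW,
                               min_users=MIN_DISTINCT_USERS,
                               min_fail_ratio=MIN_FAIL_RATIO):
    """Return {ip: summary} for source IPs whose activity in some `window`
    shows many distinct usernames with a high failure ratio.

    The summary reports the widest matching window seen for that IP and lists
    the accounts that logged in successfully inside it, since those are the
    accounts a defender should treat as compromised (force re-authentication,
    reset the password, notify the owner).
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            in_window = attempts[start:end + 1]
            users = {u for _, u, _ in in_window}
            failures = sum(1 for _, _, ok in in_window if not ok)
            total = len(in_window)
            if len(users) >= min_users and failures / total >= min_fail_ratio:
                if ip not in findings or len(users) > findings[ip]["distinct_users"]:
                    findings[ip] = {
                        "distinct_users": len(users),
                        "failures": failures,
                        "attempts": total,
                        "succeeded": sorted(u for _, u, ok in in_window if ok),
                    }
    return findings


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The single-user source with several failures is deliberately not flagged: repeated failures on one account are a brute-force or typo pattern, and the distinguishing feature of stuffing is the spread across accounts. In production, the source key would usually be the client IP plus device fingerprint or ASN, since stuffing bots rotate through proxies, and a positive finding should feed the MFA and rate-limiting controls discussed later in the article rather than only an alert.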
Preparing for Compliance Early
So, what does 4.0 mean for companies? I like to say that compliance is less about checking specific boxes and a lot more about creating a strategic framework. In particular, the transition to PCI DSS 4.0 is meant to be a comprehensive shift in security ideology. The goal is to allow payment card companies to find the best ways to protect themselves and give them more freedom to do so while also ensuring that consumers’ payment data stays secure.
Compliance with any new standard takes a lot of effort, and in the case of complying with 64 new requirements, you’ll need a whole new security framework and new policies. Considering that failing to comply can cost your company up to $500,000 for each security incident – not to mention the severe damage to your reputation – your priorities should be understanding the changes to the standard, assessing your current level of compliance, and bridging the distance between those two.
There are several ways you can start to prepare early. For example, if you have not already implemented multi-factor authentication (MFA), now is the time to do it across all accounts. Beyond merely asking for a username and password, MFA requires additional verification factors, like a one-time PIN sent to your email or phone, significantly reducing the likelihood of successful cyberattacks. According to Microsoft, phishing-resistant MFA could prevent over 99% of attacks.
Another measure you can take right now is to implement regular testing of your security measures, antivirus software, and cyber protection frameworks. A definitive survey on PCI DSS compliance conducted in 2020 showed that regular testing was the least enforced aspect of PCI compliance. However, failing to test adequately puts your company and consumer payment data at risk.
The third major thing you can do to speed up compliance is to document all the changes you make to comply with 4.0 over the next year. According to the PCI DSS Quick Reference Guide (v4.0), “Because entities develop their own security controls, the Customized Approach requires substantial preplanning and [advanced] documentation.” In other words, because 4.0 gives companies more freedom to determine their compliance methods, you’ll need to document more thoroughly to prove your methods are adequate.
Fourth, make ongoing compliance a priority. Consider the new PCI DSS standard an opportunity to update your compliance rather than an annoying chore. Many payment providers initially comply with PCI DSS for an audit, but they have become more lax in protecting payment card data over the years, resulting in major breaches and non-compliance lawsuits.
Of course, the standard is complicated, and there are many other ways you can work on preparing yourself for compliance. But if you start with the basics, you’ll be well on your way long before the year ends.
Final Thoughts
The path to PCI DSS 4.0 compliance isn’t going to be easy. You’ll need a nuanced understanding of the new requirements and a strategic approach to implementation. You already have guidelines for compliance, so don’t wait until early next year to protect payment data and reduce breaches. The stakes are too high.
Bruce Edwards is the Senior Manager at PCI Assurance. He is a seasoned professional with 14 years of experience and holds both CISA and CISM certifications. His experience spans various sectors, including penetration testing, PCI QSA, ASV, and Cloud Security. As a security director, Bruce led PCI DSS assessments for Fortune 500 companies in the FinTech and healthcare sectors, both in the U.S. and worldwide.
At Thoropass, Bruce continues his focus on PCI DSS compliance, guiding customers through the certification processes across all levels and assisting with readiness activities for PCI’s 12 requirements. Bruce plays an essential role in translating client needs and evolving regulatory standards into new product features and service requirements to ensure a world-class experience for our customers.