For many enterprises, implementing PCI DSS 4.0 may seem like a daunting task. Many organizations admit they lack the knowledge and resources, but despite the perceived challenges v4.0 presents, most organizations view PCI DSS 4.0 in a positive light. Bluefin’s report on The State of Enterprise Readiness for PCI DSS 4.0 found that four in five respondents (80%) agree or strongly agree that PCI DSS 4.0 is fair, necessary and for the betterment of the industry and consumers. Respondents also agreed that v4.0 is an opportunity to differentiate from competitors and generate revenue.
Partnerships will play a critical role in PCI DSS 4.0
To get to the finish line with PCI DSS 4.0, respondents within the report say they will look to partner with trusted advisors, with 86% indicating that their organization will solely or mostly rely on third-party vendors in some capacity. This high percentage reveals that trusted partners are needed to clarify any complexity and provide supporting technology. It also illustrates the information gap that exists for many enterprises.
A small cohort of organizations who say they strongly understand PCI DSS 4.0 provides some useful direction about what enterprises should prioritize, citing PCI-validated point-to-point encryption and tokenization as important tools for protecting sensitive data. These organizations report being furthest along in the PCI DSS 4.0 maturity journey, with the majority (55%) currently executing or already having executed the necessary changes.
“Thirty-six percent of those who strongly understand PCI DSS cite PCI-validated point-to-point encryption (P2PE) as important to protecting customer data, compared to 26% of those with weak understanding, underscoring an emphasis on purpose-built and battle-tested security technology. Similarly, 37% with strong understanding cite payment tokenization (compared to 28% of those with weak understanding) and 31% cite network/EMV tokenization (compared to 23% with weak understanding), illustrating an appetite to reduce the storage of sensitive payment data.” (The State of Enterprise Readiness for PCI DSS 4.0, page 9)
Best Advice for PCI DSS 4.0 – Don’t Wait
Regardless of how much organizations will need to rely on trusted partners, there is one common question most are asking the experts: what is your best advice for organizations when it comes to implementing v4.0? Merchant Risk Council’s recent article on PCI DSS 4.0, featuring industry expert Dan Fritsche, gets straight to the point: don’t wait.
“Don’t take the ’Let’s take a risk and wait’ approach. I have seen countless organizations wait until the last minute to address implementation. This ends up costing more money in multiple ways. You could pay more for an assessment, put your organization at risk, or lose business by putting it off. If you start now, you can identify which requirements will demand change in a way that’s not disruptive to your existing business. In the long run, you’ll save time and money by picking the right tools instead of trying to figure it out at the last minute and with expensive solutions that may not even be effective.” – Dan Fritsche
Fritsche suggests that organizations take v4.0 as an opportunity to pivot compliance away from being perceived as a cost center and make it a measurable benefit: tying security into the organization’s risk posture and leveraging the required changes to do positive, impactful things that can yield a return on investment.
Bluefin, a participating organization (PO) of the PCI Security Standards Council, safeguards sensitive data from attacks every time your business gets paid. We specialize in PCI-validated point-to-point encryption (P2PE) and tokenization solutions that devalue sensitive data on intake, in transit and in storage.