For nearly two decades, enterprises and their payments partners have turned to the Payment Card Industry Data Security Standards (PCI DSS) for guidelines on how to mitigate payment data risks. These guidelines have evolved with the industry, introducing new requirements to help businesses ward off emerging payment data threats. The latest iteration (PCI DSS 4.0) introduces significant changes that enterprises must adapt.
Is your enterprise ready for PCI DSS 4.0? With many requirements due March 2024 and the remaining ones by March 2025, it is a question that organizations and payment professionals need to ask.
Understanding the Challenges of PCI DSS 4.0
A new S&P Global Market Intelligence study commissioned by Bluefin – The State of Enterprise Readiness for PCI DSS 4.0 – looked for insights. Surveying over 250 payment data security professionals at enterprises across nearly a dozen industry verticals, the study prioritized respondents with intimate knowledge of PCI DSS compliance, guidelines, and requirements. The results provide a view into the current state of payment data security and establishes a baseline for PCI DSS 4.0 readiness.
What is PCI DSS 4.0?
As the report states, “PCI DSS is a set of standards established by the PCI Security Standards Council (SSC) for payment service providers and merchants to protect customer payment data. The PCI SSC formed the first set of standards in 2004, and it put forth the current iteration, PCI DSS 3.0, 10 years ago. While there have been various adjustments to requirements in 3.0, they are smaller and more short-term-focused compared to the overhaul that 4.0 will require. The standards are not required by law or regulatory mandate but self-governed and imposed by the global card networks on merchants, payment processors, service providers and others in the payments ecosystem.”
Merchant Risk Council’s recent article featuring industry expert Dan Fritsche explains that “4.0 has over 50 new requirements, with 13 effective as 4.0 is rolled out, meaning everyone will need to meet those by March 31, 2024 if not sooner. The remaining requirements are listed as best practices and will become requirements as of March 31, 2025, allowing flexibility for an organization to figure out what makes sense for them to implement in what order based on their specific organizational risks.”
The several enhancements and amendments in the newest version will include the following:
- Increased security, expanded multi-factor authentication, updated password specifications and updated requirements to address phishing and security breaches.
- New requirements that support payment technology innovation and flexibility to allow different methodologies to achieve security goals. Organizations can use a defined or custom approach to meet requirements.
- Updated guidance on implementing security controls and updated specifications on roles and responsibilities for each updated requirement.
- Inclusion of detailed verification and reporting options to enhance verification methods and procedures.
The best resource for navigating all requirements, Fritsche notes, is the PCI SSC website, which includes a PCI DSS 4.0 Resource Hub.
How do Enterprises feel about PCI DSS 4.0?
Enterprises are under pressure to deliver payment experiences that let their customers transact wherever and however they prefer. Diversification of payment channels and methods is expanding the attack surface, attracting growing attention from hackers and fraudsters. This has put payment and risk professionals on high alert.
The S&P Global report shows that payment data security concerns are widespread and significant, with 94% of respondents having significant or very significant concerns pertaining to payment data security, and only 21% saying they are very confident in their ability to protect customer data today.
The new list of requirements brought on by PCI DSS 4.0 are designed to combat emerging threats and to ensure the protection of sensitive customer financial data from cyberattacks. The report ranked these requirements by the perceived challenge of implementation, with developing cybersecurity methods for threats topping the list.
The time and resources it will take to complete the requirements is not lost on enterprises.
“PCI DSS 4.0 necessitates a significant lift, and meeting the deadline is a growing concern. Ninety-three percent of respondents indicate the changes required by PCI DSS 4.0 are significant. Further, 90% are concerned about meeting the timeline, and 64% say they would be likely or very likely to accept a timeline extension.” – page 6.
Some Good News
While PCI DSS 4.0 presents an array of operational and resource hurdles for enterprises, there are clear benefits for the enterprise industry. Those that approach it with a strategic mindset stand to differentiate themselves in the marketplace and deliver a superior customer experience.
Download Bluefin’s report and stay tuned for part 2 of this blog series, The Roadmap to Adopting PCI DSS 4.0 Compliance.