With the deadline for adopting PCI DSS 4.0 approaching, merchants are increasingly concerned about meeting the new Payment Card Industry (PCI) security standards. Failure to comply within a year could result in penalties ranging from $5,000 to $100,000 or more.
A recent Ecommerce Times article featured findings from a report on PCI DSS 4.0 readiness by Bluefin, revealing that 94% of ecommerce industry respondents are significantly concerned about payment data security. Only 21% are very confident in their ability to protect customer data, while a shocking 98% reported experiencing at least one data breach in the past 24 months, with 50% saying it significantly disrupted their business.
The new standards require a significant security upgrade, with two key dates for merchant compliance. On March 31, 2024, v3.2.1 will be retired, and v4.0 will be the only active version. As of March 31, 2025, the best practices listed within v4.0 will become requirements.
The evolving payments landscape gives cybercriminals opportunities to exploit vulnerabilities and capture critical customer data. Adopting PCI DSS 4.0 before the March deadline is therefore urgent, according to Brent Johnson, CISO at Bluefin.
“In this environment, it is not a matter of if an organization will experience attempts at being breached. It is a matter of when. Businesses must ensure compliance with new PCI DSS 4.0 standards as part of a holistic approach to protecting customer data, and our new report serves as a guide for organizations as they look to meet these requirements ahead of the looming March 2025 deadline.”
While missing the deadline carries no legal implications, organizations that are not compliant can face serious fines. PCI compliance also helps reduce fraud and is in the overall best interest of merchants and consumers.
Bluefin stresses that implementing payment tokenization and PCI-validated point-to-point encryption (P2PE) are vital to meeting new PCI DSS 4.0 requirements and protecting customers’ sensitive payment data. In fact, implementing P2PE can reduce a company’s PCI compliance scope by over 70%.