90% of Organizations Concerned With Meeting PCI DSS 4.0 Timeline, Bluefin Survey Finds
Payment data security concerns remain widespread as organizations undertake significant lift to meet PCI DSS 4.0 deadline
ATLANTA – September 12, 2023 – Bluefin, the recognized leader in PCI-validated encryption and tokenization technologies that protect payments and sensitive data, unveiled the findings of a new data report it commissioned with S&P Global Market Intelligence, “The State of Enterprise Readiness for PCI DSS 4.0,” which offers insight into the current state of payment data security and establishes a baseline for PCI DSS 4.0 readiness.
The overwhelming majority of survey respondents (94%) said they have significant or very significant concerns pertaining to payment data security. Additionally, only 21% indicate that they are very confident in their ability to protect customer data. As a result, breaches of financial data have become all too common – 98% of respondents indicate their organization experienced at least one data breach over the past 24 months and 50% have experienced a breach that created a significant disruption to business operations.
While the majority of organizations (58%) place high importance on securing customer data, it’s evident that the challenges to do so remain persistent. Organizations have turned to the Payment Card Industry Data Security Standards (PCI DSS) for guidance in combating payment data threats for nearly two decades and should continue to do so with the latest requirements in PCI DSS 4.0, which organizations must adapt to before the March 2025 deadline. Bluefin’s survey revealed the following key findings when it comes to enterprise readiness for new PCI DSS 4.0 requirements:
- PCI DSS 4.0 necessitates a significant lift, and meeting the deadline is a growing concern. 93% of respondents indicate the changes required are significant. Further, 90% are concerned with meeting the PCI DSS 4.0 timeline with 64% saying they would be likely or very likely to accept a timeline extension.
- PCI DSS 4.0 education and execution remains concerningly low. Fewer than a third (31%) of payment data security professionals have a strong understanding of all requirements associated with PCI DSS 4.0 and nearly half (49%) indicate their organizations have yet to begin executing on PCI DSS 4.0 changes.
- Despite the challenges, enterprises overwhelmingly view PCI DSS 4.0 in a positive light. More than 4 in 5 (81%) respondents agree or strongly agree that PCI DSS 4.0 is fair, necessary and for the better of the industry and consumers.
“As payments stacks continue to evolve alongside customer needs and expectations, cybercriminals view this as a key opportunity to exploit emerging points of vulnerability and capture critical customer data,” said Brent Johnson, CISO at Bluefin. “In this environment, it’s not a matter of if an organization will experience attempts at being breached – it’s a matter of when. Businesses must ensure compliance with new PCI DSS 4.0 standards as part of a holistic approach to protecting customer data, and our new report serves as a guide for organizations as they look to meet these requirements ahead of the looming March 2025 deadline.”
The report also found that there is a strong acknowledgement of the critical role of partners to support PCI DSS 4.0 readiness, with 86% percent of respondents indicating their organization will solely or mostly rely on third-party vendors for PCI DSS 4.0 in some capacity. Respondents place the highest prioritization on payment data security vendors that have an intimate knowledge of regulatory environments and PCI DSS compliance parameters, including expertise pertaining to the 4.0 updates.
“While PCI DSS 4.0 presents an array of operational and resource hurdles for enterprises to overcome, those that approach it with a strategic mindset will differentiate themselves and ultimately deliver a superior customer experience,” said Jordan McKee, fintech research director at S&P Global Market Intelligence. “Developing an internal strategy, including the implementation of payment data security technologies like PCI-validated P2PE and tokenization, alongside working with trusted partners will be crucial for organizations to fully understand and address the required changes.”
The State of Enterprise Readiness for PCI DSS 4.0 is based on a survey conducted in Q2 2023 of 250 North American PCI DSS decision-makers/influencers at enterprises across nearly a dozen industry verticals. To learn more about the report and download a full copy, please visit this page.