Payment data security requirements are set to change and organizations aren’t ready

  • Requirements concerning payment data security are set to change in 2024.
  • But companies in the payments ecosystem are not prepared to handle the overhaul these new mandates require.


98% of organizations have reported at least one data breach in the past two years, and 94% of organizations have very significant concerns about payment data security, according to new research. The Payment Card Industry Data Security Standards (PCI DSS) are meant to shield the payments ecosystem from vulnerabilities created by advances in technology and lax data governance. PCI DSS provides guidelines and requirements that delineate how payment partners should manage and govern their payment data and reduce the attack surface that bad actors can exploit.

But the current version of PCI DSS is a bit outdated. The first set of PCI DSS standards was introduced in 2004, and its current iteration, PCI DSS 3.0, was issued in 2013. Since then, the payments landscape has evolved considerably and grown in terms of volume, stakeholders, and modes of payment. PCI DSS 3.0 is set to retire in early 2024, and version 4 will come into effect the same year. But unlike PCI DSS of days past, this new version demands significant technical change and advancement from players in the industry.

Snapshot: What PCI DSS 4.0 is changing

  • Cracking down on phishing: PCI DSS 4.0 requires companies in the payment ecosystem to implement automated email security software that can locate and block phishing emails. It also turns raising security awareness from a best practice into a requirement, asking companies to review and update their programs at least once every 12 months.
  • Securing the e-commerce environment: To cut down on attempts to steal consumer data during a transaction using malicious code, PCI DSS 4.0 requires companies to conduct weekly checks to ensure that there are no third-party scripts containing malicious code in their software.
  • Level up the tech: To ensure compliance, companies must now provide multi-factor authentication for all access to credit card data. Previously this requirement was limited to remote access only. It also demands that organizations limit access to the smallest number of people necessary and employ detection mechanisms that identify any changes to the payment processing systems.

This is only a snapshot – the new regulation has 12 requirements and 300 sub-requirements, some of which will go into effect in March 2024 and the rest in March 2025. 

The compliance clock is ticking

PCI DSS 4.0 will impact every payment channel, and companies expect card-not-present transactions to be the most affected. But nearly every touchpoint within the payments process is going to be affected. 

Bar chart showing perceived impact of PCI DSS compliance frameworks on different payment touchpoints. Online web/online payments are expected to be the most impacted.

As March 2024 draws closer, firms within the industry feel the pressure of meeting the requirements put forth by PCI DSS 4.0, with many saying that an extension would be helpful. Among the biggest challenges are developing new methodologies to counteract cyber attacks, performing risk analysis, and updating logistical and operational processes for compliance.

Horizontal bar graph showing the perceived challenge of different PCI DSS 4.0 requirements. Developing cybersecurity methods, conducting targeted risk analysis and updating logical access controls are perceived to be the most challenging.

Meanwhile, understanding of these changes remains low, with only a third of payment data security professionals indicating a strong understanding of the changes demanded by PCI DSS 4.0. In this environment, it is likely that companies will depend even more heavily on assistance from third-party organizations, such as Bluefin, Fiserv, and Paysafe, that specialize in payment data security.
