98% of organizations have reported at least one data breach in the past two years, and 94% have very significant concerns about payment data security, according to recent survey research. The Payment Card Industry Data Security Standard (PCI DSS) exists to shield the payments ecosystem from vulnerabilities introduced by new technology and lax data governance. It lays out the requirements that any organization storing, processing or transmitting cardholder data must meet to manage and protect that data, reducing the attack surface available to bad actors.
But the version most organizations are still assessed against is dated. The first standard, PCI DSS 1.0, was published in 2004; the 3.x line began with 3.0 in 2013 and ended with 3.2.1 in 2018. Since then, the payments landscape has grown considerably in volume, stakeholders and payment methods. PCI DSS 3.2.1 retires on 31 March 2024, after which version 4.0 (published in March 2022) is the only active version, and its future-dated requirements become mandatory on 31 March 2025. Unlike earlier revisions, this version demands significant technical change from players in the industry.
Snapshot: What PCI DSS 4.0 is changing
- Cracking down on phishing: PCI DSS 4.0 requires organizations in the payment ecosystem to have mechanisms in place that detect and protect personnel against phishing attacks (Requirement 5.4.1), which in practice means automated email security controls that identify and block phishing messages. The security awareness program, which earlier versions already required, must now cover phishing and social engineering and be reviewed and updated at least once every 12 months (Requirement 12.6).
- Securing the e-commerce environment: To counter theft of cardholder data by malicious code injected into the checkout page, PCI DSS 4.0 requires that every script loaded on a payment page be inventoried, authorized and integrity-protected (Requirement 6.4.3), and that a change- and tamper-detection mechanism be run against the payment pages consumers receive at least weekly (Requirement 11.6.1). Third-party and first-party scripts alike fall under this.
- Level up the tech: Multi-factor authentication is now required for all access into the cardholder data environment, not only for remote access as under 3.2.1 (Requirement 8.4.2). The standard also demands that access be limited to the fewest people necessary (least privilege, need to know) and that organizations deploy detection mechanisms that identify changes to payment processing systems.
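The second item above is the one with a concrete technical shape, so here is an added example of it, written for this article and not taken from the PCI SSC or from any vendor named here. The Python script below snapshots the authorized set of scripts from a reviewed copy of a checkout page (the inventory Requirement 6.4.3 asks for) and diffs a later fetch of the page against it (the at-least-weekly check of Requirement 11.6.1), reporting new or altered scripts, scripts that disappeared, and external scripts loaded without a Subresource Integrity attribute. The two HTML pages, the hostnames and the integrity value are constructed for the example; fetching the live page and raising an alert are left to the reader's own tooling.

```python
"""Payment-page script inventory and change detection.

Example code added to illustrate PCI DSS 4.0 Requirements 6.4.3 (authorized
inventory of payment-page scripts) and 11.6.1 (weekly change/tamper detection).
Not a tool from the PCI SSC or any vendor; sample pages below are constructed.
"""
import hashlib
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Record every <script> element: external ones by src, inline ones by body."""

    def __init__(self):
        super().__init__()
        self.scripts = []    # {"src": str|None, "integrity": str|None, "body": str}
        self._attrs = None   # attributes of the <script> currently being read
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._attrs = dict(attrs)
            self._buf = []

    def handle_data(self, data):
        if self._attrs is not None:     # HTMLParser hands script bodies over raw
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._attrs is not None:
            self.scripts.append({"src": self._attrs.get("src"),
                                 "integrity": self._attrs.get("integrity"),
                                 "body": "".join(self._buf)})
            self._attrs = None


def inventory(html):
    """Return the scripts found on a page, in document order."""
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    return p.scripts


def inline_key(body):
    """Identity of an inline script: SHA-256 of its body, ignoring edge whitespace."""
    return hashlib.sha256(body.strip().encode("utf-8")).hexdigest()


def script_key(script):
    """External scripts are identified by URL, inline scripts by content hash.

    A URL alone says nothing about the bytes a CDN serves under it, which is
    why check_page() also flags external scripts that carry no integrity=...
    (Subresource Integrity) attribute.
    """
    if script["src"]:
        return ("src", script["src"])
    return ("inline", inline_key(script["body"]))


def build_baseline(approved_html):
    """Snapshot the authorized script set from a reviewed copy of the page."""
    return {script_key(s) for s in inventory(approved_html)}


def check_page(current_html, baseline):
    """Diff a freshly fetched page against the authorized baseline.

    unauthorized: scripts present now that were never authorized (a new URL, or
                  an inline script whose content changed and so hashes differently)
    missing:      authorized scripts no longer present (a changed inline script
                  also appears here under its old hash)
    external_without_sri: external scripts the browser loads without an
                  integrity check (SRI needs a same-origin or CORS-enabled host)
    """
    scripts = inventory(current_html)
    current = {script_key(s) for s in scripts}
    return {
        "unauthorized": sorted(current - baseline),
        "missing": sorted(baseline - current),
        "external_without_sri": sorted(s["src"] for s in scripts
                                       if s["src"] and not s["integrity"]),
    }


# Constructed sample pages. The integrity value is a placeholder, not a real digest.
APPROVED_PAGE = """<html><body>
<form id="checkout"><input name="pan" autocomplete="off"></form>
<script src="https://js.example-psp.test/checkout.js"
        integrity="sha384-PLACEHOLDERDIGEST" crossorigin="anonymous"></script>
<script>window.checkoutConfig = {"currency": "USD"};</script>
</body></html>"""

# The same page fetched a week later: the inline config gained a statement and a
# script from a host nobody authorized now loads on the checkout page.
CURRENT_PAGE = """<html><body>
<form id="checkout"><input name="pan" autocomplete="off"></form>
<script src="https://js.example-psp.test/checkout.js"
        integrity="sha384-PLACEHOLDERDIGEST" crossorigin="anonymous"></script>
<script>window.checkoutConfig = {"currency": "USD"}; loadHelper("/static/h.js");</script>
<script src="https://static.example-cdn.test/analytics.js"></script>
</body></html>"""

if __name__ == "__main__":
    baseline = build_baseline(APPROVED_PAGE)
    for kind, items in check_page(CURRENT_PAGE, baseline).items():
        for item in items:
            print(f"{kind}: {item}")
```

The baseline should be captured from the page as it was at the time of the authorization review and stored outside the web tier, so that whoever can alter the page cannot also alter what it is compared against. In production the same comparison would run against the HTML actually delivered to a consumer's browser, since scripts injected by a compromised tag manager or CDN never appear in the site's own source tree.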
This is only a snapshot: the standard has 12 principal requirements and roughly 300 detailed sub-requirements. A small number of the new ones apply as soon as 4.0 becomes the only active version in March 2024; the rest are future-dated, treated as best practice until March 2025, when they become mandatory.
The compliance clock is ticking
PCI DSS 4.0 touches every payment channel. Companies expect card-not-present transactions, e-commerce above all, to be the most affected, but nearly every touchpoint within the payments process will see changes.
As March 2024 draws closer, firms within the industry feel the pressure of meeting the requirements set out by PCI DSS 4.0, and many say an extension would help. Among the biggest challenges they cite are developing new methods to counter cyber attacks, performing the targeted risk analyses the standard now calls for, and updating logistical and operational processes for compliance.
Meanwhile, understanding of the changes remains low: only a third of payment data security professionals report a strong understanding of what PCI DSS 4.0 demands. In this environment companies are likely to lean even more heavily on third-party providers that specialize in payment data security, such as Bluefin, Fiserv, and Paysafe.