Less Than a Year Out from the PCI DSS 4.0 Deadline, Where Do We Stand?

What’s Behind the Shift in the Payment Security Standards

The payment security landscape is constantly evolving, with governing bodies continually updating their guidance to keep pace with cybercriminal activity. The financial services industry is particularly vulnerable to cyberattacks, experiencing the highest volume (36%) of account takeover (ATO) attacks, given the incentive of payment credentials behind user accounts. While this industry is a lucrative target for attacks, any organization that handles payments faces similar threats. As cyberattacks increase in sophistication and e-commerce and digital transactions continue to rise, there’s a clear business imperative to protect customer data that transcends compliance.

The upcoming deadline for the Payment Card Industry Data Security Standard (PCI DSS) 4.0 presents organizations with a valuable opportunity to strengthen their overall security posture and demonstrate their dedication to protecting customer data. However, this new standard demands considerably more effort than PCI DSS 3.2 (retired as of March 31, 2024). So, what do organizations need to know about the new requirements?

Key Changes and Enhancements in PCI DSS 4.0

PCI DSS is a set of security standards that aims to secure credit and debit card transactions against data theft and fraud. It has been updated several times over the years, introducing new requirements to address the current state of the industry and growing threats.

Released in March 2022, PCI DSS 4.0 was a significant update, introducing 64 new requirements aimed at tackling key architectural, control, and design risks associated with payment card processing. As digitalization and innovation in payments continue to evolve, the goal of PCI DSS 4.0 is to mitigate emerging threats, improve clarity, and holistically enhance security for any organization touching cardholder data.

Organizations have until March 31, 2025, to comply with new requirements in the standard’s final stage of implementation. With the deadline looming, here are six key factors you should consider to ensure compliance:

Customized implementation: Organizations can select the most effective methods and technologies to meet their security objectives, provided they can demonstrate and document their effectiveness. This change acknowledges the importance of embracing new technologies and innovative approaches to compliance – while keeping in mind your organization’s unique needs.
Security and compliance as a continuous process: Routinely monitor and evaluate your security posture, including threats to your supply chain. Consistent compliance means businesses must assess and document their security measures not just annually but on a regular basis.
Comprehensive tech assessment: Conduct audits that identify all system components and APIs in your tech inventory. This assists in managing vulnerability concerns with processing, transmitting, and storing cardholder data for holistic protection.
Advanced fraud detection: Implement advanced and diverse techniques to detect and prevent fraud, including the use of tokenization, point-to-point encryption, and biometrics. Furthermore, organizations should take a proactive approach by utilizing sophisticated tools such as bot detection and firewalls that automatically block suspicious activities.
Strong authentication and encryption: Adopt more robust and secure methods for verifying the identities of users, devices, and systems while also ensuring the confidentiality and integrity of cardholder data, both in transit and at rest.
Secure system components: All components involved in processing or storing cardholder data fall within the scope of PCI DSS. Organizations must apply security to the entirety of the attack surface of system components.

The Importance of Application Security

As organizations increasingly rely on web applications and third-party code, ensuring robust application security is essential to protect sensitive customer data. Application security threats, such as client-side attacks, are often overlooked as organizations prioritize speed and productivity during development, leading to costly data breaches and heightened non-compliance risks.

PCI DSS 4.0 introduces several new requirements to address growing application security threats. PCI DSS 4.0.1, a limited revision to the standard published in June, provides further clarification on requirements for payment pages, forms, and script management. Organizations should pay particular attention to the following requirements to ensure they’re prepared for compliance:

Requirement 6.4.2: An automated technical solution must be deployed to continually detect and prevent web-based attacks for public-facing web applications. To do so, a web application firewall (WAF) should be implemented that continuously analyzes inbound traffic with automatic policy generation, behavioral analysis, and a low false positive rate.
Requirement 6.4.3: Payment page scripts loaded and executed in the consumer’s browser must be managed to ensure they are authorized and their integrity is maintained, with an inventory and written justification for each script. To protect against client-side attacks, technical controls like digital signatures and version control should be applied. Script management should also be employed to ensure that only authorized scripts are permitted to execute while unauthorized scripts are blocked. PCI DSS 4.0.1 clarifies that merchants are responsible only for scripts on their own web pages, not those in iframes from payment service providers (PSPs) or third-party service providers (TPSPs), who manage their own iframe scripts. However, organizations embedding a PSP or TPSP’s payment page or form should expect them to provide evidence of PCI DSS compliance. Organizations are also advised to use content-security-policy (CSP) headers with the frame-src directive to validate and restrict iframe sources.
Requirement 11.6.1: A change-and-tamper-detection mechanism must be deployed that alerts personnel to unauthorized modifications to the security-impacting HTTP headers and the script contents of payment pages as received by the consumer browser. A client-side protection solution should be implemented to provide page integrity monitoring that alerts security teams of unauthorized modifications, indicators of compromise, page changes, additions, and deletions. PCI DSS 4.0.1 refines this requirement by focusing specifically on security-impacting HTTP headers and script content, reducing noise from routine website updates, and aligning with the original intention of monitoring critical security changes.

Beyond Compliance, What’s Next?

Recent headlines have been inundated with reports of data breaches exposing sensitive customer information—events that can have dire consequences for businesses. Over the past 12 months, 26% of consumers have abandoned a brand or service due to concerns about how their data was handled. Non-compliance with PCI DSS 4.0 can exacerbate these issues, leading to severe financial repercussions with monthly fines ranging from $5,000 to $100,000, depending on the degree and period of non-compliance.

Rather than viewing PCI DSS 4.0 compliance as a cumbersome checklist, businesses and security leaders should see it as an opportunity to bolster their overall security posture. These requirements will go into effect on April 1, 2025. With the deadline fast approaching, businesses must carefully organize their compliance strategy, including budgeting, planning, implementation, testing, and validating solutions. Although time is running out, organizations can still integrate these security practices into their operations. By adopting the standards within PCI DSS 4.0 as best practices, organizations can ease the burden of compliance while empowering their security teams to maintain a robust security posture and reinforce customer trust.

Given the growing reliance on web applications and third-party code, application security is more critical than ever. PCI DSS 4.0 emphasizes the importance of addressing these vulnerabilities by introducing new requirements for web-based attacks, script management, and change detection. For businesses that haven’t started yet, strategic planning must begin now to ensure a smooth path to compliance and safeguard sensitive data against increasingly sophisticated threats.