By Tim Ayling, VP Cyber Solutions Specialists at Imperva, a Thales company
The banking and financial services industry is a highly regulated one – but with good reason. Although Thales’ recent Digital Trust Index found banking and financial services to be the most trusted industry for handling customer data, organisations cannot become complacent when it comes to data protection and cybersecurity.
The Payment Card Industry Data Security Standard (PCI DSS) exists for this very reason. It stands as a global benchmark, ensuring nearly every company handling credit card information maintains a secure and compliant environment. The standard equips organisations with a framework to secure payment card systems and to protect sensitive cardholder data from theft.
PCI DSS has been revised several times over the years, with each revision introducing new requirements. PCI DSS 4.0, published on March 31, 2022, introduced 64 new requirements to address critical architectural, control, and design risks organisations encounter when accepting and processing payment card transactions. With the final stage taking effect next year, organisations have until March 31, 2025 to comply with these new requirements – the countdown is on.
On this basis, here are six significant changes that organisations should know about ahead of PCI DSS 4.0:
- Customised implementation: Organisations have the power to choose the most suitable methods and technologies to meet their security goals, so long as they can prove and document their effectiveness. This flexibility allows organisations to adopt innovative compliance strategies, provided they can demonstrate that the chosen controls meet the requirement's objective.
- Security as a continuous process: Firms need to continuously monitor and evaluate their security posture, including that of their supply chain, on an ongoing basis. Organisations must also undertake validation activities at least annually or in response to significant changes.
- Strong authentication and encryption: Organisations must employ stronger and more secure methods to verify the identity of users, devices, and systems, while ensuring the confidentiality and integrity of cardholder data, whether in transit or at rest.
- Secure system components: PCI DSS encompasses all system components involved in capturing, processing, or storing cardholder data, ensuring holistic, comprehensive protection.
- Advanced and diverse payment fraud detection: Organisations are responsible for employing more sophisticated and varied techniques for detecting and preventing fraud, such as tokenisation, point-to-point encryption, and biometrics.
- Continual compliance: Organisations are obligated to assess their security posture and document their control effectiveness on a continual basis, not just annually.
Compliance with PCI DSS 4.0 involves three stages over two years. The first stage, in effect since 2022, included 13 new requirements that organisations must meet. Stage 2 went into effect on March 31, upon the retirement of PCI DSS version 3.2.1. The third and final stage, starting on April 1, 2025, requires the implementation of 51 best practices.
Failure to comply with PCI DSS 4.0 can have severe financial consequences, with fines for non-compliance ranging from US$5,000 to US$100,000 monthly, depending on the volume and length of non-compliance.
It’s not all about compliance
Rather than treating PCI DSS 4.0 compliance as a tick-box exercise, business and security leaders should view the transition as an opportunity to enhance their organisation's security posture, integrate cybersecurity with fraud management, and revolutionise the protection of cardholder data. To actively work towards these goals, organisations must place equal importance on application and data security.
That being said, PCI DSS 4.0 represents a significant update that demands substantial effort from organisations to achieve compliance. Companies that have yet to begin should treat this as a decisive moment to organise their compliance strategy and get their efforts underway. The process of budgeting, planning, implementing, testing, and validating solutions requires time and should not be rushed.
Organisations should strive to adopt PCI DSS best practice to alleviate the compliance burden, including:
- Undertake an audit to identify and list all bespoke, custom and third-party software and APIs within the organisation’s tech inventory. By establishing this clear view, organisations are able to better manage vulnerabilities that may occur in the processing, receiving, transmitting, and storing of cardholder data.
- Implement a broader range of advanced techniques for fraud detection and prevention, including the use of bot detection and management.
- Avoid using web browser-based applications to capture cardholder data, as these can expose data to unauthorised parties. Malicious client-side scripts (JavaScript), often injected into the end user's browser and application experience by cyber criminals, pose a significant risk. These scripts have the potential to copy cardholder data as it is keyed into the application by users and transmit it to an unauthorised third-party data collection point. To address this, organisations should ensure policies are in place to allow only authorised scripts to interact with a payment web page. Additionally, they should restrict the locations from which a payment page can be loaded and use the content security policy of the parent page to prevent unauthorised content from replacing the payment page. At the very least, organisations must ensure they have client-side protection in place to secure the payment page in the end user's browser.
- Monitor and block unintended behavior within an application. Runtime application self-protection (RASP) technology can detect and block anomalous behavior by the entire software and application stack during execution.
- Establish the ability to automatically identify and prevent web-based attacks by deploying a Web Application Firewall (WAF) that extends to API protection.
The way forward
Organisations must actively integrate a robust application security strategy as a core component of PCI DSS 4.0 and view the transition as more than a compliance checkbox. By embedding best security practices, they can ensure there is a critical line of defence for their most valuable assets – data. With the deployment of strong data security measures like tokenisation, point-to-point encryption, and biometrics, organisations can create comprehensive cardholder environment protection.
A cohesive security approach that merges application and data safeguards enables organisations to simplify compliance, fortify data protection, prevent expensive breaches, and uphold customer confidence. And with over a quarter (26%) of consumers having abandoned a brand or service because of concerns about how their personal data was being used, there’s rationale to prioritise data security more than ever.
PCI DSS 4.0 is just around the corner, but there is still time for organisations to plan strategically and utilise technology to make sure they are compliant well ahead of time.