With global retail e-commerce expected to exceed $6.3 trillion in 2024, cybersecurity in digital payments has never been more important. In the first half of 2024 alone, over 214,000 incidents of credit card fraud were reported to the FTC, with fraudulent activity often being facilitated as a result of digital payments.
As part of a major effort to ensure cyber-compliant digital payments, PCI DSS (Payment Card Industry Data Security Standard) has established clear guidelines for processing, storing and transmitting credit card information online. And in light of ever-evolving digital threats, businesses currently find themselves in the midst of the rollout of PCI DSS 4.0.
PCI DSS applies to any business accepting credit card payments online, which encompasses everything from D2C e-commerce all the way to subscription-based enterprise software. Here’s what online businesses need to know about getting ready for PCI DSS 4.0, and what these new standards indicate about the future of cyber-compliant digital payments.
Why This New Version?
The introduction of PCI DSS 4.0 is a direct response to the ever-changing cybersecurity landscape surrounding digital payments. The COVID-19 pandemic led to a rapid increase in digital payments, as well as a rise in cybercrime. At the same time, increased computing demand has caused many business networks to transition from traditional data center-based servers and routers to cloud computing.
Of course, cybersecurity threats are constantly evolving, with phishing and other attacks against digital payment applications becoming more sophisticated. Mobile, IoT devices and cloud processing have all seen rapid adoption since the previous PCI DSS standard was introduced in 2018.
The rapidly shifting pace of technology and the increased reliance on digital payments on a global scale have made updated standards a necessity to ensure that online payments remain secure. As the digital payments landscape has evolved, so have cyber attacks, and as a result, compliance standards like PCI DSS are likely to be revised to be increasingly strict over the years ahead.
Understanding the Gradual Rollout of PCI DSS 4.0
PCI DSS 4.0 was introduced in 2022 with 64 new security requirements, 13 of which needed to be implemented immediately beginning in March 2024, with the remaining 51 controls required to be in place by April 1, 2025.
Among these updated security standards are a requirement that all users who can access cardholder data use two-factor authentication, an increase in the minimum password length to 12 characters, and mandatory annual security awareness training on topics such as phishing.
Failure to comply with PCI DSS standards has notable penalties, with banks and payment processors passing on fines ranging from $5,000 to $100,000 per month to non-compliant merchants. The severity of non-compliance, the number of transactions processed by the merchant and their data security history can all play a role in the fine amount, which can also escalate if the merchant fails to resolve its noncompliance issues.
The scope of the new security requirements and the associated penalties makes this gradual rollout a necessity so that businesses have enough time to become fully compliant.
How to Ensure Compliance
With the full implementation of PCI DSS 4.0 just months away, organizations must act immediately to ensure they will be ready. Businesses should start by roadmapping the PCI DSS 4.0 updates that they need to make to ensure full compliance by April 1, 2025 and prioritize them accordingly.
With so many new security requirements to consider, roadmapping can be a time-consuming process. Tools like Cypago, a cyber GRC automation solution, can help. Cypago makes it easy for cyber and compliance teams to collect compliance evidence, address security gaps and engage in continuous monitoring.
Notably, Cypago covers a variety of compliance frameworks, including PCI DSS, as well as GDPR, ISO 27018, NIST 800-171 and SOC 2 – all of which are useful as trust signals to various stakeholders that a company takes information security and user privacy seriously. Using Cypago, cybersecurity and compliance teams can manage all of their controls holistically, can build out custom frameworks, and can perform risk-driven analyses.
Because the tool always keeps its system up to date, users are able to quickly evaluate how they compare to current standards and controls. Even with such tools, however, fully transitioning to PCI DSS 4.0 can’t be done overnight. While some requirements can be implemented relatively quickly, others take months to fully adopt. Evaluating your current status compared to pending security requirements is crucial to develop a plan for ensuring full compliance.
In addition to taking action to implement the specific requirements for PCI DSS 4.0, businesses can future-proof their digital payment compliance by focusing on the underlying issues that contributed to this latest update.
To begin with, businesses should avoid storing sensitive cardholder data unless it is absolutely necessary, properly encrypt such data and erase data as soon as it is no longer needed for the transaction. Businesses must also closely control access to their systems and code script on payment pages to reduce potential breaches.
The overarching goal of PCI DSS 4.0 is to create a future where merchants take a more proactive approach to cybersecurity and take decisive steps to protect their customers even before additional standards updates are introduced.
Creating a Safe Environment for Digital Payments
Ultimately, the rollout of PCI DSS 4.0 illustrates the emphasis that the payment card industry is placing on ensuring the safety of its customers and preventing identity theft and credit card fraud. At the same time, the gradual rollout of these standards highlights the understanding that businesses need time to fully implement the updated security requirements.
By enacting these additional security measures, the payment card industry and online businesses can work together to reduce fraud. PCI DSS 4.0 represents an ongoing commitment to navigating today’s security challenges — and the likelihood that additional standards updates will come in the future as new threats and tech innovations bring about even more changes.
The post What the Rollout of PCI DSS 4.0 Says About the Future of Cyber-Compliant Digital Payments appeared first on ReadWrite.