PCI DSS v4.0: adapting to modern security threats - Bistech

Is your business ready?

The Payment Card Industry Data Security Standard (PCI DSS) plays a pivotal role in safeguarding sensitive credit card information — protecting consumers and businesses alike from data breaches and fraudulent activities.

Version 4.0, which replaces v3.2.1 as of 31 March 2024, adapts to contemporary threats in the ever-changing cyber security landscape. With the transition window fully closing in March 2025, businesses need to assess whether they are in a position to meet this timeline while aligning their strategies with the new standard.

Considering this, it is imperative that IT teams implement robust measures to maintain a secure environment for processing, storing, and transmitting payment data.

What are the main changes?

Although the 12 core requirements remain fundamentally the same, PCI DSS v4.0 strengthens the following areas:

  • Update and patching of equipment and systems
  • Encryption protocols, access controls, and network configurations
  • Security awareness training for employees
  • Monitoring and tracking access to network resources and cardholder data
  • Incident response and detection capabilities

Ensuring security best practices

While PCI DSS is concerned with protecting cardholder data, the security measures it encourages are generally considered as the minimum standard for all businesses, regardless of their level of involvement with card payments. This includes:

  1. Automated updates – Leverage cloud-managed solutions to ensure updates are rolled out promptly and efficiently. As a fundamental requirement for any business, and a key component of Cyber Essentials, critical systems must be patched within 14 days.
  2. Multi-Factor Authentication (MFA) – Prioritise the implementation of multi-factor authentication systems, adding extra layers of security and reducing the risk of attack.
  3. Phishing attacks – Combine robust training programmes for employees with email security tools to mitigate this growing threat.
  4. Access control – Determine access to resources dynamically by analysing the security posture of accounts. This provides a more adaptive and responsive approach to access control as opposed to changing passwords/passphrases every 90 days.
  5. Internal vulnerability scans and security awareness programmes – Integrate these practices into security protocols, and regularly review and update them.

Leveraging third-party solutions

For those seeking to achieve compliance, one of the simplest and most effective ways to meet the updated requirements is to use a third-party solution that already meets the standard.

This approach offers three key benefits:

Assured security — Payment details never enter your organisation or systems; they are captured and processed by a separate, secure platform.

Ease of management — The complexity and responsibility of remaining compliant is taken away from you, freeing up time and resources to work on more strategic projects.

Customer experience — The payment process is streamlined, and points of friction are removed to ensure a seamless experience for your customers and agents.

Next steps

In a world of increasingly stealthy and sophisticated cyber threats, it is imperative that your business takes action — both to secure against debilitating data breaches and to protect your brand.

The Security Standards Council, consumers, and partners will all seek assurances that your methods of capturing, processing, and storing payment data are compliant with the latest industry standards and regulations. So, whether you are seeking guidance on security best practices or want to leverage third-party PCI compliance solutions, call 03330 11 22 55 today to speak to one of our experts.