Making Sense of Today's Payment Cybersecurity Landscape

PCI DSS v4.0 is the future of the payment card industry's information security standard, but businesses must continue to look beyond this guidance and engage in proactive strategies of their own.

4 Min Read
Small padlock sitting on a credit card with keyboard in background
Source: Piotr Adamowicz via Alamy Stock Photo

The surge in cybercrime activity since the outbreak of the COVID-19 pandemic has been tough to ignore. This is particularly true for "high-value" sectors such as finance — especially the payments industry.

Cybercriminals have continuously targeted the financial sector, not only because of the cache that comes with compromising a high-profile finance name but also because of the allure of a potentially lucrative payday. In fact, more than 60% of global financial institutions with over $5 billion in assets were hit by cyberattacks in 2022. And with the number of non-cash transactions hitting a record of 157 billion in 2021 in the US alone, the highly disruptive payments sector has emerged as a foremost threat target.

To combat this, the PCI Standards Security Council — which sets industrywide cybersecurity standards and is led by major players in the payments card space — has unveiled its newest version of its Data Security Standards (DSS) v4.0. With current guidance — DSS v3.2.1 — set to sunset in 2024, the payment card industry and vendors that accept card payments have been working diligently to make sure they hit the March 2025 compliance deadline for v4.0. However, with so many new technologies and threats to contend with, and more than five years elapsing since the debut of v3.2.1, getting up to speed with the expectations of v4.0 is proving to be easier said than done.

What's New in PCI DSS v4.0?

Originally set to be updated every three years, v4.0 guidance has been long awaited, to say the least. At over 350 pages, 4.0 features numerous new best practices, as well as enhancements on existing guidelines, including requiring businesses to implement multifactor authentication on all accounts that access cardholder data and new mandates for providing employee cybersecurity training. That said, when combining the legwork of meeting new compliance requirements and double-checking compliance against the rest of the guidance, the process of adopting v4.0 can seem like a highly daunting process — especially for businesses seeking to become DSS compliant for the first time. Here are three of the foundational steps that businesses can use to become compliant:

  1. Establish a baseline and review guidance pillars: This may seem like a no-brainer, but with such a dense piece of guidance — fines that can be in the millions of dollars for noncompliance — having a firm grasp of your end-to-end compliance from the start is pivotal. Much like previous versions of PCI DSS guidance, v4.0 is composed of a comprehensive list of 12 pillars that aim to provide the most comprehensive security for the industry and cardholders themselves — tackling things like network security to the cryptography used to transmit cardholder data. In tandem with familiarizing themselves with these pillars and seeing how they stack up, businesses need to determine which PCI DSS level they fall under to determine the exact specifics they are required to adhere to in terms of the rollout of their PCI DSS compliance.

  2. Determine the role of technology in your compliance efforts: One of the most interesting aspects of v4.0 is the latitude that is given to businesses to use technology to achieve and demonstrate their compliance. The compliance technology industry has come a long way since v3.2.1 was introduced. Moreover, the posture within the compliance community toward technology has shifted dramatically — with regulators now expecting, rather than encouraging, that technology be a part of an organization's compliance mix. With that, businesses now have greater latitude to deploy emerging technologies like the cloud and different SaaS tools to help meet their ongoing compliance needs — from network monitoring to vulnerability testing — including when it comes to meeting v4.0 expectations. Thus, in addition to identifying existing gaps or weaknesses in meeting v4.0 oversight expectations, businesses also need to think about how they are going to fill them, and how and when to use technology tools to help them do so.

  3. Embrace flexibility and dynamism: The rapid pace of innovation by well-funded cybercriminals means it is highly likely cybersecurity guidance will be coming at a much greater frequency from PCI in the years ahead. This means businesses need to begin building enabling cybersecurity strategies to be both flexible and adaptable as new payment technology and related threats become realized.  Meeting the compliance standards of today is great. However, as the payments world becomes more complex, global, and interconnected, businesses simply do not have the luxury of waiting around for new guidance to come out before they update their practices. Cybersecurity is a living, breathing ecosystem, and payment stakeholders that prioritize both robust preventative and detectable cybersecurity measures, like anti-malware software and threat hunting and penetration testing, stand a much better chance of not only remaining compliant, but delivering a more secure and enjoyable experience for their customers.

PCI DSS v4.0 is a major marker for the future of cybersecurity health and performance of the payments card industry. However, in addition to meeting this compliance threshold, businesses must continue to look beyond this immediate guidance and engage in proactive cybersecurity strategies that continuously push the boundaries of their own security. If they can do this successfully, the payments card space stands a much greater chance of remaining one step ahead of adversaries and can establish greater trust with consumers for years to come.

About the Author(s)

Norman Comstock

Managing Director, UHY Consulting

Norman Comstock serves as a senior leader for UHY Consulting's Technology, Risk & Compliance group focusing on Cybersecurity Solutions. Additionally, he leads the Enterprise Performance Management (EPM) practice as part of the Software Solutions group. In this role, he leads a team of solution consultants that help organizations evaluate and utilize the Planful (formerly Host Analytics), Workiva, and Dell Boomi solutions. Norman has more than 25 years of experience providing strategic consulting services.

Luke Nelson

Managing Director, Cybersecurity Solutions, UHY Consulting

Luke Nelson is a Managing Director for UHY Consulting focusing on Cybersecurity Solutions and Technology Risk services. Luke is responsible for providing all aspects of Cyber, Security, and Risk programs inclusive of leveraging new technological advancements, such as artificial intelligence (AI), cloud-based scalability, and advanced mathematical techniques along with optimized visualizations to deliver enhanced decision-making capabilities. He supports executives in analyzing their business plans to reassess strategies and focus on a performance and risk-aligned prioritized agenda. These efforts revolve around planning, executing, tracking, and reporting of performance and risk metrics, and root cause analysis aligned with measurable and actionable initiatives.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights