PCI DSS 4.0: Time to Pay Up, Securely
For decades, businesses that handle payment data have struggled to secure transactions end-to-end. Along the way, the payment industry has sought to apply discipline, best practices and consistency to those processes via the PCI DSS standard, and with the latest iteration it made impressive strides. Now it’s time to put it into practice. Just last week, on March 31, the deadline for the remaining future-dated requirements of PCI DSS 4.0.1 passed without a whimper. That’s not to say everyone has complied, but they should.
“Non-compliance with PCI DSS 4.0 brings more than just fines — it exposes businesses to breaches, legal liability and lost business relationships,” says Jonathan Gill, CEO of Panaseer.
While the fines should make any business shudder, as much as $100,000 per month, “the bigger risk is the long-term impact of data theft and operational disruption,” he says. “Without a solid compliance strategy, security gaps will persist, putting both business and customer trust at stake.”
PCI DSS 4.0 raises the regulatory bar with stricter authentication, continuous monitoring and tighter third-party oversight, the Panaseer CEO notes, which “means any business handling payment data – banks, merchants, tech providers — must shift from static compliance to ongoing risk management.”
But perhaps more importantly, the updated PCI DSS, Gill says, is “part of a broader global shift: Market forces alone have failed to prevent systemic risks in our increasingly interconnected digital ecosystems,” forcing regulators to step in. “Not just to enforce compliance, but to prevent cascading failures that could threaten entire industries,” he explains.
That’s just the kind of shift in thinking needed in the sphere of payments, where weaving security into the fabric of a business has proved challenging, in part because the resources and an overarching, integrated approach often haven’t been there. “Cybersecurity teams have long lacked the right operational tools that other business functions like finance typically have,” Gill says. “Closing this gap will require organizations to demonstrate they have control over payment data, prove compliance beyond audits, and integrate security into their daily operations.”
On the particulars, PCI DSS 4.0 shores up security around encryption, requiring strong cryptography and secure protocols for cardholder data sent over open, public networks, which in practice means TLS 1.2 or higher. “Encryption at rest is also strengthened — if disk-level encryption is used, organizations must implement additional controls to ensure Primary Account Numbers (PANs) remain unreadable,” Vini Merlin, product manager at Oasis Security, points out.
“Secure key management and strong cryptographic algorithms are essential for maintaining compliance.”
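The methods PCI DSS accepts for rendering stored PAN unreadable (masking for display, truncation, keyed cryptographic hashing) are easy to get subtly wrong, so here is an added, self-contained example of each, not code from the article or from any vendor quoted in it. It uses the well-known 4111… Visa test number and a constructed HMAC key, both assumptions for illustration only. It also shows why PCI DSS 4.0 moved to keyed hashes: if an unkeyed hash of a PAN sits next to a masked or truncated copy of the same PAN, the hidden middle digits of a 16-digit PAN leave at most a million candidates, and the full PAN can be recovered in seconds.

```python
import hashlib
import hmac
import re
from typing import Optional

# Constructed sample: the well-known 4111... Visa test number, not real cardholder data.
SAMPLE_PAN = "4111111111111111"
# Constructed key for the example only. In production the key lives in an HSM or
# key vault and is rotated under documented key-management procedures.
SAMPLE_KEY = b"example-hmac-key-do-not-use-in-production"


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: a cheap plausibility check for a 13-19 digit PAN."""
    if not re.fullmatch(r"\d{13,19}", pan):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display masking: show at most the first 6 (BIN) and last 4 digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Storage truncation: keep only BIN + last 4; the middle digits are discarded, not hidden."""
    return pan[:6] + pan[-4:]


def keyed_hash_pan(pan: str, key: bytes) -> str:
    """Keyed cryptographic hash (HMAC-SHA256) of the entire PAN, the form PCI DSS 4.0
    requires when hashing is the unreadability method. Without the key, a digest
    cannot be brute-forced even when the BIN and last four are known."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def unkeyed_hash_pan(pan: str) -> str:
    """The weak pattern: a plain SHA-256 of the PAN with no key."""
    return hashlib.sha256(pan.encode("ascii")).hexdigest()


def recover_from_unkeyed_hash(masked: str, digest: str) -> Optional[str]:
    """Attacker's view: given a masked or truncated copy (BIN + last 4 known) and an
    unkeyed hash of the same PAN, only the hidden digits are unknown, so a 16-digit
    PAN has at most 10**6 candidates. This is why hashed and truncated copies of one
    PAN must not be correlatable, and why the hash must be keyed."""
    prefix, suffix = masked[:6], masked[-4:]
    width = len(masked) - 10
    for n in range(10 ** width):
        candidate = f"{prefix}{n:0{width}d}{suffix}"
        if hashlib.sha256(candidate.encode("ascii")).hexdigest() == digest and luhn_valid(candidate):
            return candidate
    return None


if __name__ == "__main__":
    print("masked   :", mask_pan(SAMPLE_PAN))
    print("truncated:", truncate_pan(SAMPLE_PAN))
    print("HMAC     :", keyed_hash_pan(SAMPLE_PAN, SAMPLE_KEY))
    weak = unkeyed_hash_pan(SAMPLE_PAN)
    print("recovered from unkeyed hash:", recover_from_unkeyed_hash(mask_pan(SAMPLE_PAN), weak))
```

Running the script prints the masked and truncated forms, a keyed digest, and then recovers the full test PAN from the masked copy plus the unkeyed digest; repeating the last step against the HMAC digest exhausts all candidates and returns nothing, which is the property the keyed-hash requirement buys.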
According to Zimperium VP Krishna Vishnubhotla, encryption alone doesn’t remove a system from PCI DSS scope, and mobile apps are particularly thorny. “Hardware Security Modules (HSMs) may not always be available or support required protocols,” he notes. “Without white-box cryptography, encryption keys can appear in cleartext in memory, making them easy to extract via memory dumping,” he says. “Even PIN entry must be secured, as default libraries can be vulnerable.”
Expanded MFA requirements impose the security measure beyond remote access “to include all access to the cardholder data environment (CDE),” says Merlin. “Additionally, organizations must conduct regular PCI DSS scope access reviews to ensure proper access controls,” which are meant to “address identity-based attacks and strengthen authentication security across payment ecosystems.”
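The access-review obligation above is the kind of check that is easy to automate against an identity-provider export. The following is an added example, not code from the article or from Oasis Security, that runs three PCI DSS 4.0 checks over a constructed account inventory: MFA for every interactive user with access into the CDE (requirement 8.4.2), inactive accounts disabled within 90 days (8.2.6), and a user-access review at least every six months (7.2.4, approximated here as 183 days, which is an assumption). The field names, the fixed “today” date and the accounts are all invented for the example.

```python
from datetime import date
from typing import Dict, List

# Thresholds used by this example. 90 days and MFA-for-all-CDE-access track PCI DSS 4.0
# requirements 8.2.6 and 8.4.2; the six-month user-access review of 7.2.4 is
# approximated as 183 days (assumption made for the example).
INACTIVE_DAYS = 90
REVIEW_DAYS = 183

# Fixed reference date so the example is deterministic (constructed).
TODAY = date(2025, 4, 7)

# Constructed inventory in the shape an IdP or IAM export might take; not real data.
ACCOUNTS = [
    {"user": "alice",     "type": "user",    "cde_access": True,  "mfa": True,  "last_login": "2025-04-01", "last_review": "2025-01-15"},
    {"user": "bob",       "type": "user",    "cde_access": True,  "mfa": False, "last_login": "2025-03-30", "last_review": "2025-02-01"},
    {"user": "carol",     "type": "user",    "cde_access": False, "mfa": False, "last_login": "2025-03-28", "last_review": "2024-09-01"},
    {"user": "dave",      "type": "user",    "cde_access": True,  "mfa": True,  "last_login": "2024-12-01", "last_review": "2024-08-20"},
    {"user": "svc-batch", "type": "service", "cde_access": True,  "mfa": False, "last_login": "2025-04-06", "last_review": "2025-03-01"},
]


def review_accounts(accounts: List[Dict], today: date) -> List[Dict]:
    """Return one finding per (account, requirement) violation."""
    findings = []
    for acct in accounts:
        last_login = date.fromisoformat(acct["last_login"])
        last_review = date.fromisoformat(acct["last_review"])

        # 8.4.2: MFA for all access into the CDE. Applied here to interactive user
        # accounts; system/service accounts fall under the separate 8.6 controls.
        if acct["cde_access"] and acct["type"] == "user" and not acct["mfa"]:
            findings.append({"user": acct["user"], "req": "8.4.2",
                             "detail": "CDE access without MFA"})

        # 8.2.6: inactive accounts are removed or disabled within 90 days.
        idle = (today - last_login).days
        if idle > INACTIVE_DAYS:
            findings.append({"user": acct["user"], "req": "8.2.6",
                             "detail": f"inactive for {idle} days"})

        # 7.2.4: accounts and their privileges are reviewed at least every six months.
        stale = (today - last_review).days
        if stale > REVIEW_DAYS:
            findings.append({"user": acct["user"], "req": "7.2.4",
                             "detail": f"last access review {stale} days ago"})
    return findings


if __name__ == "__main__":
    for f in review_accounts(ACCOUNTS, TODAY):
        print(f"{f['user']:<10} req {f['req']}: {f['detail']}")
```

On the constructed inventory this flags bob (CDE access without MFA), dave (127 days idle and a 230-day-old review) and carol (218-day-old review); the service account is deliberately left to the 8.6 controls rather than the user MFA rule, since a blanket check would either miss it or produce noise an auditor would reject.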
Gaps have long existed in MFA for mobile devices used in financial workflows. The standard lacks “explicit requirements asking the systems to ensure they do not send OTP to compromised mobile devices,” Vishnubhotla says, a worrisome issue “since most financial services are accessed through mobile apps, malware is quite common for stealing credentials.” He adds: “By not requiring ‘device attestation,’ bad actors can steal credentials and OTPs, resulting in account takeovers and fraud.”
The latest version of PCI DSS also takes a shot at corralling AI, though it stops short of naming it explicitly. That’s likely because, like their counterparts in other industries, those tasked with setting payment standards are struggling to put parameters around AI without stymieing its potential even as risk rises.
“The increasing use of AI tools in financial and security operations raises concerns about cardholder data (CHD) exposure,” says Merlin. Rather than addressing AI by name, PCI DSS v4.0.1 presses organizations to “vet their AI vendors, ensuring these tools do not inadvertently store, process, or transmit CHD outside of a controlled PCI DSS-compliant environment.” That means they must assess AI-driven fraud detection, automation tools and customer service platforms “for compliance risks to prevent unintentional data exposure.”
As much as PCI DSS 4.0.1 strengthens payment security, it shouldn’t be seen as the be-all end-all. Instead, it should be treated “as a baseline rather than an exhaustive security strategy,” says Pathlock CEO Piyush Pandey.
That’s because threats like ransomware and supply chain attacks, coupled “with the complexity of modern application systems, require organizations to think beyond PCI compliance and implement additional layers of security,” he explains. “One of the key areas of reducing business risk is securing access to regulated business applications at the transactional level to prevent insider threats and credential compromise-based attacks.”
Despite its shortcomings, PCI DSS 4.0 represents a tacit recognition that “cybersecurity is no longer an isolated IT issue,” he says, but rather “is now directly linked to operational resilience, business continuity, and board-level accountability.” Finally. That’s a message that should be reinforced for security to be woven into the fabric of a business. But security leaders are going to have to step up and face what Gill says is a profound change in what regulators and executives alike expect.