PCI DSS version 4.0: Is your payment card data security program ready?

BrandPost By Ken Phillips
Oct 16, 20234 mins

As the current PCI DSS Standard nears retirement, organizations are asking themselves if their payment data security program is ready for PCI DSS version 4.0.

Credit: Marco VDM

The numerous new attack vectors being used by threat actors to obtain payment card data underscores the increasing necessity of compliance with the Payment Card Industry Data Security Standard (PCI DSS). According to the 2023 edition of Verizon’s Data Breach Investigations Report (DBIR), payment card data was compromised in 37% of breaches in 2022. 

It is also a high-value target. In the Hospitality industry, credit card data was the target of 41% of cyberattacks, according to the 2023 DBIR. 

Not surprisingly, the retail industry was also highly targeted. Verizon’s researchers found that payment data comprised 37% of the data compromised in attacks. Notably, they also found another risk, as 18% of attacks on e-commerce companies involved malicious code embedded within credit card processing pages – an approach in which attackers remain undetected as they pilfer payment card data without impacting the site’s operation.

To avoid the reputational harm and lawsuits that accompany such breaches, businesses must embrace a comprehensive program to comply with PCI DSS v4.0 and remain compliant long-term, while continually strengthening their overall security stance. 

But how can enterprises know if their payment card data security program is ready?   And more specifically, what can CIOs, CISOs and other IT leaders do to make certain they are doing everything possible to prevent the loss of payment card data – an event that creates a worrisome inconvenience for customers and loss of trust among consumers?

Kris Philipsen, managing director of Cyber Security Consulting at Verizon, notes there is a lot to take into account, as PCI DSS v4.0 includes substantial updates and many new requirements.

“Fortunately, compliance is not simply window dressing or an added complexity in the already challenging task of safeguarding payment card data and digital payments. It is a highly effective defense that also contributes significantly to the design of an effective enterprise-wide security program.”

To know if their payment card data security program is ready, Philipsen stresses that IT leaders must first acknowledge the need for a comprehensive compliance program that contributes to an overall security program that is sustainable, adaptable and able to provide continuous maturity improvement.

That requires good leadership to avoid the most common reasons for PCI DSS compliance failures. They include:

  • Working with the wrong Qualified Security Assessor (QSA): PCI DSS v4.0 requires more than an auditor – enterprises need a QSA who is committed to making the organization’s payment card protection strategy as effective as possible.
  • Not securing executive support: Commitment from business leaders, particularly in enterprise-wide communication, is absolutely crucial to create an environment where the principles behind PCI DSS compliance efforts become part of the organization’s culture.
  • Not identifying the root causes: IT leaders must determine where security gaps exist before selecting new security solutions and capabilities, to discover contributing factors responsible for noncompliance.

“IT leaders need to approach PCI DSS v4.0 compliance as but one goal of their efforts, but not their end goal,” Philipsen adds. “You want to create a program that is compliant with PCI DSS v4.0 and that effectively and sustainably protects payment card data even as the threat landscape evolves.”

You can find more information on Verizon’s PCI DSS assessment here. Security and compliance teams can also download the 2023 Payment Security Report insights for information on advanced PCI security program management and design.