Preparing for PCI DSS 4.0: Five Steps to Get Financial Institutions Ready

For two decades, payments security industry body the PCI Security Standards Council (PCI SSC) has demanded compliance with an ever-growing set of rigorous technical and operational requirements in order to protect cardholder data. PCI DSS 4.0 is the biggest update to its payment card industry data security standard since its inception in 2004. It applies to any organization that accepts, processes, stores or transmits card data—which means most financial institutions.

But with so much on their to-do list, what should financial services firms prioritize to accelerate compliance before the 1 April 2025 deadline?

What’s new in PCI DSS 4.0?                                                  

PCI DSS 4.0 was designed to move with the times—not an easy feat in a world where threat actor innovation is moving as fast as enterprise digital transformation. That’s why it introduces a series of new requirements designed to ensure complying banks are as secure as they can be. In fact, the banking industry is a prime target for data breaches, given the huge quantity of card details and personally identifiable information (PII) it stores. According to one recent study, the sector was the most breached in 2023, overtaking healthcare with over a quarter (27%) of recorded incidents.

In this context, some of the key changes from the previous PCI DSS iteration are:

1. A larger range of acceptable network security controls that can be used instead of firewalls
2. A new requirement to deploy multi-factor authentication (MFA) for access into the cardholder data environment (CDE)
3. Greater flexibility in demonstrating compliance with security objectives
4. New targeted risk analyses, designed to give complying organizations more flexibility in how frequently they perform certain activities

With a mission to keep pace with the ever-changing card industry, technology and threat landscape, PCI DSS 4.0 was designed to:

1. Provide greater flexibility in the technologies organizations can use to achieve compliance
2. Promote continuous security, rather than treating compliance/security as a tick-box endeavor
3. Enhance validation methods and procedures

Five steps to get started

There are over 50 new requirements in PCI DSS 4.0. Some will be easier to meet than others. To get started, consider the following:

1. Perform a readiness assessment
   Get an in-house or third-party expert to assess the scope of the organization’s PCI DSS compliance program, and check if it’s correct. Anything done at this stage to reduce the scope (like removing unnecessary hardware/software components) will also help to reduce cost and minimize attack surface. This initial process should identify any gaps and deliver a roadmap for compliance.
2. Update training and awareness programs
   Many organizations forget that a critical component of PCI DSS success is its people. Staff need to be regularly updated on the latest security threats and how to identify and handle them. That’s because each passing month, threat actors devise new ways to compromise CDEs. Training lessons should include real-world attack simulations and be fairly short (10-15 minutes), but frequent.
3. Develop the right policies and procedures
   This is perhaps the most important step, as policy is the bedrock of any compliance strategy. It will require documenting a set of written procedures that explain how the organization manages its CDE. Include information security, incident response and user awareness and training as a starting point.
4. Get granular with technical controls
   PCI DSS 4.0 is highly granular in its required technical controls. There will also be some updates in there from previous versions, like MFA, anti-phishing procedures, authenticating internal vulnerability scanning, and anti-e-skimming measures. Remember: the devil’s in the detail.
5. Perform continuous monitoring
   PCI DSS 4.0 is all about security as a continuous process rather than a point-in-time compliance play. One of the best ways to achieve this is through continuous monitoring of security controls and of the CDE. The former will assess and flag any non-performant controls for remediation, while the latter will ensure any new data appearing in the CDE is automatically protected.

Consider comforte’s Data Security Platform here. It uses AI technology to automatically discover, classify and protect (in line with policy) any sensitive data, wherever it is being stored across the organization—including in cloud environments. This is essential given the increasingly distributed nature of banking IT infrastructure today, and the rigorous requirements of PCI DSS 4.0.

In it for the long term

As always, the effort needed to attain PCI DSS compliance will be significant. But so will the rewards. This is not just about mitigating the risk of major compliance fines. It is about building a more secure enterprise data environment. That will stand the organization in good stead not just with the PCI SSC, but other regulations—from GDPR to CCPA and beyond.