Guides

What Your Business Needs To Know About PCI DSS 4.0

The latest version of the Payment Card Industry Data Security Standard (PCI DSS) sets the bar for safeguarding cardholder data.

In today’s digital age, protecting customer payment information is more critical than ever.

No matter what business or industry you’re in, the number of applications that handle payment data has grown significantly, from e-commerce platforms to mobile payment solutions and beyond. Each of these applications presents a potential vulnerability.

With over a quarter (26%) of consumers having abandoned a brand or service in the past 12 months over concerns about how their data was being used, there is a clear business imperative to protect any and all customer data, one that goes beyond compliance.

That’s where PCI DSS 4.0 comes in. This latest version of the Payment Card Industry Data Security Standard (PCI DSS) sets the bar for safeguarding cardholder data. But what is it exactly, and why should businesses pay attention?

What exactly is PCI DSS 4.0?

PCI DSS 4.0 is the latest version of the Payment Card Industry Data Security Standard: a set of security requirements designed to ensure that all companies that process, store, or transmit credit card information maintain a secure environment.

Released to address evolving security threats, PCI DSS 4.0 includes updated guidelines and new requirements to enhance data protection, improve security practices, and provide greater flexibility for businesses to meet compliance. This version aims to help organisations better safeguard payment data and reduce the risk of data breaches. Sounds great, right?

But with new requirements being introduced, many businesses are no doubt grappling with how to tackle compliance by the deadline of March 31st 2025. So, with this in mind, here are the key factors you need to take into consideration to ensure compliance:

Know Your Tech: Conduct an audit to identify all software and APIs in your tech inventory. This helps you manage vulnerabilities in processing, receiving, transmitting, and storing cardholder data, ensuring comprehensive protection.

Tailored Security: Implement a strong application security strategy using methods and technologies that best suit your business. You have the flexibility to choose, as long as you can prove their effectiveness. This allows for innovative and customized cybersecurity approaches.

Strong Authentication and Encryption: Use secure methods to verify the identity of users, devices, and systems, and ensure the confidentiality and integrity of cardholder data. This can include tokenization, point-to-point encryption, and biometrics.

Advanced Fraud Detection: Employ proactive and varied techniques to detect and prevent fraud, such as bot detection and management, and firewalls that automatically block suspicious behaviour.

Continuous Security and Compliance: Regularly monitor and evaluate your security posture, including that of your supply chain. For compliance, businesses must assess and document their security measures regularly, not just annually.

It’s not all about compliance

Instead of seeing PCI DSS 4.0 as a cumbersome tick-box compliance exercise, business and security leaders must view the transition as an opportunity to enhance their organisation’s overall security posture, integrate cybersecurity with fraud management, and revolutionise the protection of cardholder data. Not only will this result in compliance and prevent expensive breaches, but it will also uphold customer confidence: a win-win.

However, PCI DSS 4.0 no doubt requires substantial effort from organisations to evolve beyond legacy requirements and achieve compliance with the new ones. Businesses playing catch-up should treat this as a decisive moment to organise their compliance strategy and get their efforts underway.

The process of budgeting, planning, implementing, testing, and validating solutions requires time and should not be rushed. Remember: data is one of businesses’ most valuable assets, and its security and integrity should never be put at risk.

Tim Ayling is Vice President Cyber Security Solutions EMEA for Imperva, a Thales company.
