One way to see what a quantum leap PCI 4.0 is for merchants is to consider the extended timeline for compliance. Unlike previous updates to the benchmark data protection protocol, which generally required retailers to comply within a year, this update provides a full three years.
In his report PCI 4.0: What Merchants Need to Know, Don Apgar, Director of Merchant Payments at Javelin Strategy & Research, takes an in-depth look at what retailers need to do to comply with the new rules by the time they take effect in April 2025. This update expands the focus beyond IT to encompass the entire enterprise.
Origin Story
In 2004, Visa partnered with Mastercard to build out the work initiated through its Cardholder Information Security Program, resulting in the development of the Payment Card Industry Data Security Standards, often referred to as PCI-DSS, or just PCI. This global standard was established to help companies within the card payments ecosystem combat rising fraud and protect cardholders from data theft.
Two years later, American Express, Discover, and JCB joined the original partners to form the Payment Card Industry Data Security Council. Over the past 20 years, the council has continuously updated and expanded the PCI data security requirements to address emerging threats and vulnerabilities that have come along with new technologies, evolving merchant categories, and novel use cases for card payments.
The latest iteration of PCI, Version 4.0, became effective April 1, 2022, and v3.2.1 will sunset next April. Companies with annual PCI audit, review, and update cycles that extend beyond this date will need the additional time. This extension is necessary because PCI is evolving from a set of prescriptive measures for securing card data to a more holistic data security framework.
“The big paradigm shift is that they’re saying, OK, well, we’ve done everything we can to secure your payment data,” said Apgar. “Now what about access to the overall system?”
The Shifting Threat
For many years, the greatest threat to a retailer’s card data was a hacker gaining access to the database and retrieving 100,000 card numbers. Today, however, the deepest threats come from social engineering and account takeover. By tricking someone into revealing their password, criminals can log into accounts, change shipping addresses, and make unauthorized purchases using stored credit card information.
While most large retailers have taken steps to protect themselves and their customers from such breaches, the heavy lift for PCI 4.0 compliance lies not in the security measures themselves but in the documentation and controls that companies must demonstrate. This aspect of compliance is often the most labor-intensive.
“A major retailer like Target will need to have an annual PCI audit,” said Apgar. “They will have to pay a qualified security assessor, certified by the PCI council, to audit their PCI requirements. A company will review all of the security processes and how everything’s plugged together.”
It’s not a cheap process. A large company might spend around $200,000 annually on these audits. Once an organization’s protective measures are established, maintaining them shouldn’t result in significant additional costs. However, documenting subsequent changes can be costly. Anytime a modification is made to the system, it requires someone to note how that affects PCI.
Enforcing the Rules
There’s no enforcement mechanism for companies employing PCI. Organizations won’t be fined or otherwise sanctioned if they don’t comply. The real penalty is that if you can’t demonstrate compliance with PCI 4.0, other firms might be reluctant to do business with you.
“Let’s say you want to add on a processor like Worldpay to do part of your business,” Apgar said. “Worldpay is going to ask if you are PCI compliant. They will be reluctant to take any customers that aren’t PCI compliant because of potential risk to them. The penalty is your ability to transact in the business world, your ability to choose among vendors, providers, and bankers.”
Another wrinkle is that if an organization falls victim to a successful cyberattack, it’s considered noncompliant. The theory is that if you were compliant, you wouldn’t have been hacked.
This underscores why companies should move away from viewing data security as solely the responsibility of the IT department and instead adopt a holistic approach. PCI 4.0 doesn’t care where the threat originated; it only cares that you deterred it.
“All the versions up until this point have been laser-focused on protecting the payment data,” said Apgar. “It’s like as soon as you put up a firewall, hackers find a way around it. Now the hacking has gotten away from some guy in a basement dialing in to the system and moved toward social engineering. The weakest link is us.”