Organizations are racing against time to meet the PCI DSS 4.0 deadline

Payment data security concerns remain widespread as organizations undertake significant lift to meet the PCI DSS 4.0 deadline, according to Bluefin.

payment data security concerns

94% of survey respondents said they have significant or very significant concerns pertaining to payment data security. Additionally, only 21% indicate that they are very confident in their ability to protect customer data.

As a result, breaches of financial data have become all too common – 98% of respondents indicate their organization experienced at least one data breach over the past 24 months and 50% have experienced a breach that created a significant disruption to business operations.

While 58% of organizations place high importance on securing customer data, it’s evident that the challenges to do so remain persistent. Organizations have turned to the Payment Card Industry Data Security Standards (PCI DSS) for guidance in combating payment data threats for nearly two decades and should continue to do so with the latest requirements in PCI DSS 4.0, which organizations must adapt to before the March 2025 deadline.

Enterprises view PCI DSS 4.0 in a positive light

93% of respondents indicate the changes required are significant. Further, 90% are concerned with meeting the PCI DSS 4.0 timeline with 64% saying they would be likely or very likely to accept a timeline extension.

31% of payment data security professionals have a strong understanding of all requirements associated with PCI DSS 4.0 and 49% indicate their organizations have yet to begin executing on PCI DSS 4.0 changes.

81% of respondents agree or strongly agree that PCI DSS 4.0 is fair, necessary and for the better of the industry and consumers.

“As payments stacks continue to evolve alongside customer needs and expectations, cybercriminals view this as a key opportunity to exploit emerging points of vulnerability and capture critical customer data,” said Brent Johnson, CISO at Bluefin.

“In this environment, it’s not a matter of if an organization will experience attempts at being breached – it’s a matter of when. Businesses must ensure compliance with new PCI DSS 4.0 standards as part of a holistic approach to protecting customer data, and our new report serves as a guide for organizations as they look to meet these requirements ahead of the looming March 2025 deadline,” added Johnson.

Organizations rely heavily on third-party vendors for PCI DSS 4.0

The report also found that there is a strong acknowledgment of the critical role of partners to support PCI DSS 4.0 readiness, with 86% percent of respondents indicating their organization will solely or mostly rely on third-party vendors for PCI DSS 4.0 in some capacity.

Respondents place the highest prioritization on payment data security vendors that have an intimate knowledge of regulatory environments and PCI DSS compliance parameters, including expertise pertaining to the 4.0 updates.

“While PCI DSS 4.0 presents an array of operational and resource hurdles for enterprises to overcome, those that approach it with a strategic mindset will differentiate themselves and ultimately deliver a superior customer experience,” said Jordan McKee, fintech research director at S&P Global Market Intelligence.

“Developing an internal strategy, including the implementation of payment data security technologies like PCI-validated P2PE and tokenization, alongside working with trusted partners will be crucial for organizations to fully understand and address the required changes,” concluded McKee.

Don't miss