Many Merchants Worried by Deadline To Toughen Payment Card Security

A growing concern among merchants is their ability to meet new payment card industry (PCI) security standards as early as next March. Failure to complete the upgrade within one year could cost them penalties from $5,000 to $100,000 or more.

The Payment Card Industry Security Standards Council (PCI SSC) develops the Payment Card Industry Data Security Standards (PCI DSS) used across the industry. While the PCI SSC sets these standards, individual card brands create their own compliance requirements. These requirements are then adopted by service providers, and each card brand has its unique compliance program.

PCI-validated encryption and tokenization technology firm Bluefin released a report last month revealing that 94% of commerce industry respondents have significant or very significant concerns pertaining to payment data security. Even with the increasing reports of data breaches industry-wide, only 21% said they are very confident in their ability to protect customer data.

Some 98% of respondents noted their organization experienced at least one data breach over the past 24 months, and 50% admitted to experiencing a breach that significantly disrupted business operations, according to the report.

Urgency To Adopt PCI DSS 4.0

The commerce industry must adopt the latest Payment Card Industry Data Security Standards (PCI DSS 4.0) before the March deadline. The new PCI DSS 4.0 standards necessitate a significant security lift.

Payments stacks continue to evolve alongside customer needs and expectations. Cybercriminals view this as a pivotal opportunity to exploit emerging points of vulnerability and capture critical customer data, according to Brent Johnson, CISO at Bluefin.

“In this environment, it is not a matter of if an organization will experience attempts at being breached. It is a matter of when. Businesses must ensure compliance with new PCI DSS 4.0 standards as part of a holistic approach to protecting customer data, and our new report serves as a guide for organizations as they look to meet these requirements ahead of the looming March 2025 deadline,” he said in announcing the report’s findings.

Enterprise Readiness Insights

Bluefin’s survey revealed the following key findings about enterprise readiness for new PCI DSS 4.0 requirements:

• 93% of respondents indicate the changes required are significant. Some 64% are so concerned with meeting the PCI DSS 4.0 timeline that they would support a timeline extension.
• PCI DSS 4.0 education and execution remains concerningly low. Fewer than a third (31%) of payment data security professionals have a strong understanding of the new requirements, and nearly half (49%) indicate their organizations have yet to begin executing any of them.
• Enterprises overwhelmingly view the new PCI standards positively despite the challenges. More than 4 in 5 (81%) respondents agree or strongly agree that the new rules are fair, necessary, and for the better of the industry and consumers.

Support Tempered by Concerns

While survey respondents generally show optimism about PCI DSS 4.0 benefits, they also share significant concerns over the changes involved. For many, meeting the new standards was tempered with other business operational concerns.

Respondents from large companies (5,000+ employees) view the new PCI requirements as more expensive to implement, resource-intensive, and time-consuming than those from medium or small companies, according to Bluefin VP of Marketing Nick Berents.

“The most significant takeaway for me was just how many businesses said they are not prepared to meet the new PCI DSS 4.0 requirements despite having significant concerns about their payment security,” he told The E-Commerce Times.

Notwithstanding the reported percentages voiced in the survey, Berents was surprised by how many businesses were behind at the time or had not even started implementing the changes, especially in light of their concerns with their payment data security in the first place.

“I am sure there has been progress since Q2 as many companies seem to be more engaged from what I am seeing,” he offered.

Addressing Compliance Challenges

According to Berents, the report also revealed that developing cybersecurity methods for threats and coordinating and performing targeted risk analysis were the top two aspects businesses ranked as most challenging when complying with the new standards. Evidence showed that IT and security departments will be responsible for some of the biggest compliance challenges.

Payment tokenization and PCI-validated point-to-point encryption (P2PE) are vital to meeting new PCI DSS 4.0 requirements and protecting customers’ sensitive payment data. Implementing P2PE can reduce a company’s PCI compliance scope by over 70%, said Berents.

Additionally, over half (51%) of respondents said they would mainly rely on third-party vendors to help meet PCI DSS requirements. He suggested that one of the best ways organizations can address payment security is to use a trusted partner and not feel like they have to take on that burden themselves fully.

Early concerns, a range of knowledge, and mixed comfort levels within many organizations contribute to a slow adoption response. During the survey, many participants expressed concerns about the necessary effort involved.

“Those who understand it strongly value PCI-validated P2PE (36% as a top three ranking) more highly than those with moderate or weak understanding,” said Berents.

Potential Penalties May Push Upgrade Plans

While there are no legal implications to not meeting the deadline, organizations that are not compliant can face serious fines, observed Berents.

The standards are not required by law or regulatory mandate. Instead, they are self-governed and imposed by the Payment Card Industry Security Standards Council, which is run by the global card networks. These governing agencies include Visa, Mastercard, payment processors, service providers, and others in the payments ecosystem.

“The potential fines for non-compliance go a long way toward keeping customers’ data safe. PCI compliance also helps reduce fraud and is in the overall best interest of merchants and consumers,” he added.

2 Key Dates To Watch

The transition to the stricter security measures is 12 months apart. On March 31, 2024, v3.2.1 will be retired, and v4.0 will be the only active version.

This transition period allows organizations to become familiar with the changes and plan accordingly to implement changes and meet the updated requirements, noted Berents.

Organizations with specific questions about their implementation and compliance obligations should contact their acquirer, payment brand, or trusted vendors to help with timelines.

As of March 31, 2025, the best practices listed within v4.0 will become requirements.

Both dates are published on the PCI SSC website within the PCI Perspectives blog.