The latest version of the PCI DSS v4.0 payment security standards promises the biggest batch of compliance enhancements since 2004

Photo caption: A man puts his finger on a fingerprint device used for automatic payments. (Photo by Philippe HUGUEN / AFP)

Payment security tightens another notch as the age of 5G looms

  • The latest version of the PCI DSS v4.0 payment security standards promises the biggest batch of compliance enhancements since 2004, but the rising threat surface means security practitioners need to make sure their organizations are brought up to speed properly
  • Emerging innovations like 5G and edge computing have the potential for massive gains, but present an untested security environment that security pros need to ensure remains safe

As financial institutions and payment industry players alike look to adopt the latest security standard, the Payment Card Industry Data Security Standard (PCI DSS) v4.0, the cybersecurity threat landscape is even more precarious than it was two years ago: threat actors abound even as organizations scramble to adapt to, and survive in, a fast-moving digital payment environment.

Or at least that’s what the 2022 Verizon Payment Security Report is finding, even as version 4.0 of the payment security standard looks to be implemented by banks, retailers and payment processors worldwide. The Report outlines how, despite significantly sturdier compliance and regulatory apparatus governing a payment landscape that has seen surging online transactions and is easing towards a cashless and contactless digital economy, emerging threats have also been evolving at a frightening pace.

Parallel to the pervasive emergence of new digital dangers ranging from increasing data breaches to financially motivated ransomware attacks, organizations are also grappling with the heightened interest in practically implementing cutting-edge technologies, from 5G to edge computing.

With omnichannel retail now commonplace, and sharp rises in e-commerce, contactless payments and mobile banking, “the speed and stability of 5G could enhance this experience as well as provide greater security by enabling consumers to opt into advanced biometric-based identification and verification methods,” the report quotes Ravi K. Annadanam of 5G and MEC Innovation at the Verizon Business Group as saying.

The increased speeds and latency benefits of 5G should see organizations layer their approach, both on a project basis and at a strategic level, to maximize their security posture as they prepare to implement the strengthened compliance requirements and standardize them over the next two years.

While PCI DSS v4.0 is on track to make significant changes to the sort of outcomes that retailers and financial institutions can expect to see, the core 12 requirements of the PCI Data Security Standard will remain fundamentally the same. FIs and banks will have two years to solidly implement the new requirements, and assessors will hold off until March 2025 to ratify compliance with the new standards.

PCI DSS compliance saw significant payment security gains in 2020, with nearly half (43.4%) of organizations measured maintaining full compliance, a sizable increase from the 27.9% witnessed in 2019. And despite well over half (56.7%) of companies failing their interim validation assessment as a result of one or more security control omissions, the security control gap still improved substantially, from a high of 7.7% in 2019 down to a low of 4% the next year.

“Key changes to the standard focus on meeting the evolving security needs of the payments industry, continuously promoting security processes, increasing flexibility for organizations using different methods to achieve security objectives, and enhancing validation procedures,” commented Lance Johnson, the Executive Director of the PCI Security Standards Council.

With skilful cybercriminals exploiting both well-established payment methods such as card transactions and the escalating use of the online business environment, the PCI Security Standards Council has carried out the most significant rewrite of its Data Security Standard since its initial release in 2004. But with such broad and all-encompassing alterations, it falls to Chief Information Security Officers (CISOs) and other payment security leaders to ensure their organizations and resources carry out coordinated evaluations of the PCI DSS v4.0 changes, so that the complexity of the new measures is reduced enough to adopt them seamlessly while still maintaining data security controls.

5G is expected to continue accelerating the advancement of the mobile experience within the payments space, as consumers will be able to leverage increasing advancements in biometric-based identification and single sign-on (SSO) verification methods. Along with advanced identity management should come more secure connections for virtual communication and collaboration tools. As companies continue to find innovative ways to leverage 5G-enabled functionality, open architecture and multi-access edge computing (MEC) innovations, security practitioners will need to gauge how these advancements will impact their omnichannel payment ecosystem.