In partnership with Red Sift, we recently hosted a webinar to explore the latest changes in PCI DSS v4.0 and how these updates will impact businesses managing customer payment information.
If you missed the session, you can find a recording below, as well as a brief overview of what was covered and why PCI DSS v4.0 should be a priority as you prepare for the 31 March 2025 deadline, when the standard's future-dated requirements become mandatory.
Key Takeaways from our PCI DSS v4.0 webinar.
The latest version of PCI DSS, v4.0, introduces significant changes designed to help businesses strengthen their data security and payment protection. With its emphasis on risk management and flexibility, it gives large organisations and smaller merchants alike a more adaptable route to compliance.
As Cornelius Goosen, Secon’s Head of Sales and Marketing, highlighted during the webinar, “the new version allows organisations to tailor controls to their specific payment processing risks, moving away from prescriptive requirements to a more dynamic, risk-based model.”
Here are the major highlights of the changes introduced in PCI DSS v4.0:
- Risk-Based Controls: Alongside the familiar defined approach, v4.0 adds a customised approach that lets an organisation meet a requirement's stated objective with controls of its own design, supported by a targeted risk analysis, rather than following a one-size-fits-all checklist.
- Continuous Monitoring and Testing: v4.0 expects audit log review to be automated (Requirement 10.4.1.1) and failures of critical security control systems to be detected, alerted on and addressed promptly (Requirement 10.7.2). A Security Operations Centre (SOC) fed by a Security Information and Event Management (SIEM) platform is the usual way to meet this; the aim is to spot attacks and control failures as they happen rather than discover them at the next assessment.
- Multi-Factor Authentication (MFA): Under v3.2.1, MFA was required for remote network access and for non-console administrative access to the cardholder data environment (CDE). Requirement 8.4.2 now extends MFA to all access into the CDE, whether the user is an employee, an administrator or a third party.
- Enhanced Password Policies: Requirement 8.3.6 raises the minimum password length from seven to twelve characters (eight where a system cannot support twelve), and passwords must still contain both letters and numbers.
- Stronger Encryption Standards: Stored PAN must be rendered unreadable with strong cryptography. Under Requirement 3.5.1.1 a hash used for this must be a keyed cryptographic hash of the entire PAN, and under 3.5.1.2 disk-level or partition-level encryption on its own no longer counts, except on removable media. PAN transmitted over open, public networks must be protected with strong cryptography using only valid, trusted keys and certificates (Requirement 4.2.1).
- Incident Response Plans: Requirement 12.10.2 expects the plan to be reviewed and tested at least once every 12 months, so a document on file is not enough. The webinar encouraged red-team, blue-team and purple-team exercises as a way to test response capabilities against realistic attack scenarios.
Addressing Business Email Compromise and Cryptography.
One of the new requirements under PCI DSS v4.0.1 is aimed at phishing. Requirement 5.4.1 mandates mechanisms to detect and protect personnel against phishing attacks: the guidance points to technical controls such as email filtering, anti-spoofing measures like DMARC, SPF and DKIM, and link and attachment analysis, complemented by the phishing and social-engineering content that Requirement 12.6.3.1 adds to security awareness training. It is a future-dated requirement that becomes mandatory on 31 March 2025, and it addresses a risk that has been growing for many organisations.
Cornelius noted the growing importance of certificate management and cryptography: “Certificates used to safeguard payment account numbers (PAN) must be valid, not expired, and should not have been revoked. Moreover, businesses need to maintain an inventory of these certificates to ensure proper management.” These steps (Requirements 4.2.1 and 4.2.1.1) are essential in mitigating man-in-the-middle attacks and other forms of data interception: a client that still accepts an expired or revoked certificate has no basis for trusting the server it is about to send PAN to.
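The checks in that quote can be automated. The Go program below is an added example written for this page, not code from Secon, Red Sift or the webinar. It builds an in-memory CA, a CRL and three constructed leaf certificates (one valid, one expired, one revoked), then audits each against the 4.2.1 criteria: inside its validity window, chained to the trusted CA, and absent from a CRL that the CA signed and that is still current. Each result is recorded as an inventory row of the kind 4.2.1.1 asks for. The CA name, host names, serial numbers and the 31 March 2025 audit clock are all assumptions; the CRL freshness check goes slightly beyond the quote, because a stale or unsigned CRL leaves revocation status unknown and must not be reported as a pass.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// InventoryEntry is one row of the certificate inventory that Requirement 4.2.1.1 asks for.
type InventoryEntry struct {
	Subject, Issuer, Serial string
	NotAfter                time.Time
	Status                  string // valid | not-yet-valid | expired | untrusted | revoked
}

// AuditCert applies the Requirement 4.2.1 checks to one certificate at clock now: inside its
// validity window, chained to the trusted CA, and absent from that CA's CRL. A CRL the CA did
// not sign, or one past its NextUpdate, is an error rather than a pass: revocation status is unknown.
func AuditCert(leafDER []byte, ca *x509.Certificate, crl *x509.RevocationList, now time.Time) (InventoryEntry, error) {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return InventoryEntry{}, err
	}
	e := InventoryEntry{Subject: leaf.Subject.CommonName, Issuer: leaf.Issuer.CommonName,
		Serial: leaf.SerialNumber.Text(16), NotAfter: leaf.NotAfter, Status: "valid"}
	// Validity window first, so an expired certificate is reported as such rather than as a chain failure.
	if now.Before(leaf.NotBefore) {
		e.Status = "not-yet-valid"
		return e, nil
	}
	if now.After(leaf.NotAfter) {
		e.Status = "expired"
		return e, nil
	}
	roots := x509.NewCertPool() // chain to the one CA we trust, pinned to the same clock
	roots.AddCert(ca)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		e.Status = "untrusted"
		return e, nil
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return e, fmt.Errorf("CRL not signed by issuer: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return e, fmt.Errorf("CRL stale since %s", crl.NextUpdate.Format(time.RFC3339))
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			e.Status = "revoked"
		}
	}
	return e, nil
}

// must keeps the constructed fixture short: a failure there is a bug in the example, not an audit result.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewScenario returns constructed data: an in-memory CA, its CRL, three leaf certificates keyed
// "good", "expired" and "revoked", and the assumed audit clock. Nothing here touches disk or network.
func NewScenario() (ca *x509.Certificate, crl *x509.RevocationList, leaves map[string][]byte, now time.Time) {
	now = time.Date(2025, 3, 31, 12, 0, 0, 0, time.UTC)
	day := 24 * time.Hour
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Merchant Root CA"},
		NotBefore: now.Add(-365 * day), NotAfter: now.Add(5 * 365 * day), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	// Re-parse the CA so it carries the SubjectKeyId that CreateRevocationList requires.
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	issue := func(serial int64, cn string, notAfter time.Time) []byte {
		key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		return must(x509.CreateCertificate(rand.Reader, &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
			NotBefore: now.Add(-30 * day), NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}, ca, &key.PublicKey, caKey))
	}
	leaves = map[string][]byte{
		"good":    issue(1001, "payments.example.com", now.Add(90*day)),
		"expired": issue(1002, "legacy-gateway.example.com", now.Add(-day)),
		"revoked": issue(1003, "old-pos.example.com", now.Add(90*day)),
	}
	crl = must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Hour), NextUpdate: now.Add(7 * day),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(1003), RevocationTime: now.Add(-time.Hour)}},
	}, ca, caKey))))
	return ca, crl, leaves, now
}
```

In a real estate the leaf DER comes from a PEM file, a load balancer's configuration or a live TLS handshake, and the CRL from the distribution point named in the certificate; the audit logic stays the same. The rows that AuditCert returns are what the 4.2.1.1 inventory should hold for every certificate that protects PAN in transit, and the "expired" and "revoked" rows are the ones that need a ticket raised before the next assessment. OCSP is the other revocation mechanism and is not shown here.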
Practical Solutions for Achieving Compliance.
During the webinar, both Secon and Red Sift emphasised that compliance is achievable, even for smaller businesses. Red Sift's tools, such as Red Sift OnDMARC, help automate complex processes such as managing the email authentication protocols (SPF, DKIM and DMARC) that stop attackers sending mail that appears to come from the business, so that it can maintain secure, trusted communication with its customers.
Additionally, for those concerned about the costs associated with implementing SIEM or SOC solutions, Cornelius highlighted the importance of choosing the right solution: “There are vendors out there who cater to smaller organisations, offering scalable solutions that won’t break the bank.” These tailored services can help businesses meet their compliance needs without overextending their resources.
Preparing for 2025: What Should You Do Next?
PCI DSS v4.0 has been the only active version since v3.2.1 was retired on 31 March 2024, and its future-dated requirements (among them MFA for all access into the CDE, the anti-phishing mechanisms, and the certificate inventory) become mandatory on 31 March 2025. Now is the time to assess where your organisation stands and take action to meet the updated requirements. Whether you're a merchant, payment service provider, or third-party vendor, ensuring that your risk management, encryption standards, and incident response plans are aligned with PCI DSS v4.0 is essential.
At Secon, we are here to help. We’ve been guiding organisations through the complexities of PCI DSS compliance for over a decade. Whether you’re a small merchant or a large enterprise, our team can assist with tailored solutions that not only help you meet compliance but also enhance your overall security posture. If you’d like our support, please get in touch.