PCI compliance rules and e-commerce need a higher level of security

Digital security has just gained new rules, and companies that process card data need to adapt. With the arrival of version 4.0 of the Payment Card Industry Data Security Standard (PCI DSS), established by the PCI Security Standards Council (PCI SSC), the changes are significant and directly affect the protection of customer data and how payment data is stored, processed and transmitted. But what actually changes?

The main change is the need for an even higher level of digital security. Companies will have to invest in advanced technologies, such as robust cryptography and multifactor authentication. Multifactor authentication requires at least two verification factors to confirm the user's identity before granting access to systems, applications or transactions, making intrusions harder even if criminals already have the user's password or personal data.

Among the authentication factors used are:

    • Something the user knows: passwords, PINs or answers to security questions
    • Something the user has: physical tokens, SMS verification codes, authenticator apps (such as Google Authenticator) or digital certificates
    • Something the user is: digital biometrics, such as facial, voice or iris recognition
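The combination the article describes, a knowledge factor plus a possession factor, is shown below as an added example; it is not code from the article, from Conviso or from the PCI SSC. It stores the password as a salted PBKDF2 hash and verifies a six-digit one-time code of the kind an authenticator app produces (TOTP, RFC 6238, built on HOTP, RFC 4226). The user record, the base32 secret and the function names are constructed for the demo; the standard test secret `12345678901234567890` from the RFCs is used to check the one-time-code arithmetic.

```python
"""Two-factor login check: something the user knows (password) plus something
the user has (an authenticator app generating TOTP codes).

Added example, not from the article or from Conviso. All names below are
hypothetical; the demo user and its secret are constructed for illustration."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Tuple

# --- Factor 1: something the user knows (password stored as a salted hash) ---

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; returns (salt, digest)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

# --- Factor 2: something the user has (authenticator app, RFC 4226 / RFC 6238) ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password for a given counter value (RFC 4226)."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password: HOTP over the current 30-second window."""
    return hotp(secret, at // step, digits)

def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current window plus/minus `window` neighbours to absorb clock drift."""
    counter = at // 30
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))

# --- Both factors together ---

def login(user: dict, password: str, code: str, at: Optional[int] = None) -> Tuple[bool, str]:
    """Both factors must pass: a leaked password alone does not get in."""
    at = int(time.time()) if at is None else at
    if not verify_password(password, user["salt"], user["pw_digest"]):
        return False, "password rejected"
    if not verify_totp(user["totp_secret"], code, at):
        return False, "one-time code rejected"
    return True, "authenticated"

# Constructed demo user (hypothetical). The base32 string is the kind of secret
# a QR code hands to an authenticator app during enrolment.
DEMO_SECRET = base64.b32decode("JBSWY3DPEHPK3PXP")
DEMO_SALT, DEMO_DIGEST = hash_password("correct horse battery staple", salt=b"\x00" * 16)
DEMO_USER = {"salt": DEMO_SALT, "pw_digest": DEMO_DIGEST, "totp_secret": DEMO_SECRET}

if __name__ == "__main__":
    now = int(time.time())
    good_code = totp(DEMO_SECRET, now)
    print(login(DEMO_USER, "correct horse battery staple", good_code, now))
    print(login(DEMO_USER, "correct horse battery staple", "000000", now))  # password known, no token
    print(login(DEMO_USER, "wrong password", good_code, now))                # token known, no password
```

The drift window is the usual trade-off: accepting one neighbouring 30-second step keeps phones with slightly wrong clocks working, while widening it further gives a guessed code more chances to match, so the verifier should also rate-limit failed attempts.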

"These layers of protection make unauthorized access much more difficult and ensure greater security for sensitive data," explains Wagner Elias, CEO of Conviso, a developer of application security solutions.

"In short, customer data protection must be strengthened by implementing additional measures to prevent unauthorized access," he adds. "It is no longer a matter of 'adapting when necessary', but of acting preventively," he stresses.

According to the new rules, implementation takes place in two phases: the first, with 13 new requirements, had its deadline in March 2024. The second, more demanding phase includes 51 additional requirements and must be met by March 31, 2025. In other words, those who do not prepare may face severe penalties.

To adapt to the new requirements, the main actions include: implementing firewalls and robust protection systems; using encryption for data in transit and at rest; continuously monitoring and tracking access and suspicious activity; testing processes and systems constantly to identify vulnerabilities; and creating and maintaining a strict information security policy.

Wagner emphasizes that, in practice, this means any company handling card payments will need to review its entire digital security structure. This involves updating systems, strengthening internal policies and training teams to minimize risk. For example, an e-commerce operation will need to ensure that customer data is encrypted end to end and that only authorized users have access to sensitive information. A retail chain will have to implement mechanisms to continuously monitor for attempted fraud and data leaks, he says by way of example.

Banks and fintechs will also need to strengthen their authentication mechanisms, expanding the use of technologies such as biometrics and multi-factor authentication. "The goal is to make transactions safer without compromising the customer experience." This requires a balance between protection and usability, something the financial sector has been refining in recent years, he points out.

But why is this change so important? It is no exaggeration to say that digital fraud is becoming increasingly sophisticated. Data breaches can result in multimillion-dollar losses and irreparable damage to customer trust.

Wagner Elias warns: "Many companies still adopt a reactive stance, only worrying about security after an attack happens. This behavior is concerning, since security failures can lead to significant financial losses and irreparable damage to the organization's reputation, which could be avoided with preventive measures."

He also emphasizes that, to avoid these risks, a major differentiator is adopting Application Security practices from the very start of developing a new application, so that each phase of the software development cycle already has protective measures. This guarantees that protection is built in at every stage of the software lifecycle, which is far more economical than remedying the damage after an incident.

It is worth remembering that this is a trend that has been growing worldwide. The application security market, worth US$ 11.62 billion in 2024, is expected to reach US$ 25.92 billion by 2029, according to Mordor Intelligence.

Wagner explains that solutions such as DevOps allow each line of code to be developed with protection practices, alongside services such as penetration testing and vulnerability mitigation. "Continuous security analysis and test automation allow companies to meet the standards without compromising efficiency," he notes.

Furthermore, specialized consultancies are important in this process, helping companies adapt to the new requirements of PCI DSS 4.0. "Among the most sought-after services are Penetration Testing, Red Team and third-party security assessments, which help identify and fix vulnerabilities before criminals can exploit them," he reports.

With digital fraud growing ever more sophisticated, ignoring data security is no longer an option. Companies that invest in preventive measures protect their customers and strengthen their position in the market. Implementing the new guidelines is, above all, an essential step toward building a safer and more reliable payment environment, he concludes.

E-Commerce Update (https://www.ecommerceupdate.org)
E-Commerce Update is a leading company in the Brazilian market, specialized in producing and disseminating high-quality content about the e-commerce sector.