
Making Sense of Today’s Payment Cybersecurity Landscape

The surge in cybercrime activity since the outbreak of the COVID-19 pandemic has been tough to ignore. This is particularly true for “high-value” sectors such as finance – especially the payments industry.

Cybercriminals have continuously targeted the financial sector, one of the most visible business sectors worldwide, not only for the cachet that comes with compromising a high-profile finance name, but also for the allure of a potentially lucrative payday. In fact, more than 60% of global financial institutions with over $5 billion in assets were hit by cyberattacks in 2022. And with non-cash transactions hitting a record 157 billion in 2021 in the US alone, the fast-moving payments sector has emerged as a foremost target.

To combat this, the PCI Security Standards Council – which sets industry-wide security standards for payment card data and is led by the major payment card brands – has released version 4.0 of the Payment Card Industry Data Security Standard (PCI DSS). With the current version, PCI DSS v3.2.1, set to be retired on March 31, 2024, the payment card industry, as well as the merchants and service providers that accept or process card payments, has been working diligently to hit the March 31, 2025 date on which v4.0’s future-dated requirements become mandatory. However, with so many new technologies and threats to contend with, and over five years having elapsed since v3.2.1 debuted, getting up to speed with the expectations of v4.0 is proving easier said than done.

What is new in v4.0?

PCI DSS was originally meant to be revised on a three-year cycle, so v4.0 has been long awaited, to say the least. At over 350 pages, v4.0 adds numerous new requirements and strengthens existing ones, including multi-factor authentication for all access into the cardholder data environment (v3.2.1 required it only for administrative and remote access) and expanded security awareness training for employees, covering threats such as phishing and social engineering, among other things. That said, once the legwork of meeting the new requirements is combined with re-verifying compliance against the rest of the standard, adopting v4.0 can seem daunting – especially for businesses seeking PCI DSS compliance for the first time.

  1. Establish a baseline and review guidance pillars

This may seem like a no-brainer, but with such a dense standard – and fines that can run into the millions of dollars for non-compliance – having a firm grasp of your end-to-end compliance posture from the start is pivotal. Like previous versions of PCI DSS, v4.0 is organized into 12 principal requirements that together aim to protect the industry and cardholders themselves, covering everything from network security controls to the cryptography used to protect cardholder data in transit. In tandem with familiarizing themselves with these requirements and seeing how their current controls stack up, businesses need to determine which PCI DSS merchant or service provider level they fall under, because that level dictates how compliance must be validated (for example, an annual on-site assessment by a Qualified Security Assessor versus a self-assessment questionnaire).

  2. Determine the role of technology in your compliance efforts

One of the most interesting aspects of v4.0 is the latitude it gives businesses to use technology to achieve and demonstrate compliance. The compliance technology industry has come a long way since v3.2.1 was introduced, and the posture of the compliance community towards technology has shifted dramatically, with assessors and regulators now expecting, rather than merely encouraging, technology to be part of an organization’s compliance mix. v4.0 formalizes this through its customized approach, which lets an organization meet a requirement’s stated objective with controls of its own design, provided its assessor validates that the objective is met. With that, businesses have greater latitude to deploy cloud services and SaaS tools to meet their ongoing compliance needs – from network monitoring to vulnerability scanning – including the expectations of v4.0. Thus, in addition to identifying gaps or weaknesses against v4.0, businesses also need to decide how they are going to fill them, and how and when technology tools can help them do so.

  3. Embrace flexibility and dynamism

The rapid pace of innovation by cybercriminals means that guidance will very likely be coming at a much greater frequency from the PCI SSC in the years ahead. Businesses therefore need to build cybersecurity strategies that are as flexible and adaptable as possible as new payment technologies and threats come online. Meeting the compliance standards of today is great. However, as the payments world becomes more complex, global and interconnected, businesses simply do not have the luxury of waiting for new guidance before updating their practices. Cybersecurity is a living, breathing thing, and the payments stakeholders that prioritize both baseline preventive controls – like firewalls and anti-malware software – and proactive measures – such as threat hunting and penetration testing – stand a much better chance of not only remaining compliant but also delivering a more secure experience for their customers.

PCI DSS v4.0 is a major marker for the future of cybersecurity health and performance of the payments card industry. However, in addition to meeting this compliance threshold, businesses must continue to look beyond this immediate guidance and engage in proactive cybersecurity strategies that continuously push the boundaries of their own security. If they can do this successfully, the payments card space stands a much greater chance of remaining one step ahead of adversaries and can establish greater trust with consumers for years to come.


Written by Norman Comstock, Managing Director, and Luke Nelson, Managing Director, Cybersecurity Solutions, UHY Consulting. Originally published by DarkReading.
