Get Ready for 2025 PCI DSS: Expert Tips to Stay Compliant

12/02/24

News


We are rapidly approaching the second major compliance deadline for Payment Card Industry Data Security Standard version 4.0 (PCI DSS 4.0), at which "best practice" requirements become mandatory. When PCI DSS 4.0 was first released as an updated framework for businesses to secure cardholder data, 46 of its requirements were listed as "best practices," meaning they were not required for PCI assessments until March 31, 2025. As of April 1, 2025, these requirements apply to all PCI assessments and must be addressed in some manner. As we help our clients prepare to meet these requirements, we've found that a few areas—Targeted Risk Analysis, Phishing Enhancements, and Security Awareness Program Enhancements—typically need more time or resources than clients expect. We will explore how these requirements apply to your business and what you should be thinking about as you implement them.

Targeted Risk Analysis

PCI DSS 4.0 introduced the concept of targeted risk analysis (TRA) in requirement 12.3.1, replacing the traditional enterprise-wide risk assessment in prior versions of PCI DSS. TRA allows your business to focus on PCI DSS requirements that offer flexibility in how frequently a control is performed. It enables you to evaluate your risk and determine the security impact of specific requirement controls based on your environment. For example, TRA helps determine how frequently an activity should be performed based on the risk to the environment.

To ensure accuracy and consistency with your organizational policies and procedures, PCI DSS 4.0 requires this risk analysis to be conducted according to a defined methodology. The risk analysis identifies the specific assets—such as system components and data (e.g., log files or credentials)—that the requirement is intended to protect. It also considers the threat(s) or outcomes that the requirement defends against, such as malware, undetected intruders, or misuse of credentials.

The following areas should be considered as part of the TRA methodology:

  • Establishing evaluation frequency: TRA defines how often the system components should be evaluated, with schedules tailored to the results of the risk analysis. This ensures that resources are allocated efficiently. The criteria for determining these frequencies are documented to maintain transparency and consistency across assessments.
  • Updating risk management policies: Your company's risk management policy should be revised to incorporate the TRA methodology and the associated evaluation frequencies. By integrating these new procedures into your existing policy framework, you'll be able to align your company's practices with evolving risk management standards and ensure comprehensive governance going forward.
  • Implementing periodic evaluation procedures: Procedures for regularly evaluating identified system components are standardized through the development of checklists and guidelines. Evaluations are scheduled and conducted according to the defined frequencies, ensuring that all components are periodically reviewed. This systematic approach supports proactive risk monitoring while minimizing unnecessary effort.
  • Documentation and record-keeping: A secure repository should be established for storing detailed records of risk analyses, evaluation outcomes, and any resulting actions. This repository ensures that your documentation is readily accessible for internal review and external assessments, supporting both accountability and compliance with requirements.
  • Adapting to a changing landscape: Recognizing the dynamic nature of the threat landscape and system architectures, your risk analysis process should undergo an annual review. Adjustments to risk classifications and evaluation frequencies should be made as necessary, ensuring that your company's risk management practices remain relevant and effective.
  • Staff education and training: Once your methodology is in place, ensure that relevant staff are trained in the TRA process and evaluation procedures. Training sessions will enhance their understanding and promote consistent execution across teams. Training records should be maintained to demonstrate compliance and support continuous improvement.
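As an added illustration of the methodology above (this is example code, not from UHY or the PCI SSC), the following Python sketch tracks TRA records and flags the gaps an assessor would look for: missing assets or threats, an undefined or unjustified frequency, an overdue activity, and an analysis that has not had its annual review. The record fields, control labels, and sample data are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Added example for PCI DSS 4.0 requirement 12.3.1 (targeted risk analysis).
# Field names and sample records are constructed; labels like "control-A"
# are placeholders, not real PCI DSS requirement numbers.

@dataclass
class TraRecord:
    control: str            # placeholder label for the control whose frequency the TRA sets
    assets: list            # system components / data the control protects
    threats: list           # outcomes the control defends against
    frequency_days: int     # how often the activity is performed
    criteria: str           # documented rationale for that frequency
    last_performed: date    # last time the activity was carried out
    last_reviewed: date     # last review of the analysis itself (page: annual)

ANNUAL_REVIEW = timedelta(days=365)
TODAY = date(2025, 4, 1)  # constructed "today" for the sample run

def next_due(rec: TraRecord) -> date:
    """Date the controlled activity must next be performed."""
    return rec.last_performed + timedelta(days=rec.frequency_days)

def findings(rec: TraRecord, today: date = TODAY) -> list:
    """Gaps an assessor would flag for one TRA record (empty list = clean)."""
    gaps = []
    if not rec.assets:
        gaps.append("no assets identified")
    if not rec.threats:
        gaps.append("no threats identified")
    if rec.frequency_days <= 0 or not rec.criteria.strip():
        gaps.append("frequency not defined or not justified")
    if today > next_due(rec):
        gaps.append("activity overdue since %s" % next_due(rec).isoformat())
    if today - rec.last_reviewed > ANNUAL_REVIEW:
        gaps.append("annual review of the analysis overdue")
    return gaps

# Constructed sample data: one complete record and one with several gaps.
SAMPLE = [
    TraRecord("control-A", ["log server"], ["undetected intruder"], 30,
              "logs forwarded to SIEM with alerting, so a 30-day manual review suffices",
              date(2025, 3, 20), date(2025, 1, 15)),
    TraRecord("control-B", [], ["malware"], 0, "",
              date(2024, 9, 1), date(2024, 2, 1)),
]

def report(today: date = TODAY) -> dict:
    """Map each control label to its list of findings."""
    return {r.control: findings(r, today) for r in SAMPLE}
```

A real tracker would load these records from the repository described above and run the report before each assessment cycle.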

Phishing Enhancements

PCI DSS 4.0 Requirement 5.4.1 focuses on detecting and protecting personnel against phishing attacks. To meet this requirement effectively, your organization should implement processes and automated mechanisms designed to detect and mitigate phishing threats. A multi-layered approach that combines technology, training, and processes is essential to protect against phishing attacks.

The following measures are designed to detect, prevent, and respond to phishing threats effectively:

  • Advanced email filtering solutions are critical in intercepting phishing attempts before they reach employees. Security gateways leveraging AI and machine learning can detect suspicious emails, including those using sophisticated phishing tactics. These systems should be supported by regularly updated filtering algorithms to adapt to evolving phishing techniques.
  • Web filtering technologies further reduce risk by blocking access to malicious content linked in phishing emails. Configuring web filters to block known malicious domains and URLs and maintaining an up-to-date database of phishing websites ensures proactive defense against threats.
  • Security awareness training empowers employees to recognize and respond effectively to phishing threats. Training sessions should include real-world examples of phishing attacks and practical exercises. Simulated phishing campaigns can also help test and improve employee vigilance.
  • User-friendly reporting mechanisms should be established to ensure swift identification of phishing attempts. Employees must have easy access to tools for reporting suspected phishing emails. All reports should be analyzed, and confirmed threats should be integrated into the organization's threat intelligence feeds.
  • An incident response plan tailored to address phishing incidents should define clear protocols for containment, eradication, and recovery. This plan must be regularly tested through drills and tabletop exercises to ensure readiness and effectiveness.
  • Deploying multi-factor authentication (MFA) is essential to mitigate the risks associated with compromised credentials. MFA should be implemented across all systems, especially those accessible from the internet, while educating users on its importance as a critical security layer.
  • Regular risk assessments are necessary to continuously evaluate and strengthen anti-phishing defenses. These assessments should review the effectiveness of existing controls, identify areas of improvement, and inform updates to your organization's anti-phishing strategy.
  • Continuous monitoring of network and email traffic for phishing indicators can provide your business with faster detection of an event. Utilizing Security Information and Event Management (SIEM) systems enables real-time detection of phishing activity through alerts that should be investigated to minimize potential impacts.

Security Awareness Program Enhancements

PCI DSS 4.0 Requirement 12.6.3.1 highlights the need to include awareness of threats and vulnerabilities that could impact the security of the cardholder data environment (CDE) in your security awareness training program. Specifically, it mentions threats such as phishing, social engineering, and related attacks.

To ensure compliance with PCI DSS 4.0, the security awareness training program must undergo a comprehensive review and update. This process involves aligning the program with the latest requirements, addressing newly introduced threats and vulnerabilities, and incorporating targeted training to mitigate risks effectively.

The updated program should emphasize key areas of vulnerability, starting with phishing attacks, which have been a major factor in many breaches. The training should help your employees recognize and respond to various forms of phishing, including email, voice, and text-based attacks. They should learn how to identify suspicious emails, URLs, and attachments, as well as the importance of promptly reporting potential threats. Similarly, social engineering techniques—such as pretexting, baiting, and tailgating—should be covered using practical examples to ensure employees are prepared to handle these tactics and to verify the identity of individuals seeking sensitive access.

We recommend enhancing employee engagement and retention by incorporating realistic scenarios and simulations. These exercises should mimic real-world phishing and social engineering attempts that apply to your company’s industry and size. This approach will provide employees with a safe environment to practice their responses and build confidence in their ability to recognize and react appropriately to threats. Additionally, your organization should develop role-specific training to ensure employees understand the risks associated with their job functions and how to respond effectively.

Your program should also include detailed explanations of common attack techniques, such as email impersonation and pretext scenarios, which will help employees spot red flags early. Periodic testing, including simulated phishing campaigns and social engineering exercises, will assess the effectiveness of the training and identify areas for improvement for your employees and the training program itself.

Incident response procedures should also be integrated into the training to guide employees in handling potential security breaches, from reporting the incident to mitigating potential damage.

Security is a shared responsibility, and the training program should extend to third-party vendors and partners with access to sensitive systems. This ensures that everyone involved is aware of your organization's security expectations and equipped to comply.

Finally, feedback should be actively sought from employees to refine and improve your program continuously, ensuring it evolves to address new challenges and remains a robust defense against changing threats. A clear and secure reporting process should be a cornerstone of your program, empowering employees to report suspected security incidents without fear of reprisal. Regular and ongoing training sessions, including annual refreshers, will keep your workforce updated on emerging threats and reinforce a culture of vigilance.

We are here to help our clients understand how these PCI requirements apply to their specific use case and implement solutions that meet their needs. While many companies have a portion of these requirements in place, it is important to ensure that the new requirements are fully addressed by your company and that updated documentation is maintained as you begin to work towards your 2025 PCI DSS compliance goals.


TY COFFEE

Principal, UHY Consulting

Ty Coffee is a Principal with UHY Consulting, providing solutions that strengthen organizations. He brings over 19 years of experience managing, performing, and delivering information technology security solutions. This experience includes technology risk management, IT auditing, IT security assessments, internal auditing, attack-and-penetration testing services, and security analysis in domestic and global entities.
