Digital security has just gained new rules, and companies that process card data need to adapt. With the arrival of version 4.0 of the Payment Card Industry Data Security Standard (PCI DSS), established by the PCI Security Standards Council (PCI SSC), the changes are important and directly impact the protection of customer data and how payment data is stored, processed, and transmitted. But what really changes?
The main change is the need for an even higher level of digital security. Companies will have to invest in advanced technologies, such as robust encryption and multifactor authentication. This method requires at least two verification factors to confirm the user’s identity before granting access to systems, applications, or transactions, making invasions more difficult, even if criminals have access to passwords or personal data.
Among the authentication factors used are:
- Something the user knows: passwords, PINs, or answers to security questions.
- Something the user has: physical tokens, SMS with verification codes, authenticator apps (such as Google Authenticator), or digital certificates.
- Something the user is: digital biometrics, facial recognition, voice recognition, or iris.
“These layers of protection make unauthorized access much more difficult and ensure greater security for sensitive data,” explains.
“In short, it is necessary to enhance the protection of customer data by implementing additional measures to prevent unauthorized access,” explains Wagner Elias, CEO of Conviso, a developer of application security solutions. “It is no longer a matter of ‘adapting when necessary,’ but of acting preventively,” he emphasizes.
According to the new rules, implementation occurs in two phases: the first, with 13 new requirements, had the final deadline in March 2024. The second phase, more demanding, includes 51 additional requirements and should have been met by March 31, 2025. In other words, those who are not prepared may face severe penalties.
To meet the new requirements, some of the key actions include: implementing robust firewalls and protection systems; using encryption in data transmission and storage; continuously monitoring and tracking suspicious accesses and activities; constantly testing processes and systems to identify vulnerabilities; creating and maintaining a strict information security policy.
Wagner emphasizes that, in practice, this means that any company handling card payments will need to review its entire digital security structure. This involves updating systems, reinforcing internal policies, and training teams to minimize risks. “For example, an e-commerce business will need to ensure that customer data is end-to-end encrypted and that only authorized users have access to sensitive information. On the other hand, a retail network will have to implement mechanisms to continuously monitor possible fraud attempts and data leaks,” he exemplifies.
Banks and fintechs will also need to strengthen their authentication mechanisms, expanding the use of technologies such as biometrics and multifactor authentication. “The goal is to make transactions more secure without compromising the customer experience. This requires a balance between protection and usability, something that the financial sector has been improving in recent years,” he emphasizes.
But why is this change so important? It is not an exaggeration to say that digital frauds are becoming increasingly sophisticated. Data leaks can result in million-dollar losses and irreparable damage to customer trust.
Wagner Elias warns: “many companies still adopt a reactive posture, only worrying about security after an attack occurs. This behavior is concerning because security failures can result in significant financial losses and irreparable damage to the organization’s reputation, which could be avoided with preventive measures.”
He also emphasizes that to avoid these risks, the key differential is to adopt Application Security practices from the beginning of developing the new application, ensuring that each phase of the software development cycle already has protective measures. This ensures the inclusion of protective measures in all phases of the software life cycle, being much more economical than remediating damages after an incident.”
It is worth noting that this is a trend that is growing worldwide. The application security market, which is expected to reach $25.92 billion by 2029, up from $11.62 billion in 2024, according to Mordor Intelligence.
Wagner explains that solutions like DevOps allow every line of code to be developed with security practices, in addition to services like penetration testing and vulnerability mitigation. “Performing continuous security analysis and test automation enables companies to comply with regulations without compromising efficiency,” he emphasizes.
Furthermore, specialized consultancies play a crucial role in this process, helping companies to adapt to the new requirements of PCI DSS 4.0. “Among the most sought-after services are Penetration Testing, Red Team, and third-party security assessments, which help identify and fix vulnerabilities before they can be exploited by criminals,” he explains.
With increasingly sophisticated digital frauds, ignoring data security is no longer an option. “Companies that invest in preventative measures ensure the protection of their customers and strengthen their position in the market. Implementing the new guidelines is, above all, an essential step in building a safer and more reliable payment environment,” he concludes.
