Digital security has just gained new rules, and companies that process card data need to adapt. With the arrival of version 4.0 of the Payment Card Industry Data Security Standard (PCI DSS), established by the PCI Security Standards Council (PCI SSC), the changes are significant and directly affect the protection of customer data and how payment data is stored, processed and transmitted. But what, after all, really changes?
The main change is the demand for an even higher level of digital security. Companies will have to invest in advanced technologies such as robust encryption and multi-factor authentication (MFA). MFA requires at least two verification factors to confirm a user's identity before granting access to systems, applications or transactions, making it much harder for attackers to break in even if they have already obtained passwords or personal data.
Among the authentication factors used are:
- Something the user knows: passwords, PINs or answers to security questions.
- Something the user has: physical tokens, SMS with verification codes, authenticating applications (such as Google Authenticator) or digital certificates.
- Something the user is: fingerprint, facial, voice or iris biometrics.
“These layers of protection make unauthorized access much more difficult and ensure greater security for data in transit”, he explains.
“In short, we need to strengthen the protection of customer data by implementing additional measures to prevent unauthorized access”, explains Wagner Elias, CEO of Conviso, a developer of application security solutions. “It is no longer a matter of ‘adapting when necessary’, but of acting preventively”, he points out.
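As an added illustration of the "something the user has" factor (example code written for this article, not Conviso's software or any product mentioned here): the Python below implements the RFC 6238 time-based one-time password (TOTP) scheme that authenticator apps such as Google Authenticator use, together with the server-side check a practitioner actually needs: a one-step tolerance for clock drift between the phone and the server, and rejection of a code that has already been accepted, so that an intercepted code cannot simply be replayed. The secret is the RFC 6238 reference-vector value and is a constructed example; a real deployment generates a random secret per user and stores it as carefully as a password hash.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example secret: the ASCII RFC 6238 reference-vector secret.
# Real deployments generate a random per-user secret (e.g. os.urandom(20)).
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # time-step length used by common authenticator apps
DIGITS = 6          # code length shown to the user


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=STEP_SECONDS):
    """RFC 6238 TOTP: HOTP whose counter is the number of time steps since the Unix epoch."""
    return hotp(secret, at_time // step)


def provisioning_secret(secret):
    """Base32 form of the secret, which is what an authenticator app is enrolled with."""
    return base64.b32encode(secret).decode("ascii")


class TotpVerifier:
    """Server-side verification with a +/- `window` step tolerance and replay protection."""

    def __init__(self, secret, step=STEP_SECONDS, window=1):
        self.secret = secret
        self.step = step
        self.window = window
        self.last_accepted_counter = -1   # highest time-step already used for a login

    def verify(self, submitted, at_time=None):
        now = int(time.time()) if at_time is None else at_time
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if counter <= self.last_accepted_counter:
                continue   # a code for this step (or an older one) was already accepted: replay
            # constant-time comparison so a wrong code cannot be distinguished by timing
            if hmac.compare_digest(hotp(self.secret, counter), submitted):
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    verifier = TotpVerifier(DEMO_SECRET)
    code = totp(DEMO_SECRET, int(time.time()))
    print("enrol with:", provisioning_secret(DEMO_SECRET))
    print("current code:", code, "accepted:", verifier.verify(code))
    print("same code again accepted:", verifier.verify(code))   # False: replay rejected
```

The verifier keeps the last accepted time step per user, which is the check most home-grown implementations forget: without it, a code captured from a user's screen or a phishing page stays valid for the full 30-second step plus the drift window.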
According to the new rules, implementation takes place in two phases: the first, with 13 new requirements, had a deadline of March 2024. The second phase, which is more demanding, includes 51 additional requirements and must be met by March 31, 2025. In other words, those who have not prepared may face severe penalties.
To meet the new requirements, some of the main actions include:
- implementing firewalls and robust protection systems;
- using encryption for data in transmission and storage;
- continuously monitoring and tracking suspicious access and activity;
- constantly testing processes and systems to identify vulnerabilities;
- creating and maintaining a strict information security policy.
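To make the "monitor and track suspicious access" action concrete, here is an added Python example (written for this article, not code from Conviso or any system it describes) that runs two simple detections over a handful of constructed access-log lines: a burst of failed logins from one source address within a sliding window, a successful login from that same address afterwards, and any access to a cardholder-data resource by an account that is not on the authorized list. The log format, the authorized-user set and the thresholds are all assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines for this example (not from any real system).
# Format: ISO-8601 timestamp, user, source IP, outcome, resource.
SAMPLE_LOG = """\
2025-03-01T10:00:01Z alice 10.0.0.5 FAIL /admin/login
2025-03-01T10:00:03Z alice 10.0.0.5 FAIL /admin/login
2025-03-01T10:00:04Z alice 10.0.0.5 FAIL /admin/login
2025-03-01T10:00:06Z alice 10.0.0.5 FAIL /admin/login
2025-03-01T10:00:07Z alice 10.0.0.5 FAIL /admin/login
2025-03-01T10:00:09Z alice 10.0.0.5 OK /admin/login
2025-03-01T10:01:00Z bob 10.0.0.9 OK /reports/cardholder-export
2025-03-01T10:05:00Z carol 10.0.0.7 OK /reports/cardholder-export
2025-03-01T10:06:00Z dave 10.0.0.8 FAIL /admin/login
"""

# Assumed policy values for the example: who may touch cardholder-data resources
# and what counts as a burst of failed logins.
AUTHORIZED_CHD_USERS = {"bob"}
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(seconds=60)
CHD_MARKER = "cardholder"


def parse_line(line):
    """Split one log line into a dict; the format is the constructed one above."""
    ts, user, ip, outcome, resource = line.split()
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user, "ip": ip, "outcome": outcome, "resource": resource,
    }


def detect(log_text):
    """Return (alert_type, subject, time) tuples for the suspicious events in the log."""
    alerts = []
    fails = defaultdict(deque)   # ip -> timestamps of recent failed logins (sliding window)
    burst_ips = set()            # ips already flagged, so each burst alerts only once
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["outcome"] == "FAIL":
            q = fails[ev["ip"]]
            q.append(ev["time"])
            while q and ev["time"] - q[0] > FAIL_WINDOW:
                q.popleft()              # drop failures older than the window
            if len(q) >= FAIL_THRESHOLD and ev["ip"] not in burst_ips:
                burst_ips.add(ev["ip"])
                alerts.append(("failed_login_burst", ev["ip"], ev["time"]))
        else:
            # A success right after a burst from the same source suggests a guessed credential.
            if ev["ip"] in burst_ips and ev["resource"].endswith("/login"):
                alerts.append(("success_after_burst", ev["ip"], ev["time"]))
            # Cardholder-data resources are restricted to an explicit allow-list of accounts.
            if CHD_MARKER in ev["resource"] and ev["user"] not in AUTHORIZED_CHD_USERS:
                alerts.append(("unauthorized_chd_access", ev["user"], ev["time"]))
    return alerts


if __name__ == "__main__":
    for kind, subject, when in detect(SAMPLE_LOG):
        print(f"{when.isoformat()} {kind} {subject}")
```

On the sample input the detector raises three alerts: the burst from 10.0.0.5, the successful login from that address two seconds later, and carol's export of cardholder data; bob's identical export is silent because his account is on the allow-list, and dave's single failure stays below the threshold. In production the same logic would read from a log pipeline rather than a string, but the two ingredients, a time-bounded window per source and an explicit allow-list for sensitive resources, are what the standard's monitoring requirement boils down to.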
Wagner points out that, in practice, this means that any company that handles card payments will need to review its entire digital security structure. This involves updating systems, enforcing internal policies and training teams to minimize risk. “For example, an e-commerce company will need to ensure that customer data is encrypted end-to-end and that only authorized users have access to sensitive information. A retail chain, in turn, will have to implement mechanisms to continuously monitor possible fraud attempts and data leaks”, he says.
Banks and fintechs will also need to strengthen their authentication mechanisms, expanding the use of technologies such as biometrics and multi-factor authentication. “The aim is to make transactions more secure without compromising the customer experience. This requires a balance between protection and usability, something the financial sector has already been improving in recent years”, he points out.
But why is this change so important? It is no exaggeration to say that digital fraud is increasingly sophisticated. Data breaches can result in losses in the millions and irreparable damage to customer trust.
Wagner Elias warns: “Many companies still adopt a reactive posture, only worrying about security after an attack has happened. This behavior is worrying, because security failures can cause significant financial losses and irreparable damage to the organization's reputation, which could be avoided with preventive measures”.
He also points out that, to avoid these risks, the key differentiator is to adopt application security (AppSec) practices from the very beginning of a new application's development, so that each phase of the software development cycle already has protection measures in place. Building protection into every phase of the software lifecycle is far more economical than remedying the damage after an incident.
The application security market, worth US$ 11.62 billion in 2024, is expected to reach US$ 25.92 billion by 2029, according to Mordor Intelligence.
Wagner explains that approaches such as DevOps allow each line of code to be developed with protection practices, as do services such as penetration testing and vulnerability mitigation. “Security performance analysis and test automation enable companies to meet the standards without compromising efficiency.”
In addition, specialized consulting is important in this process, helping companies adapt to the new requirements of PCI DSS 4.0. “Among the most sought-after services are penetration testing, Red Team exercises and third-party security assessments, which help identify and correct vulnerabilities before they can be exploited by criminals”, he says.
With digital fraud becoming more sophisticated, ignoring data security is no longer an option. “Companies that invest in preventive measures ensure the protection of their customers and strengthen their position in the market. Implementing the new guidelines is, above all, an essential step toward building a safer and more reliable payment environment”, he concludes.