
Credit Cards: What Changes with the New Digital Security Rules

Digital security has just gained new rules, and businesses that process card data need to adapt. With the arrival of version 4.0 of the Payment Card Industry Data Security Standard (PCI DSS), established by the PCI Security Standards Council (PCI SSC), the changes are significant and directly impact customer data protection and how payment data is stored, processed, and transmitted. But, after all, what really changes?

The main change is the need for an even higher level of digital security. Companies will have to invest in advanced technologies, such as robust encryption and multi-factor authentication. This method requires at least two verification factors to confirm the user’s identity before granting access to systems, applications, or transactions, making intrusions harder, even if criminals have access to passwords or personal data.

Among the authentication factors used are:

  • Something the user knows: passwords, PINs, or answers to security questions.
  • Something the user possesses: physical tokens, SMS with verification codes, authenticator apps (like Google Authenticator), or digital certificates.
  • Something the user is: digital fingerprint, facial recognition, voice recognition, or iris recognition.
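As an added example, not code from the article or from Conviso, the following Python sketch applies the rule behind the list above: access is granted only when the verified factors come from two different categories, so a password plus a security-question answer (both "something the user knows") is not enough, while a password plus an authenticator-app code (RFC 6238 TOTP, "something the user possesses") is. The user record, its salt and its TOTP secret are constructed sample values.

```python
import hashlib
import hmac
import struct
from enum import Enum

class Factor(Enum):
    KNOWLEDGE = "something the user knows"       # password, PIN, security question
    POSSESSION = "something the user possesses"  # authenticator app (TOTP), token
    INHERENCE = "something the user is"          # biometrics (not simulated here)

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the record stores salt + digest, never the password itself
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    # RFC 6238 time-based one-time password over HMAC-SHA1 with RFC 4226 truncation
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"

def verify_totp(secret: bytes, code: str, unix_time: int, drift_steps: int = 1) -> bool:
    # accept the current step and +/- drift_steps for clock skew; constant-time comparison
    return any(hmac.compare_digest(totp(secret, unix_time + d * 30), code)
               for d in range(-drift_steps, drift_steps + 1))

def mfa_login(presented: dict, record: dict, unix_time: int) -> tuple[bool, list[Factor]]:
    """Return (granted, factors that passed). Access needs two *different* categories."""
    passed = []
    if "password" in presented and hmac.compare_digest(
            hash_password(presented["password"], record["salt"]), record["pw_hash"]):
        passed.append(Factor.KNOWLEDGE)
    if "answer" in presented and hmac.compare_digest(
            presented["answer"].strip().lower(), record["answer"]):
        passed.append(Factor.KNOWLEDGE)            # still only "something the user knows"
    if "totp" in presented and verify_totp(record["totp_secret"], presented["totp"], unix_time):
        passed.append(Factor.POSSESSION)
    return len(set(passed)) >= 2, passed

# Constructed sample record (all values invented for this example)
SALT = b"\x01" * 16
RECORD = {"salt": SALT, "pw_hash": hash_password("correct horse", SALT),
          "answer": "rex", "totp_secret": b"12345678901234567890"}

if __name__ == "__main__":
    now = 59  # RFC 6238 reference instant; real code uses int(time.time())
    print(mfa_login({"password": "correct horse", "answer": "Rex"}, RECORD, now))
    print(mfa_login({"password": "correct horse", "totp": totp(RECORD["totp_secret"], now)}, RECORD, now))
```

The first call is refused because both factors fall in the knowledge category; the second succeeds because the TOTP code adds a possession factor.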

“These layers of protection make unauthorized access much harder and ensure greater security for sensitive data,” he explains.

“In short, it’s necessary to strengthen customer data protection by implementing additional measures to prevent unauthorized access,” explains Wagner Elias, CEO of Conviso, a company that develops application security solutions. “It’s no longer a matter of ‘adapting when necessary’ but of acting preventively,” he highlights.

According to the new rules, the implementation happens in two phases: the first, with 13 new requirements, had a deadline of March 2024. The second phase, more demanding, includes 51 additional requirements and should be met by March 31, 2025. In other words, those who are not prepared may face severe penalties.

To comply with the new requirements, some key actions include:

  • implementing firewalls and robust protection systems;
  • using encryption for data transmission and storage;
  • continuously monitoring and tracking suspicious access and activities;
  • constantly testing processes and systems to identify vulnerabilities;
  • creating and maintaining a strict information security policy.

Wagner emphasizes that, in practice, this means any company handling card payments will need to review its entire digital security structure. This involves updating systems, strengthening internal policies, and training teams to minimize risks. “For example, an e-commerce business will need to ensure customer data is encrypted end-to-end and that only authorized users have access to sensitive information. A retail chain, on the other hand, will have to implement mechanisms to continuously monitor potential fraud attempts and data breaches,” he illustrates.

Banks and fintechs will also need to strengthen their authentication mechanisms, expanding the use of technologies like biometrics and multi-factor authentication. “The goal is to make transactions more secure without compromising the customer experience. This requires a balance between protection and usability, something the financial sector has been improving in recent years,” he highlights.

But why is this change so important? It’s no exaggeration to say that digital fraud is becoming increasingly sophisticated. Data breaches can result in million-dollar losses and irreparable damage to customer trust.

Wagner Elias warns: “many companies still take a reactive stance, only worrying about security after an attack occurs. This behavior is concerning because security flaws can lead to significant financial losses and irreparable damage to the organization’s reputation, which could be avoided with preventive measures.”

He further highlights that to avoid these risks, the key differentiator is adopting Application Security practices from the beginning of a new app’s development, ensuring that each phase of the software development cycle already has protective measures. This guarantees the inclusion of security measures at all stages of the software lifecycle, being much more economical than remedying damages after an incident.

It’s worth noting that this is a growing trend worldwide. The application security market, valued at $11.62 billion in 2024, is expected to reach $25.92 billion by 2029, according to Mordor Intelligence.

Wagner explains that solutions like DevOps allow each line of code to be developed with protective practices, along with services such as penetration testing and vulnerability mitigation. “Performing continuous security analyses and test automation enables companies to meet regulations without compromising efficiency,” he highlights.

Additionally, specialized consulting is important in this process, helping companies adapt to the new PCI DSS 4.0 requirements. “Among the most sought-after services are Penetration Testing, Red Team assessments, and third-party security evaluations, which help identify and fix vulnerabilities before they can be exploited by criminals,” he says.

With digital fraud becoming increasingly sophisticated, ignoring data security is no longer an option. “Companies that invest in preventive measures ensure customer protection and strengthen their market position. Implementing the new guidelines is, above all, an essential step toward building a safer and more reliable payments environment,” he concludes.
