A growing concern among merchants is their ability to meet new payment card industry (PCI) security standards as early as next March. Failure to complete the upgrade within one year could cost them penalties from $5,000 to $100,000 or more.
The Payment Card Industry Security Standards Council (PCI SSC) develops the Payment Card Industry Data Security Standards (PCI DSS) used across the industry. While the PCI SSC sets these standards, individual card brands create their own compliance requirements. These requirements are then adopted by service providers, and each card brand has its unique compliance program.
Urgency to Adopt PCI DSS 4.0
The commerce industry must adopt the latest Payment Card Industry Data Security Standards (PCI DSS 4.0) before the March deadline. The new PCI DSS 4.0 standards necessitate a significant security lift.
Payment stacks continue to evolve alongside customer needs and expectations. Cybercriminals view this as a pivotal opportunity to exploit emerging points of vulnerability and capture critical customer data. Businesses must ensure compliance with the new PCI DSS 4.0 standards as part of a holistic approach to protecting customer data, and the new report serves as a guide for organizations as they look to meet these requirements ahead of the looming March 2025 deadline.
Support Tempered by Concerns
While survey respondents generally show optimism about the benefits of PCI DSS 4.0, they also share significant concerns over the changes involved. For many, meeting the new standards was tempered by other business operational concerns.
Respondents from large companies (5,000+ employees) view the new PCI requirements as more expensive to implement, resource-intensive, and time-consuming than respondents from medium or small companies do, according to Bluefin VP of Marketing Nick Berents.
Notwithstanding the percentages reported in the survey, Berents was surprised by how many businesses were behind at the time, or had not even started implementing the changes, especially in light of their stated concerns about their payment data security in the first place.
Addressing Compliance Challenges
According to Berents, the report also revealed that developing cybersecurity methods for threats and coordinating and performing targeted risk analysis were the top two aspects businesses ranked as most challenging when complying with the new standards. Evidence showed that IT and security departments will be responsible for some of the biggest compliance challenges.
Payment tokenization and PCI-validated point-to-point encryption (P2PE) are vital to meeting the new PCI DSS 4.0 requirements and protecting customers’ sensitive payment data. Both keep clear-text card data out of the merchant’s own systems, which is why implementing P2PE can reduce a company’s PCI compliance scope by over 70%.
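To make the scope-reduction argument concrete, here is an added illustration (not code from the article or from Bluefin) of what tokenization means for a merchant’s data: the merchant system hands the primary account number (PAN) to a separate tokenization service and keeps only an unrelated random token plus the last four digits, so its own database and logs never hold a PAN. The `TokenVault` class stands in for the out-of-scope service, the card numbers are the usual publicly documented test numbers, and `contains_pan` is a simple scan a defender can run over a database dump or log file to confirm that no clear-text PAN has leaked into systems that should be out of scope. All names here are assumptions for the example.

```python
import re
import secrets


def luhn_ok(pan: str) -> bool:
    """Return True if `pan` is 13-19 digits and passes the Luhn check."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for a tokenization / P2PE decryption environment.

    In a real deployment this lives with the provider, outside the
    merchant's PCI scope. The token is random and carries no information
    about the PAN, so reversing it requires access to this vault.
    """

    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def tokenize(self, pan: str) -> tuple[str, str]:
        if not luhn_ok(pan):
            raise ValueError("not a well-formed PAN")
        token = "tok_" + secrets.token_hex(8)   # random, unrelated to the PAN
        self._store[token] = pan
        return token, pan[-4:]                   # merchant may keep last four

    def detokenize(self, token: str) -> str:
        return self._store[token]


def record_sale(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """Merchant-side handling: the PAN is exchanged for a token immediately
    and only the token, last four digits and amount are retained."""
    token, last4 = vault.tokenize(pan)
    return {"token": token, "last4": last4, "amount_cents": amount_cents}


# Digit runs of PAN length that also pass Luhn; \b keeps token hex and
# shorter numbers such as amounts or last-four values from matching.
_PAN_RUN = re.compile(r"\b\d{13,19}\b")


def contains_pan(text: str) -> bool:
    """True if `text` (a log line, a DB row dump) holds a clear-text PAN."""
    return any(luhn_ok(m.group()) for m in _PAN_RUN.finditer(text))


if __name__ == "__main__":
    # Constructed sample: a public Visa test number, not a real card.
    vault = TokenVault()
    rec = record_sale(vault, "4111111111111111", 1999)
    print("stored by merchant:", rec)
    print("merchant record leaks PAN?", contains_pan(str(rec)))
    print("unsafe log line leaks PAN?",
          contains_pan("checkout ok card=4111111111111111 amt=1999"))
```

The point the scan makes is the one PCI DSS scoping turns on: systems that only ever see the token and the last four digits are not storing, processing or transmitting cardholder data, while a single debug line that prints the full PAN pulls the logging pipeline back into scope.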
Potential Penalties May Push Upgrade Plans
While missing the deadline carries no legal consequences, organizations that are not compliant can face serious fines from the card brands.
The standards are not required by law or regulatory mandate. Instead, they are self-governed and imposed by the Payment Card Industry Security Standards Council, which is run by the global card networks. Its participants include Visa, Mastercard, payment processors, service providers, and others in the payments ecosystem.