Dynamic Security for Card Data Protection

Author

Gabriel Juri

Published

8 July 2026

Reading time

minutes

Required knowledge

  • Basic knowledge of information security 
  • Familiarity with the financial industry and payment systems

In 2004, the Payment Card Industry Security Standards Council (PCI SSC) introduced the Payment Card Industry Data Security Standard (PCI DSS). This independent body includes the leading credit card companies Visa, MasterCard, American Express, Discover, and JCB. The standard provides the basis for technical and operational requirements to protect account data and applies globally to all companies that process, store, or transmit credit card data.

Need for of a New Version of the Standard

The introduction of PCI DSS 4.0 was necessary to address the constantly evolving threats and technologies. The main reasons for the changes in version 4.0 are:

  • ensuring that the standard continues to meet the security needs of the payment industry
  • promoting security as a continuous and dynamic process
  • improving validation procedures to make them more robust
  • supporting additional methods of achieving security objectives to enable the use of new technologies and innovative controls

Examples of Threats and Technologies

Threats and technologies are constantly evolving, necessitating the new standard version:

  • Cybercrime and artificial intelligence: Cybercriminals are increasingly using generative artificial intelligence (AI) to steal money or data with fake videos and personalized phishing messages. Companies are also using AI to predict and neutralize threats in real time.
  • Instant payments: The introduction of instant payments increases the need for security and the ability to monitor and protect transactions in real time.
  • Blockchain technology: The use of blockchain in payments requires new security measures to ensure the integrity and security of transactions.
  • Strong customer authentication (SCA): Strong customer authentication requirements under the EU’s Payment Services Directive PSD2 require robust security mechanisms to verify user identity and prevent fraud.
  • Mobile payment security: The release of PCI DSS 4.0 is an important milestone, especially with the increasing use of mobile payment solutions. The security of mobile systems has become a serious concern as cyberattacks increase in number and sophistication.

Multi-Factor Authentication

A major difference between versions 3.2.1 and 4.0 is the expansion of the multi-factor authentication (MFA) requirements. While MFA was primarily required for remote network access and non-console-based administrative access to the cardholder data environment (CDE) in the old version, the PCI SSC has significantly expanded the requirements in the new version. MFA is now required for all access to the CDE, whether administrative or non-administrative, including in cloud environments, hosted systems, and other system components. This includes organizations implementing phishing-resistant MFA, such as hardware tokens and biometric methods (e.g., fingerprint or facial recognition). These measures make it more difficult for cybercriminals to gain unauthorized access to systems, even if they have stolen credit card data.

Cardholder Data Environment

The CDE includes all system components that store, process, or transmit credit card data. PCI DSS 4.0 places greater emphasis on securing the CDE through enhanced MFA requirements and the introduction of new security controls. These measures are designed to ensure that only authorized users have access to sensitive data and that organizations continuously monitor that access.

Risk-Based Approach and Security Controls

Another key difference between PCI DSS 3.2.1 and 4.0 is the move to a risk-based approach. While the old version relied primarily on predefined security controls, the new version promotes a more proactive and dynamic approach to risk assessment. Predefined security controls are defined measures and procedures that should be implemented regardless of the specific risk situation. These controls are standardized and apply equally to all organizations. Examples include regularly updating antivirus software, implementing firewalls, and encrypting data during transmission and in storage.

In contrast, the current version encourages a more anticipatory and dynamic approach to risk assessment and security controls. This means that companies and other organizations that process credit card data must continually monitor their security posture and adapt to current threats and vulnerabilities. Preemptive measures include conducting regular penetration tests, monitoring network activity in real time, and implementing threat intelligence systems that can detect and defend against potential attacks. It is increasingly important that mobile payment systems in particular are robust against attacks such as ghost tap. This is a method in which cybercriminals use stolen credit card data associated with mobile payment systems such as Apple Pay or Google Pay. The technique redirects NFC traffic between devices to complete transactions without the victim’s physical card or device being present (see box). PCI DSS 4.0 can help prevent such attacks, particularly by implementing security mechanisms such as secure communication protocols and monitoring for anomalies in NFC traffic.

Algorithms and Encryption

PCI DSS 4.0 also brings changes in terms of encryption algorithms and key management. The new version requires the use of stronger encryption algorithms to ensure the security of card data during transmission and storage. In addition, organizations that process credit card data must ensure that they securely store and regularly change their encryption keys. These measures should make it more difficult for cybercriminals to intercept and misuse this data.

Status of Implementation

The implementation of PCI DSS 4.0 in Switzerland is still in progress. The new requirements will be binding as of 31 March 2025. Card processors such as Worldline and specialized companies authorized to conduct audits are assisting companies in adapting their security measures to the new standards and are offering training and advice to facilitate the transition. 

Implications for Companies and Card Processors

The introduction of the new version brings both challenges and benefits for businesses and card processors. The effort required to comply with the new requirements can be significant, as companies will need to review and adapt their existing security measures. This may require investment in new technology, staff training, and the implementation of additional security controls.

However, the return on this investment is significant. The new release promises to improve the security of credit card data, significantly reducing the risk of data breaches and fraud. This not only better protects sensitive data, but also increases customer confidence in the company’s security measures. In the long run, compliance with the new standards will help companies protect their reputations and avoid potential financial losses due to security incidents.

 

Gabriel Juri
SIX

Find Out More

Artificial Intelligence: Payment Data that Makes the Difference

Focus

Artificial Intelligence: Payment Data that Makes the Difference

AI has become indispensable in everyday banking. High-quality payment data is critical for personalized experiences and efficient AI applications. Payment enrichment improves data quality and optimizes key processes.

8 July 2026

5 minutes
Service Bureaus: Little-Known Key Players in Swiss Payments

Experts

Service Bureaus: Little-Known Key Players in Swiss Payments

Service bureaus have been central players in Swiss payments since the 1990s. They transmit payment orders and ensure data integrity. The SNB has published formal requirements to ensure security and efficiency.

8 July 2026

6 minutes
CBDC and Instant Payments: A Combination with Pitfalls

Panorama

CBDC and Instant Payments: A Combination with Pitfalls

Only one country operates both a CBDC and an instant payment system to increase financial inclusion and efficiency. However, different standards and technologies make interoperability difficult. Some countries are considering wholesale CBDCs instead.

8 July 2026

4 minutes
A Look at the Cost of Payment Methods

Panorama

A Look at the Cost of Payment Methods

In German e-commerce, high processing costs are incurred for some payment methods. On average, it costs 10 euros if something goes wrong during a purchase and payment process. One in twenty advance payment transfers and payments on invoice requires manual processing.

8 July 2026

3 minutes
Can AI Cross Borders?

Panorama

Can AI Cross Borders?

The integration of AI and deep learning will affect the future of payment systems, including for cross-border transactions. Research suggests that AI promises greater efficiency, security, and compliance for traditional payment systems.

8 July 2026

3 minutes
“Machine Beats Man” – True for Chess and Payments

Talk

“Machine Beats Man” – True for Chess and Payments

Helge Kraas, PPI AG, talks about artificial intelligence in payments. The focus will be on fraud detection, instant payments, e-invoices, Request to Pay, personalized financial services, regulation, financial crime and judicious AI decisions.

8 July 2026

9 minutes