Author
Published
8 July 2026
Reading time
Required knowledge
In 2004, the Payment Card Industry Security Standards Council (PCI SSC) introduced the Payment Card Industry Data Security Standard (PCI DSS). This independent body includes the leading credit card companies Visa, MasterCard, American Express, Discover, and JCB. The standard provides the basis for technical and operational requirements to protect account data and applies globally to all companies that process, store, or transmit credit card data.
Need for of a New Version of the Standard
The introduction of PCI DSS 4.0 was necessary to address the constantly evolving threats and technologies. The main reasons for the changes in version 4.0 are:
Examples of Threats and Technologies
Threats and technologies are constantly evolving, necessitating the new standard version:
Multi-Factor Authentication
A major difference between versions 3.2.1 and 4.0 is the expansion of the multi-factor authentication (MFA) requirements. While MFA was primarily required for remote network access and non-console-based administrative access to the cardholder data environment (CDE) in the old version, the PCI SSC has significantly expanded the requirements in the new version. MFA is now required for all access to the CDE, whether administrative or non-administrative, including in cloud environments, hosted systems, and other system components. This includes organizations implementing phishing-resistant MFA, such as hardware tokens and biometric methods (e.g., fingerprint or facial recognition). These measures make it more difficult for cybercriminals to gain unauthorized access to systems, even if they have stolen credit card data.
Cardholder Data Environment
The CDE includes all system components that store, process, or transmit credit card data. PCI DSS 4.0 places greater emphasis on securing the CDE through enhanced MFA requirements and the introduction of new security controls. These measures are designed to ensure that only authorized users have access to sensitive data and that organizations continuously monitor that access.
Risk-Based Approach and Security Controls
Another key difference between PCI DSS 3.2.1 and 4.0 is the move to a risk-based approach. While the old version relied primarily on predefined security controls, the new version promotes a more proactive and dynamic approach to risk assessment. Predefined security controls are defined measures and procedures that should be implemented regardless of the specific risk situation. These controls are standardized and apply equally to all organizations. Examples include regularly updating antivirus software, implementing firewalls, and encrypting data during transmission and in storage.
In contrast, the current version encourages a more anticipatory and dynamic approach to risk assessment and security controls. This means that companies and other organizations that process credit card data must continually monitor their security posture and adapt to current threats and vulnerabilities. Preemptive measures include conducting regular penetration tests, monitoring network activity in real time, and implementing threat intelligence systems that can detect and defend against potential attacks. It is increasingly important that mobile payment systems in particular are robust against attacks such as ghost tap. This is a method in which cybercriminals use stolen credit card data associated with mobile payment systems such as Apple Pay or Google Pay. The technique redirects NFC traffic between devices to complete transactions without the victim’s physical card or device being present (see box). PCI DSS 4.0 can help prevent such attacks, particularly by implementing security mechanisms such as secure communication protocols and monitoring for anomalies in NFC traffic.
Algorithms and Encryption
PCI DSS 4.0 also brings changes in terms of encryption algorithms and key management. The new version requires the use of stronger encryption algorithms to ensure the security of card data during transmission and storage. In addition, organizations that process credit card data must ensure that they securely store and regularly change their encryption keys. These measures should make it more difficult for cybercriminals to intercept and misuse this data.
Status of Implementation
The implementation of PCI DSS 4.0 in Switzerland is still in progress. The new requirements will be binding as of 31 March 2025. Card processors such as Worldline and specialized companies authorized to conduct audits are assisting companies in adapting their security measures to the new standards and are offering training and advice to facilitate the transition.
Implications for Companies and Card Processors
The introduction of the new version brings both challenges and benefits for businesses and card processors. The effort required to comply with the new requirements can be significant, as companies will need to review and adapt their existing security measures. This may require investment in new technology, staff training, and the implementation of additional security controls.
However, the return on this investment is significant. The new release promises to improve the security of credit card data, significantly reducing the risk of data breaches and fraud. This not only better protects sensitive data, but also increases customer confidence in the company’s security measures. In the long run, compliance with the new standards will help companies protect their reputations and avoid potential financial losses due to security incidents.
Sequence of a Ghost Tap Attack
Gabriel Juri SIX
Focus
AI has become indispensable in everyday banking. High-quality payment data is critical for personalized experiences and efficient AI applications. Payment enrichment improves data quality and optimizes key processes.
Experts
Service bureaus have been central players in Swiss payments since the 1990s. They transmit payment orders and ensure data integrity. The SNB has published formal requirements to ensure security and efficiency.
Panorama
Only one country operates both a CBDC and an instant payment system to increase financial inclusion and efficiency. However, different standards and technologies make interoperability difficult. Some countries are considering wholesale CBDCs instead.
In German e-commerce, high processing costs are incurred for some payment methods. On average, it costs 10 euros if something goes wrong during a purchase and payment process. One in twenty advance payment transfers and payments on invoice requires manual processing.
The integration of AI and deep learning will affect the future of payment systems, including for cross-border transactions. Research suggests that AI promises greater efficiency, security, and compliance for traditional payment systems.
Talk
Helge Kraas, PPI AG, talks about artificial intelligence in payments. The focus will be on fraud detection, instant payments, e-invoices, Request to Pay, personalized financial services, regulation, financial crime and judicious AI decisions.
PAY NEWSLETTER
Join our community and never miss an update!
Categories