The explosive growth of online transactions has made the digital payment ecosystem one of the most dynamic—and vulnerable—landscapes in today’s business world. Events like Black Friday and Cyber Monday highlight this duality, as payment processors like Stripe and Adyen handled over $65 billion in just four days this past year, setting new records. But with this surge in transaction volume comes a parallel rise in cybercrime, making the protection of sensitive cardholder data more critical than ever. For businesses, there’s no room for error—payment security has become a defining factor in trust, reputation, and survival.
At PCI Proxy, we understand how vital compliance is for protecting payment data and maintaining customer trust. Since its introduction in 2006, the Payment Card Industry Data Security Standard (PCI DSS) has evolved to meet the growing complexities of payment security. Designed to safeguard payment data and reduce the risk of breaches, PCI DSS provides businesses with a robust, globally recognized framework for security. Over the years, updates to the standard have addressed everything from encryption requirements to the adoption of multifactor authentication (MFA) and anomaly detection, helping businesses stay ahead of evolving threats.
The release of PCI DSS version 4.0 in March 2022 marked a turning point for the standard, introducing 64 new requirements aimed at bolstering compliance and security practices. After a two-year transition period, PCI DSS v4.0 became mandatory in March 2024, with v4.0.1 following shortly after to add minor refinements. However, the most significant milestone is yet to come: March 31, 2025, when 51 of these new requirements, classified as future-dated, will officially become mandatory.
For businesses working toward PCI DSS compliance, these future-dated requirements represent more than just a checklist—they are a critical opportunity to strengthen security measures and future-proof payment systems. As we approach this deadline, companies must act now to prepare for the changes ahead, ensuring they meet the evolving expectations of PCI DSS while continuing to protect sensitive data and maintain compliance.
At PCI Proxy, we’re here to help you navigate this pivotal phase. Below you’ll find a detailed breakdown of all the future-dated requirements.
- 3.2.1 Any SAD stored prior to completion of authorization is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes.
- 3.3.2 SAD stored electronically prior to completion of authorization is encrypted using strong cryptography.
- 3.3.3 SAD stored by issuers is encrypted using strong cryptography.
- 3.4.2 Technical controls to prevent copy and/or relocation of PAN when using remote-access technologies except with explicit authorization.
- 3.5.1.1 Hashes used to render PAN unreadable are keyed cryptographic hashes of the entire PAN with associated key management processes and procedures.
- 3.5.1.2 Implementation of disk-level or partition-level encryption when used to render PAN unreadable.
- 3.6.1.1 A documented description of the cryptographic architecture includes prevention of the use of the same cryptographic keys in production and test environments.
- 4.2.1 Certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked.
- 4.2.1.1 An inventory of the entity’s trusted keys and certificates is maintained.
- 5.2.3.1 A targeted risk analysis is performed to determine frequency of periodic evaluations of system components identified as not at risk for malware.
- 5.3.2.1 A targeted risk analysis is performed to determine frequency of periodic malware scans.
- 5.3.3 Anti-malware scans are performed when removable electronic media is in use.
- 5.4.1 Mechanisms are in place to detect and protect personnel against phishing attacks.
- 6.3.2 Maintain an inventory of bespoke and custom software to facilitate vulnerability and patch management.
- 6.4.2 Deploy an automated technical solution for public-facing web applications that continually detects and prevents web based attacks.
- 6.4.3 Manage all payment page scripts that are loaded and executed in the consumer’s browser.
- 7.2.4 Review all user accounts and related access privileges appropriately.
- 7.2.5 Assign and manage all application and system accounts and related access privileges appropriately.
- 7.2.5.1 Review all access by application and system accounts and related access privileges.
- 8.3.6 Minimum level of complexity for passwords when used as an authentication factor.
- 8.3.10.1 If passwords are the only authentication factor for customer user access, passwords are changed at least every 90 days or the security posture of accounts is dynamically analyzed to determine real-time access to resources.
- 8.4.2 Multi-factor authentication for all access into the CDE.
- 8.5.1 Multi-factor authentication systems are implemented appropriately.
- 8.6.1 Manage interactive login for accounts used by systems or applications.
- 8.6.2 Passwords/passphrases used for interactive login for application and system accounts are protected against misuse.
- 8.6.3 Passwords/passphrases for any application and system accounts are protected against misuse.
- 9.5.1.2.1 A targeted risk analysis is performed to determine frequency of periodic POI device inspections.
- 10.4.1.1 Audit log reviews are automated.
- 10.4.2.1 A targeted risk analysis is performed to determine frequency of log reviews for all other system components.
- 10.7.2 Failures of critical security control systems are detected, alerted, and addressed promptly.
- 10.7.3 Failures of critical security control systems are responded to promptly.
- 11.3.1.1 Manage all other applicable vulnerabilities (those not ranked as high risk or critical).
- 11.3.1.2 Internal vulnerability scans are performed via authenticated scanning.
- 11.4.7 Multi-tenant service providers support their customers for external penetration testing.
- 11.5.1.1 Intrusion-detection and/or intrusion-prevention techniques detect, alert on and/or prevent, and address covert malware communication channels.
- 11.6.1 A change-and-tamper-detection mechanism is deployed for payment pages.
- 12.3.1 A targeted risk analysis is documented to support each PCI DSS requirement that provides flexibility for how frequently it is performed.
- 12.3.3 Cryptographic cipher suites and protocols in use are documented and reviewed.
- 12.3.4 Hardware and software technologies are reviewed.
- 12.5.2.1 PCI DSS scope is documented and confirmed at least once every six months and upon significant changes.
- 12.5.3 The impact of significant organizational changes on PCI DSS scope is documented and reviewed and results are communicated to executive management.
- 12.6.2 The security awareness program is reviewed at least once every 12 months and updated as needed.
- 12.6.3.1 Security awareness training includes awareness of threats that could impact the security of the CDE, to include phishing and related attacks and social engineering.
- 12.6.3.2 Security awareness training includes awareness about acceptable use of end user technologies.
- 12.10.4.1 A targeted risk analysis is performed to determine frequency of periodic training for incident response personnel.
- 12.10.5 The security incident response plan includes alerts from the change- and tamper-detection mechanism for payment pages.
- 12.10.7 Incident response procedures are in place and initiated upon detection of PAN.
- A1.1.1 The multi-tenant service provider confirms access to and from customer environments is logically separated to prevent unauthorized access.
- A1.1.4 The multi-tenant service provider confirms effectiveness of logical separation controls used to separate customer environments at least once every six months via penetration testing.
- A1.2.3 The multi-tenant service provider implements processes or mechanisms for reporting and addressing suspected or confirmed security incidents and vulnerabilities.
- A3.3.1 Failures of the following are detected, alerted, and reported in a timely manner: automated log review mechanisms and automated code review tools.
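Requirements 3.5.1.1 and 3.6.1.1 above are easy to get wrong in code: an unkeyed SHA-256 of a PAN is not an acceptable way to render it unreadable, and a key that is shared between test and production defeats the point of key management. The following is an added illustration written for this post, not code from PCI Proxy or from the PCI SSC. It assumes a per-environment key table (constructed here in memory; in practice keys come from an HSM or KMS) and stores the key id alongside the digest so keys can be rotated without re-hashing everything at once.

```python
import hashlib
import hmac
import re

# Constructed example keys. Each environment has its own key material, so a
# test-environment hash can never be matched against production data
# (requirement 3.6.1.1). Never hard-code real keys like this.
KEYS = {
    "prod": {"k1": b"constructed-prod-key-not-for-real-use"},
    "test": {"k1": b"constructed-test-key-not-for-real-use"},
}

# PAN is 13 to 19 digits; anything else is rejected before it reaches the hash.
_PAN_RE = re.compile(r"\d{13,19}")


def hash_pan(pan: str, env: str, key_id: str = "k1") -> str:
    """Keyed hash (HMAC-SHA256) of the entire PAN, as 3.5.1.1 requires.

    Returns "<key_id>:<hex digest>" so the verifying side knows which key
    produced the value, which is what makes key rotation possible.
    """
    if not _PAN_RE.fullmatch(pan):
        raise ValueError("PAN must be 13-19 digits")
    try:
        key = KEYS[env][key_id]
    except KeyError:
        raise ValueError(f"no key {key_id!r} for environment {env!r}") from None
    digest = hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{key_id}:{digest}"


def matches(pan: str, stored: str, env: str) -> bool:
    """Check a presented PAN against a stored keyed hash in constant time."""
    key_id, _ = stored.split(":", 1)
    return hmac.compare_digest(hash_pan(pan, env, key_id), stored)


if __name__ == "__main__":
    # 4111111111111111 is a widely used test PAN, not a real card number.
    stored = hash_pan("4111111111111111", "prod")
    print(stored)
    print("prod match:", matches("4111111111111111", stored, "prod"))
    print("same PAN, test env:", hash_pan("4111111111111111", "test") == stored)
```

The key id prefix is the practical half of "associated key management": when a key is retired, new records are written under the new id while old records are still verifiable until they are re-hashed, and the hash of a given PAN in the test environment never equals its hash in production.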
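Requirements 6.4.3 and 11.6.1 together ask for an inventory of authorized payment page scripts and a mechanism that notices when the page served to the consumer no longer matches it. The following is an added example, not PCI Proxy's own tooling: it audits a snapshot of a payment page's HTML against a constructed inventory of authorized script URLs and their Subresource Integrity digests, flagging unlisted external scripts, integrity mismatches, and inline scripts whose content was not approved. Fetching the page as the consumer's browser would see it, and checking HTTP headers, are assumed to happen outside this function.

```python
import base64
import hashlib
from html.parser import HTMLParser


def sri_digest(content: bytes) -> str:
    """SRI-style digest string (sha384-<base64>) of script content."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()


# Constructed inventory (6.4.3): authorized script URL -> digest recorded when
# the script was approved. The content here is made up for the example.
AUTHORIZED_SCRIPTS = {
    "https://js.example-psp.test/checkout.js":
        sri_digest(b"/* approved checkout.js (constructed content) */"),
}

# Constructed set of approved inline script bodies, stored as digests.
AUTHORIZED_INLINE = {sri_digest(b"window.checkoutConfig = {currency: 'EUR'};")}


class _ScriptCollector(HTMLParser):
    """Collect every <script> tag: src, integrity attribute and inline text."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "text": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def audit_payment_page(html: str, inventory=AUTHORIZED_SCRIPTS, inline_ok=AUTHORIZED_INLINE):
    """Return a list of (finding, detail) tuples; an empty list means the page
    matches the authorized inventory (the 11.6.1 change-detection check)."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        if s["src"]:
            expected = inventory.get(s["src"])
            if expected is None:
                findings.append(("unauthorized_script", s["src"]))
            elif s["integrity"] != expected:
                findings.append(("integrity_mismatch", s["src"]))
        else:
            digest = sri_digest(s["text"].encode())
            if digest not in inline_ok:
                findings.append(("unauthorized_inline_script", digest))
    return findings


if __name__ == "__main__":
    # Constructed page: one approved script, one that is not in the inventory.
    page = (
        '<html><body>'
        f'<script src="https://js.example-psp.test/checkout.js" '
        f'integrity="{AUTHORIZED_SCRIPTS["https://js.example-psp.test/checkout.js"]}"></script>'
        '<script src="https://cdn.unknown.test/extra.js"></script>'
        '</body></html>'
    )
    for finding in audit_payment_page(page):
        print(*finding)
```

Findings from this check are exactly the alerts that 12.10.5 expects the incident response plan to cover, so in practice the output feeds a ticket or pager rather than stdout.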
By staying ahead of these upcoming PCI DSS requirements, you’ll not only ensure your business remains secure and compliant but also build trust with your customers, positioning your brand for success in the evolving digital payment landscape.