APJ Cybersecurity News

New PCI DSS Standards to Impact APAC Businesses from March 31

John_Yang

Organizations must adopt stronger security measures or face fines up to $100,000 per month.

Starting March 31, 2025, businesses across the Asia-Pacific (APAC) region that process credit or debit card payments must comply with PCI DSS v4.x, the latest version of the Payment Card Industry Data Security Standard aimed at enhancing payment security globally.

The updated standard affects thousands of organizations across industries such as retail, financial services, and healthcare, requiring them to strengthen data protection and transaction security. Non-compliance could lead to fines ranging from $5,000 to $100,000 per month, depending on the severity and duration of violations.

John Yang, Vice President, APJ, Progress, emphasizes the importance of implementing a Web Application Firewall (WAF): “PCI DSS is an extensive standard, but one change organizations can adopt today is implementing a Web Application Firewall (WAF). From March 31, 2025, under section 6.4.2, WAF deployment will be mandatory.”

Beyond compliance, WAFs provide protection against threats such as cross-site scripting and botnet attacks, and they support data loss prevention. Yang advises businesses to assess their specific security needs and consult resources like the OWASP Core Rule Set for effective WAF implementation.

Bill, PCI Qualified Security Assessor at Schellman, highlights the impact on service providers: “Service providers are the most affected by the newest updates within PCI DSS v4.0. Prepare your company for the transition by discovering the largest changes.”

Bill notes that disk-level encryption (Full Disk Encryption or FDE) will no longer suffice for protecting primary account numbers (PAN). Organizations must implement additional controls to secure data, especially against remote access threats.

Thales Group, a leader in data protection solutions, offers guidance on achieving compliance: “The new version of PCI DSS 4.0 includes many updates. Thales CipherTrust Data Security Platform solutions can help businesses streamline compliance.”

Thales recommends that organizations evaluate their current security measures and consider solutions like the CipherTrust Data Security Platform to address new requirements effectively.

Key Changes in PCI DSS v4.x

  • Multi-Factor Authentication (MFA): New requirements mandate implementing MFA for all access into the Cardholder Data Environment (CDE), expanding beyond administrative users.
  • Script Management: Organizations must manage all payment page scripts loaded and executed in consumers’ browsers, including authorization and integrity checks.
  • Tamper-Detection Mechanisms: Organizations must deploy mechanisms that alert personnel to unauthorized modifications of HTTP headers and payment page content as received by consumer browsers.
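The script-management and tamper-detection changes above boil down to one recurring check: is the checkout page the consumer receives still the page you authorized? The example below is added to this summary (it is not code from PCI SSC or from any vendor quoted here) and compares an observed payment page and its response headers against an authorized script inventory; the file paths, header values and page content are constructed sample data.

```python
import base64
import hashlib
from html.parser import HTMLParser

def sri_hash(body: bytes) -> str:
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()  # SRI form

class _ScriptCollector(HTMLParser):
    """Collects every <script> on the page as (src, integrity attribute, inline body)."""
    def __init__(self):
        super().__init__()
        self.scripts, self._open = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._open = [a.get("src"), a.get("integrity"), ""]
    def handle_data(self, data):
        if self._open is not None:
            self._open[2] += data
    def handle_endtag(self, tag):
        if tag == "script" and self._open is not None:
            self.scripts.append(tuple(self._open))
            self._open = None

def check_payment_page(html: str, headers: dict, baseline: dict) -> list:
    """Compare an observed page and its headers to the authorized baseline; [] means no change."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity, body in collector.scripts:
        if src is None:  # inline script: identified by a hash of its content
            if "inline:" + sri_hash(body.encode()) not in baseline["scripts"]:
                findings.append("unauthorized inline script")
        elif src not in baseline["scripts"]:
            findings.append(f"unauthorized script: {src}")
        elif integrity != baseline["scripts"][src]:
            findings.append(f"integrity attribute changed: {src}")
    for name, expected in baseline["headers"].items():  # header tampering
        if headers.get(name) != expected:
            findings.append(f"header changed: {name}")
    return findings

CHECKOUT_JS = b"window.checkout = function () {};"  # constructed sample: the authorized script
BASELINE = {"scripts": {"/static/checkout.js": sri_hash(CHECKOUT_JS),
                        "inline:" + sri_hash(b"initCheckout();"): None},
            "headers": {"content-security-policy": "script-src 'self'"}}
OBSERVED_HTML = ('<script src="/static/checkout.js" integrity="%s"></script>'  # observed page
                 '<script>initCheckout();</script>'
                 '<script src="https://cdn.example/unexpected.js"></script>') % sri_hash(CHECKOUT_JS)
OBSERVED_HEADERS = {"content-security-policy": "script-src *"}  # CSP loosened since baseline
```

Run on a schedule from outside the CDE, the findings list is what a monitoring job would raise to personnel; an empty list means the page and headers match the inventory.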

Preparing for Compliance

To prepare for PCI DSS v4.x, organizations should:

  • Assess Current Security Measures: Conduct thorough evaluations to identify gaps in existing security protocols.
  • Implement Required Technologies: Adopt necessary technologies, such as WAFs and advanced encryption methods, to meet new standards.
  • Engage Qualified Security Assessors (QSAs): Consult with QSAs to ensure accurate interpretation and implementation of PCI DSS requirements.
  • Educate and Train Staff: Provide comprehensive training to employees on new security protocols and compliance obligations.

Conclusion

The regulatory landscape around payment security is expected to tighten in the coming years. Rather than viewing PCI DSS as a burden, organizations should see it as an opportunity to strengthen defenses and build resilience in an increasingly risky cyber world.
