It is essential that regulatory frameworks harness, rather than hinder, innovation. As the payment sector continues to adapt, it will keep a vigilant eye on incoming legislation that could affect the sector's evolution.

For the latest in our Payment Innovation series, Pieter Danhieux, CEO & Co-Founder of security software company Secure Code Warrior, analyses the “positive disruptive force” of the new PCI-DSS 4.0 regulations.

Businesses will have to comply with the Payment Card Industry Data Security Standard (PCI-DSS 4.0) by March 2025. Although this date may seem distant, it is important to start preparing for its implementation as soon as possible to ensure a smooth transition. 

To achieve compliance, businesses will need to assess complex security processes and scrutinise elements of their tech stack, as well as implement role-based security awareness training.

While compliance is important, businesses should look beyond just ticking a box—they should see this as an opportunity to create a new security culture by making a commitment to security awareness across the organisation.

Any organisation that stores, processes, or transmits cardholder data, as well as any organisation that offers services that could affect the security of that data, must comply with PCI-DSS. PCI-DSS is a worldwide standard for guaranteeing safe card transactions, and UK regulators treat it as such: all UK merchants or entities that handle or transmit cardholder data must be compliant or risk a significant fine.

One of the requirements that must be met by 2025 is that businesses must provide employees with the necessary knowledge to identify potential security risks and protect their data from any threats.

For truly impactful vulnerability reduction, developer training must be prioritised. PCI-DSS 4.0 mandates annual training for developers, though education should be far more frequent and ongoing if a business hopes to create safer, compliant software. PCI-DSS 4.0 points the way to better security, but building on its requirements is necessary to create a security-conscious culture.

Turning disruption into a business opportunity 

The new update to PCI-DSS is a positive disruptive force. It challenges businesses to upskill their workers and implement the right tools and programmes in order to be compliant. Organisations that choose to ignore it put their entire business dynamic at risk, and it is not only regulators that they need to worry about: payment companies can also impose fines and other penalties on merchants found to be non-compliant with PCI-DSS.

Businesses should update their infrastructure ahead of time, to avoid the strain (financial and otherwise) of rushing to meet the deadline. However, before taking the required steps, businesses need to ensure these efforts are not limited to the security team.

The opportunity for businesses is to achieve the highest level of software security excellence. This is where developers come into play. While the investment – not to mention ongoing engineering efforts – required to achieve PCI-DSS compliance can be substantial, developers should:

  • Evaluate: to make sure nothing is overlooked, set clear boundaries from the beginning in order to determine the areas to be evaluated. In short: what needs to be compliant?
  • Plan for continuous compliance: developers must stay up-to-date on any changes to the PCI guidelines and ensure that the necessary processes are in place for continuous compliance. We didn’t move smoothly from 3.0 to 4.0, so expect 4.1 at some point down the line.
  • Ensure testing is a habit: regular testing can help developers ensure that the necessary security controls are in place and properly maintained, enhancing the overall security of payment processing infrastructure. PCI-DSS treats compliance as an ongoing obligation rather than a one-off exercise: every change needs to be compliant too.

Building a development team with a security mindset

For developers to start taking steps towards meeting PCI-DSS requirements, they’ll need sufficient skills and knowledge. Being compliant with these requirements is a shared responsibility, so how can businesses support their developers to help them in return?

A comprehensive understanding of the security requirements and processes is a must to take an active role in meeting PCI-DSS demands. However, PCI-DSS 4.0 emphasises the need for continual, ongoing education and implementation of secure software development practices, so an isolated annual training session isn’t enough. Upskilling opportunities need to provide regular education on relevant security practices.

It is essential that developers are given the opportunity to build their knowledge of the OWASP Top 10 and other application security vulnerabilities that are pertinent to the language and operations of their business. Again, this should be an ongoing process, not only teaching the technical aspects of secure coding, but also instilling a security-focused mindset that can be applied to all their development work.

Having a development team with a security mindset will act as a differentiating factor for the organisation. It’s a long-term investment, where businesses can build their development teams into powerhouses to support their overall security objectives.

Creating a security-first culture

Businesses should use the time they have to prepare and understand the new standards and requirements of PCI-DSS, focusing on training and awareness programmes to educate their development teams. This will help create a culture of security-aware developers, leading to more secure applications in the future. Junior developers will follow the lead of seniors—what matters to them will matter to the whole team. 

Developers are not the only party responsible for meeting these requirements, but getting them on board is a vital step in making sure businesses go beyond compliance to embed security into everything the organisation does. 

Enhancements to security and compliance in the payments industry will be explored further during the Payment Innovation track at SBC Summit Barcelona 2023. The show welcomes delegates from over 95 countries, all joining for a detailed discussion at the magnificent Fira de Barcelona Exhibition Centre. 
