Card security enters a new era – and it’s personal for the C-suite


28 Mar 2024

A new era in payment card security arrived on April 1. But is the C-suite ready for new data protection responsibilities? Should warning lights be flashing in the boardroom?

From April 1, the new payment security standard PCI DSS v4.0 became the only game in town for organizations that store, process, or transmit cardholder data. After a two-year crossover period, PCI DSS v3.2.1 has now been completely replaced by the tougher v4.0 standard, which helps organizations to better protect card data against evolving threats.

PCI DSS v4.0 demands a shift in mindset. It asks organizations to treat card security as a continuous process, rather than an annual compliance exercise. It also introduces 64 new requirements: 13 that became effective immediately for every v4.0 assessment, and another 51 that are considered best practice until they become mandatory on March 31, 2025.

But are senior executives fully aware of the big shift taking place – and the implications for them personally?

Growing awareness

Last year, Eckoh conducted a quick poll among senior decision-makers about the arrival of PCI DSS v4.0. Unfortunately, two thirds said they weren’t familiar with the new standard.

This was concerning – given that the drumbeat for v4.0 began at the start of 2022. However, months have passed and it’s hoped that awareness has grown considerably, internal readiness programs have gathered steam, and merchants everywhere have met the recent deadline.

But PCI DSS v4.0 may not have received the senior-level attention it merits. After all, card security can seem like a routine, back-office, compliance-type activity.

What the C-suite may not realize is that the standard places accountability for information security at their level – and the stakes are extremely high.

Choosing a ‘champion’ in the C-suite

Dig into PCI DSS v4.0 and you’ll see it’s a game-changer. The new standard aims to protect against a host of modern-day threats, including social engineering, phishing, malware, and other attacks and vulnerabilities.

But it also turns the spotlight on who’s ultimately responsible for data protection.

Its author, the PCI Security Standards Council, says organizations must:

“Examine the information security policy to verify that information security is formally assigned to a Chief Information Security Officer or other information security-knowledgeable member of executive management. To ensure someone with sufficient authority and responsibility is actively managing and championing the organization’s information security program, accountability and responsibility for information security needs to be assigned at the executive level within an organization.”

The Council says this person is “often at the most senior level of management and are part of the chief executive level or C-level ...”

In other words, someone in the C-suite must be championing the issue – and taking personal responsibility. Conversations around payment card security need to be elevated to the top table. There’s another reason why this makes sense too – and it relates to an organization’s reputation and the careers of its leaders.

Lawsuits and share price hits

When payment card data breaches happen, the fallout can be devastating. There are potential financial penalties and a business may lose the ability to accept card payments.

But criminals targeting card details could also scoop up other kinds of personal information in the process. Potentially, this could include data that’s covered by HIPAA, CCPA, GDPR, and other regulations.

Suddenly, the penalties can escalate, lawsuits can mount up, customers lose trust, business is lost, and the share price takes a sustained hit. In the middle of all this, senior executives could lose their jobs and suffer a stain on their careers.

The PCI Security Standards Council has made it very clear where the buck stops.

Getting ready for March 2025

Now’s the time for the C-suite to ensure PCI DSS v4.0 is a corporate priority if it wasn’t already.

Many brands will have been following the PCI Security Standards Council’s helpful Prioritized Approach to Pursue PCI DSS Compliance. It’s essential to plan for a steady flow of milestones throughout 2024 and beyond, so the readiness program for March 2025 is manageable.

Organizations can also strengthen their current PCI DSS v4.0 defenses and accelerate adoption of the next 51 requirements by relying on a trusted partner. For example, a PCI DSS Level 1 Service Provider can handle secure payments for you and shield your contact center from any trace of sensitive data, taking those systems out of scope. One caveat: outsourcing reduces scope, not accountability. Under PCI DSS Requirement 12.8, the merchant must still maintain a list of its service providers, agree in writing who is responsible for which requirements, and monitor each provider’s compliance status at least annually. Done properly, this can ease the stress, cost, and risk for your contact center team – and for the C-suite.

Discover more

You can explore ways to achieve compliance and go further to safeguard your business. You’ll find guides, articles, case studies, and other helpful information at our PCI DSS 4.0 resources hub.