In 2022, “mobile technologies and services generated 5% of GDP, a contribution that amounted to $5.2 trillion,” per the GSMA. With that much at stake—and with digital wallets projected to grow at 15% CAGR through 2026—ensuring the security of payment data has never been more crucial.
For more than a decade, the Payment Card Industry Security Standards Council (PCI SSC) has been at the forefront of keeping digital payments safe. A global council founded in 2006 by American Express, Discover, JCB International, MasterCard, and Visa Inc., the PCI SSC drives the adoption of data security standards and provides resources to keep payments safe worldwide.
The Council sets those standards through the Payment Card Industry Data Security Standard (PCI DSS), a compliance framework that protects payment card account data and the broader payment ecosystem. The latest version of its guidelines, PCI DSS 4.0, will set important new standards for digital payments by requiring multi-factor authentication (MFA). Because “every merchant, regardless of the number of card transactions processed, must be PCI compliant,” this new guidance represents a major shift for the world’s businesses.
So, let’s review when organizations must move to PCI DSS 4.0, what the new framework requires, the value that MFA provides to all organizations, and the best ways for organizations to implement MFA quickly and successfully.
PCI DSS v4.0 was published in March 2022 and includes several significant changes and updates compared to its predecessor, v3.2.1. One of the most important updates in the latest version is that, while MFA had been a best practice in previous versions of the PCI DSS, version 4.0 requires MFA for all accounts that can access cardholder data after March 31, 2025.
The penalties for failing to meet PCI regulations are steep. While PCI isn’t a law, PCI DSS compliance violations can cost between $5,000 to $100,000. And the credit card companies themselves may charge higher transactions fees or even revoke the use of a given card for payments if a business is out of compliance.
The MFA requirement in PCI DSS v4 is one of the biggest, most valuable, and most important updates for global merchants. MFA is a critical component of cybersecurity architecture: the Verizon 2023 Data Breach Investigations Report found that “the use of stolen credentials became the most popular entry point for breaches” over the past five years. MFA could have prevented many—if not all— of the breaches that began with a stolen credential from beginning in the first place.
Just as important as how data breaches begin is why cybercriminals act: Verizon found that “financial motives still drive the vast majority of breaches.” In fact, financial motives drove 94.6% of all breaches last year. Given that most cybercriminals follow the money, it’s likely that they’ll attack the payment information and infrastructure that transmits billions of dollars every year.
MFA could prevent cybercriminals from using a stolen credential to gain unauthorized access and exfiltrate sensitive information or payment card data. MFA adds an extra layer of security by requiring users to provide two or more different factors to gain access to a resource. This could be something they know (like a one-time password), something they have (like a smart card or mobile device), or something they are (which would include biometric verification). With MFA in place, even if a cybercriminal steals or phishes a user’s password, requiring an additional factor can prevent them from accessing secured resources or applications.
Because so many data breaches begin by breaking passwords, and because MFA could have stopped many of them , MFA is one of cybersecurity’s most enduring best practices: MFA solutions are requirements in governmental cybersecurity mandates and cyber insurance policies. In addition to keeping organizations compliant and secure, MFA can also help an organization’s bottom line: the IBM Cost of a Data Breach Report 2023 found data breaches cost an average of $4.45 million.
MFA delivers major benefits to organizations: it creates a stronger cybersecurity posture, prevents data breaches, protects an organization’s bottom line, maintains customers’ trust, and prevents businesses from incurring fines. Ultimately, there’s considerable upside to PCI compliance generally and to implementing MFA specifically.
And one more bit of good news: MFA implementation doesn’t need to be an onerous effort. RSA provides a range of MFA options—including biometrics, push-to-approve, one-time password, and FIDO-based authentication—that can all help organizations comply with the new MFA requirements found in PCI DSS 4.0. As part of ID Plus, RSA MFA can even extend across on-premises, multicloud, and hybrid environments.
Try it yourself: sign up for a free, 45-day trial of ID Plus to test out MFA delivered via MFA, OTP, passwordless, and more.
