March 31, 2025: The New PCI DSS Security Standard Will Hit Thousands of Organisations All Around The World, And Make WAFs Mandatory
Posted: Thursday, Mar 27

Next Monday (March 31, 2025), the transition deadline for the current Payment Card Industry Data Security Standard (PCI DSS) arrives for every organisation, anywhere in the world, that takes payments by credit or debit card. From that date the future-dated requirements of PCI DSS v4.x become mandatory: the new version of the standard, which aims to make payments safer worldwide, brings a whole range of new requirements, and many controls that were previously only “best practices” become full requirements.

That means thousands of organisations across retail, financial services, healthcare and other industries, including merchants, processors, acquirers, issuers and other service providers, will be required to raise their security posture for protecting cardholder data and card transactions.

Organisations that do not comply risk substantial financial penalties. Fines are levied by the card brands on acquiring banks, which typically pass them through to the non-compliant merchant, and are commonly cited as ranging from USD 5,000 to USD 100,000 per month, depending on the severity and duration of the non-compliance.

According to John Yang, Vice President, APJ for Progress, while PCI DSS is an extensive standard, there’s one change that any organisation can start adopting today, and that’s implementing a Web Application Firewall (WAF). 

“Up until now, the standard offered an alternative to deploying a WAF. But from March 31, 2025, as per section 6.4 – and specifically requirement 6.4.2 – the use of a WAF will be a mandatory requirement,” said Yang.

“The good news is that beyond simply ticking a compliance box, WAFs can greatly improve an organisation’s security posture and will be beneficial in the long run as more cyberthreats emerge.”

WAFs inspect the HTTP traffic flowing to and from a web application and can block or flag a wide range of malicious activity, including cookie tampering, cross-site request forgery, cross-site scripting, attacks that exploit security misconfiguration, application-layer denial of service, botnet traffic and web scraping. Many also provide data loss prevention, inspecting responses so that sensitive data such as card numbers is not leaked back to the client.

Yang added: “I urge every organisation that might be affected by the new PCI DSS v4.x standard to explore their options. They can start by assessing the specific security requirements of the web application for which the WAF will be handling access requests, and select a WAF that aligns with those needs.”

The OWASP Core Rule Set (CRS), a free, generic set of attack-detection rules that runs on ModSecurity and compatible WAF engines, is a very helpful resource that organisations can rely on to set up and maintain a WAF.
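As an added illustration of what a minimal CRS deployment looks like (this configuration is not from the original article or from Progress), the fragment below wires the OWASP CRS into ModSecurity in front of a card-handling web application. Requirement 6.4.2 asks for an automated solution that continually detects and prevents web-based attacks, sits in front of the public-facing application, is kept up to date, generates audit logs, and either blocks attacks or raises alerts that are investigated immediately. The directives below address each of those points; the file paths, the paranoia level, the anomaly thresholds and the local rule ID are assumptions to be adjusted for your install.

```apache
# Added example: ModSecurity + OWASP CRS baseline for a card-handling web app.
# Paths, thresholds and the local rule id (100001) are assumptions.

SecRuleEngine On                 # enforce; use DetectionOnly while staging new rules
SecRequestBodyAccess On          # inspect POST bodies (card forms are POSTs)
SecResponseBodyAccess On         # needed for the outbound / data-leakage rules
SecResponseBodyMimeType text/plain text/html text/xml application/json

# 6.4.2 expects audit logs of what was blocked or alerted on
SecAuditEngine RelevantOnly
SecAuditLogParts ABIJDEFHZ
SecAuditLog /var/log/modsec_audit.log

# CRS tuning: these SecActions must appear before the CRS include (or be edited
# into crs-setup.conf). Paranoia level 2 adds rules suited to apps handling
# sensitive data; the thresholds decide how much anomaly score triggers a block.
SecAction "id:900000,phase:1,pass,t:none,nolog,\
  setvar:tx.blocking_paranoia_level=2"
SecAction "id:900110,phase:1,pass,t:none,nolog,\
  setvar:tx.inbound_anomaly_score_threshold=5,\
  setvar:tx.outbound_anomaly_score_threshold=4"

Include /etc/modsecurity/crs/crs-setup.conf
Include /etc/modsecurity/crs/rules/*.conf

# Local rule: refuse to serve any response containing a Luhn-valid 13-16 digit
# number, so an application bug cannot echo a PAN back to the browser.
SecRule RESPONSE_BODY "@verifyCC \d{13,16}" \
  "id:100001,phase:4,deny,status:500,log,\
   msg:'Possible PAN in response body',tag:'PCI-DSS/6.4.2'"
```

Run the engine in DetectionOnly mode first and review the audit log for false positives before switching to On; while in that mode the alerts still have to be investigated promptly to satisfy the requirement. Keep the CRS rules updated from the project's releases, since an out-of-date rule set no longer meets the "up to date" condition.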

“The regulatory landscape around data security, particularly in the payments and card transactions space is only going to tighten in the coming years. Rather than a burden, PCI DSS should be seen as an opportunity to ramp up an organisation’s defences and build resilience in an increasingly risky cyber world,” concluded Yang.
