Navigating the PCI DSS 4.0 transition and meeting compliance with phishing-resistant YubiKeys

In just a few days, on March 31, 2025, decision makers in industries that involve payment processing, including financial services, retail and hospitality, and telecommunications, must finalize the transition to Payment Card Industry Data Security Standard (PCI DSS) 4.0. This deadline marks a critical juncture for every organization handling payment card data: compliance with the updated standard is essential for maintaining robust security and avoiding potential penalties. Organizations need to assess their current security measures and ensure alignment with PCI DSS 4.0 requirements. Failing to meet the deadline could result not only in non-compliance penalties but also in continued, growing exposure to phishing attacks.

The PCI Security Standards Council (SSC) continues to demonstrate investment and expertise, having enhanced the core 4.0 standard with the 4.0.1 update. The latest revision addresses the need to tie digital identities to individuals, to prove that identity at regular intervals, and to implement strong multi-factor authentication (MFA) in line with best practices. Notably, PCI DSS 4.0 calls for MFA consistent with NIST Special Publication 800-63's definition of phishing-resistant MFA, which includes FIDO2/WebAuthn-based authentication such as YubiKeys, or a smart card (YubiKeys can also be used as PIV-compatible smart cards). The requirement also specifically references the FIDO Alliance when choosing authentication factors.

Across financial services, account lockouts caused by phishing and credential theft demonstrate the need (and the requirement) for strong, phishing-resistant MFA. PCI DSS goes one step further and acknowledges the need to reduce reliance on human knowledge, asking organizations to consider how users interact with systems and how to make authentication as easy as possible without putting the burden on the user. When evaluating an authentication solution against the requirements, look for one that is user-centric, strongly tied to identity, and phishing-resistant.

How YubiKeys meet PCI DSS 4.0 compliance

Financial institutions and organizations that handle payment processing information are prime targets for cyber criminals, with phishing attacks and account takeovers posing significant risks. AI-driven phishing attacks exploit the same human vulnerabilities, now amplified by phishing kits and malware-as-a-service. PCI DSS 4.0 includes a handful of requirements designed to address evolving security threats and ensure that organizations handling payment card data maintain robust cybersecurity practices.

Long story short: the weaker your MFA posture, the greater your compliance burden. This means longer cybersecurity policies, more user training and more controls to manage risk. 

The solution? Apply strong, phishing-resistant MFA to all employees in order to create phishing-resistant users.

As hardware security keys that hold device-bound passkeys, YubiKeys play a pivotal role in achieving this goal while maintaining PCI DSS 4.0 compliance. The use of YubiKeys ensures that even if credentials such as passwords are compromised, attackers cannot gain access without the physical key. The touch sensor on the YubiKey confirms that a real human is present and that the authentication is performed with real intent, since the touch cannot be triggered by a remote attacker or by malware. This level of security not only helps organizations comply with PCI DSS 4.0 but also reinforces their commitment to protecting client and customer data while maintaining brand reputation.
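The two properties described above, origin binding and proof of a physical touch, show up as concrete fields in a FIDO2/WebAuthn assertion that the relying party checks. The following Python is an added illustration written for this page, not Yubico's code or any library's API: it builds constructed `authenticatorData` and `clientDataJSON` values in the shape a browser and authenticator produce, then applies the relying-party checks (rpIdHash, origin, challenge, user-presence flag, signature counter). The relying-party names `bank.example` and `bank-login.example`, the challenge string, and the counter values are assumptions made up for the example. Signature verification with the stored credential public key is deliberately left out so the example runs with the standard library only.

```python
import hashlib
import json
import struct

# Constructed values for this example (assumptions, not from the original post).
RP_ID = "bank.example"
EXPECTED_ORIGIN = "https://bank.example"
PHISHING_RP_ID = "bank-login.example"
PHISHING_ORIGIN = "https://bank-login.example"

FLAG_UP = 0x01  # bit 0: user present (the authenticator's touch sensor was pressed)
FLAG_UV = 0x04  # bit 2: user verified (PIN or biometric on the authenticator)


def build_authenticator_data(rp_id, flags, sign_count):
    """Build the 37-byte authenticatorData an authenticator returns for an assertion:
    SHA-256(rpId) || flags || 32-bit big-endian signature counter.
    The browser, not the web page, supplies rpId, so a phishing page cannot pick it."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def build_client_data(origin, challenge):
    """Build clientDataJSON as the browser would; origin is the one the browser loaded."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()


def check_assertion(auth_data, client_data_json, rp_id, expected_origin,
                    expected_challenge, stored_sign_count, require_uv=False):
    """Relying-party checks that make a WebAuthn assertion phishing-resistant and intent-bound.
    Returns a dict of check name -> bool plus an overall 'accepted' verdict.
    Omitted: verifying the signature over auth_data || SHA-256(clientDataJSON) with the
    credential's stored public key, which a real relying party must also do."""
    client_data = json.loads(client_data_json)
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    checks = {
        "type_is_get": client_data.get("type") == "webauthn.get",
        # Fresh challenge per login defeats replay of a captured assertion.
        "challenge_matches": client_data.get("challenge") == expected_challenge,
        # Origin binding: the browser records the origin it actually loaded.
        "origin_matches": client_data.get("origin") == expected_origin,
        # rpIdHash binding: a look-alike domain hashes to a different value.
        "rp_id_hash_matches": rp_id_hash == hashlib.sha256(rp_id.encode()).digest(),
        # User presence proves a physical touch; malware cannot set this bit remotely.
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV) or not require_uv,
        # A counter that did not advance suggests a cloned authenticator (0/0 = unsupported).
        "counter_advanced": sign_count > stored_sign_count or (sign_count == 0 and stored_sign_count == 0),
    }
    checks["accepted"] = all(checks.values())
    return checks


def demo():
    """Run three constructed assertions: legitimate, relayed from a look-alike site, and no touch."""
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # constructed; a real RP generates fresh random bytes
    legit = check_assertion(
        build_authenticator_data(RP_ID, FLAG_UP | FLAG_UV, 42),
        build_client_data(EXPECTED_ORIGIN, challenge),
        RP_ID, EXPECTED_ORIGIN, challenge, stored_sign_count=41)
    # Look-alike site: the browser binds the assertion to that site's rpId and origin.
    phished = check_assertion(
        build_authenticator_data(PHISHING_RP_ID, FLAG_UP | FLAG_UV, 42),
        build_client_data(PHISHING_ORIGIN, challenge),
        RP_ID, EXPECTED_ORIGIN, challenge, stored_sign_count=41)
    # Malware using the key with no human touch: the UP bit stays clear.
    no_touch = check_assertion(
        build_authenticator_data(RP_ID, 0, 42),
        build_client_data(EXPECTED_ORIGIN, challenge),
        RP_ID, EXPECTED_ORIGIN, challenge, stored_sign_count=41)
    return {"legit": legit, "phished": phished, "no_touch": no_touch}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "accepted" if result["accepted"] else "rejected", result)
```

In practice the look-alike case usually never reaches the relying party at all, because the credential is scoped to the registering rpId and the authenticator will not produce an assertion for a different one; the server-side rpIdHash and origin checks are the defence-in-depth layer that rejects anything relayed past that point. The user-presence flag is what the touch sensor contributes: an assertion produced without it should be treated as unattended and refused.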

For more about the requirements for PCI DSS 4.0, we welcome you to check out our recent webinars here and here, as well as our solution brief.
