The Payment Card Industry Data Security Standard (PCI DSS) has been a critical framework for protecting cardholder data for the last two decades. It’s also presented a major — and gradually rising — compliance challenge for organizations that handle cardholder data.
That challenge is set to ramp up significantly in the coming months, as security standards become even more stringent with PCI DSS 4.0 updates taking full effect in March 2025. To understand how companies are preparing for heightened compliance standards, Protegrity partnered with Gatepoint Research to survey 100 senior compliance professionals across various industries. The survey focused on several essential questions, including:
- What techniques do you use to comply with current PCI-DSS regulations?
- What changes will take the greatest effort to comply with PCI-DSS changes coming in March 2025?
- What is the most important outcome for your investment in PCI compliance technologies?
Key finding #1: Compliance complexity keeps increasing
The biggest challenges in meeting the updated PCI DSS 4.0 requirements? Two-thirds (64%) said that ensuring appropriate process and documentation changes for PCI DSS 4.0 will require the greatest effort and cost. Moving to a different encryption technique — or upgrading their current solution — will also consume significant resources.
These responses highlight the growing complexity of compliance requirements and foreshadow later findings around the need to invest in technologies to modernize compliance programs.
Key finding #2: Tokenization still dominates, but more organizations are adopting defense-in-depth strategies
Tokenization remains the most popular technique for achieving PCI DSS compliance, with 74% of respondents utilizing this method. Tokenization replaces sensitive cardholder data with non-sensitive substitutes, reducing the risk of data breaches and simplifying compliance efforts. Hashing follows closely, used by 57% of respondents as a method for transforming data into secure values that are nearly impossible to reverse.
But the survey showed that these methods of de-identifying data are not the only data protection methods that can be used within an organization’s PCI compliance program. More than one-third (38%) utilize format-preserving encryption (FPE), and 37% said they simplify compliance by reducing the number of systems that interact with sensitive data.
This layering approach signals a broader shift toward “defense-in-depth,” where multiple strategies work together to provide stronger security and more flexible compliance options.
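As an added illustration (not code from the survey or from any Protegrity product), the following minimal vault tokenizer shows the two properties the text attributes to tokenization: the same PAN always yields the same format-preserving token (referential integrity), and only the vault can map a token back. The vault's lookup index is a keyed hash rather than a bare hash; the index key, the token layout and the test card numbers are constructed assumptions.

```python
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Mod-10 check that every real PAN passes; used only to reject malformed input."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        n = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


class TokenVault:
    """Deterministic vault tokenization: one PAN always maps to the same token."""

    def __init__(self, index_key: bytes):
        # The lookup index is an HMAC, not a plain hash, so a leaked vault table
        # cannot be reversed by hashing candidate PANs without the key.
        # Assumption: in production this key lives in a KMS/HSM, not in code.
        self._key = index_key
        self._token_by_index: dict[str, str] = {}
        self._pan_by_token: dict[str, str] = {}

    def _index(self, pan: str) -> str:
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        idx = self._index(pan)
        if idx in self._token_by_index:  # referential integrity: reuse the token
            return self._token_by_index[idx]
        while True:
            # Format-preserving token: same length, last four digits kept so
            # receipts and support screens still work, all other digits random.
            head = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = head + pan[-4:]
            if token != pan and token not in self._pan_by_token:
                break
        self._token_by_index[idx] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back; downstream systems never need to."""
        return self._pan_by_token[token]
```

Every system that stores only tokens and never calls detokenize() holds no cardholder data, which is the scope-reduction effect the survey respondents describe. PCI DSS 4.0 also requires that hashes used to render PAN unreadable be keyed, which is why the vault index is an HMAC rather than a bare SHA-256.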
Key finding #3: Organizations applying advanced data protection beyond PCI DSS
Putting the tools and processes in place to implement strong and agile data protection can be a heavy lift. But more organizations are looking to make the most of those investments — expanding their data protection strategies beyond the scope of their PCI data.
Two-thirds (63%) of respondents say they’re trying to get ahead of the game by transforming all sensitive data — not just credit card information. The potential value of this approach — protecting all valuable and sensitive data with embedded data-centric protection — goes beyond addressing security risks. This approach also helps to free that data to be moved and consumed at speed and at scale by increasing data utility and maintaining referential integrity for cardholder data, which in turn empowers data analytics, unblocks data for AI applications, and accelerates data sharing or outsourcing strategies.
Yet, the survey showed few organizations are realizing this full value of comprehensive, integrated data protection. The focus of PCI data protection solutions remains squarely on security outcomes: reducing cyber risk (81%), improving compliance (76%), and increasing data security (72%). Only 19% say they’re targeting revenue-generating applications that will yield true return on investment from their data protection investments.
Key finding #4: Most aren’t ready for rapidly approaching PCI DSS 4.0 requirements
The final major insight directly speaks to the first point around rising complexity of PCI requirements: Only 32% of respondents say they’re fully prepared to meet PCI DSS 4.0. More than a third (37%) admit they’re not fully ready, including 7% that say they’re outright not prepared.
Perhaps more telling, 72% say they haven’t fully figured out what they need to do — more specifically, the investments they need to make in people, process, and technology — in order to meet the heightened PCI standards and expanded scope.
With March 2025 rapidly approaching, organizations cannot afford to wait any longer to begin the process of modernizing PCI compliance programs. And if they’re unsure of what to do or where to start, now is the time to engage an expert partner that can help them identify the necessary investments and build the processes to meet heightened requirements.
Beyond compliance: Unlocking the value of data
Meeting the updated PCI DSS 4.0 requirements represents a major challenge that will demand significant investments in building out the people, process, and technology to meet these more stringent standards. Our survey shows that security leaders and decision-makers recognize that there is no magic bullet to achieving this higher level of data protection. Effective compliance — and the underlying goal of confident data security — requires a defense-in-depth strategy that layers fit-for-purpose data protection methods to meet the specific data security and data consumption demands of unique types of data.
Moreover, the survey suggests that more organizations recognize the heavy lift of modernizing their PCI DSS compliance program can provide value beyond security, compliance, and the scope of cardholder data. Expanding their data protection program and applying the same fit-for-purpose approach to protecting all sensitive data — embedded into the data itself — will yield significant business value. Not just in terms of mitigating increasing data security risks and related costs, but also (and arguably, more importantly) preparing that highly sensitive and highly valuable data to be moved and consumed in new value-adding, revenue-generating, competitive advantage-building ways.
Ready to de-risk your data and reduce your PCI DSS scope?
In our latest webinar, join Protegrity’s PCI DSS experts for a deep dive into how your peers are using data-centric security to remove systems from PCI scope, reduce compliance obligations, and future-proof the organization against evolving security or privacy mandates.
Visit http://www.protegrity.com/demo to see how fit-for-purpose data protection can transform your business.