
Why security researchers are key to PCI DSS v4.0 compliance

Over the last few years, the financial industry has been tightening its rules to counter growing cybersecurity threats. Credit and payment card data are naturally a top target for cyber criminals and therefore a priority for security efforts, especially as the average cost of a data breach has risen to $4.88 million.

This is where the Payment Card Industry Security Standards Council (PCI SSC) steps in with the latest version of its Data Security Standard (PCI DSS), Version 4.0. Building on previous versions, PCI DSS v4.0 calls for all entities involved in storing, processing or transmitting payment card data to adopt significant additional security measures, including automated detection and prevention of attacks against public-facing web applications and strengthened defences against phishing. While these steps mark a positive move towards securing the industry, time is running out: the future-dated requirements become mandatory on 31 March 2025, leaving many organisations under pressure to achieve full compliance by that deadline.

The challenge of implementing PCI DSS v4.0 can seem overwhelming, but there is a community of security researchers who are stepping up to ease the process. This community plays a pivotal role in finding vulnerabilities and reporting them before malicious actors can exploit them. Their expertise aligns well with PCI DSS requirements and can help organisations meet the new security standards with greater ease.

Security researchers, often referred to as ‘good faith’ or ethical hackers, test organisations’ digital infrastructures to uncover weaknesses that might otherwise remain hidden. While some companies may hesitate to engage with the community due to misconceptions or outdated views, many organisations have already benefited from working with these researchers. Today, there are well-established practices and systems for working with good faith security researchers. This collaboration can simplify the process of finding and fixing vulnerabilities, particularly under the new PCI DSS regulations.

Organisations can adopt a vulnerability disclosure policy (VDP) or a bug bounty program to tap into this expertise. A VDP gives third-party security researchers a structured, authorised way to report any vulnerabilities they find, so that the security team can triage and fix them before a bad actor exploits them. Bug bounty programs go further by offering monetary rewards for reported vulnerabilities. PCI DSS v4.0 explicitly recognises these approaches: the guidance for Requirement 6.3.1, which covers identifying and managing security vulnerabilities, names bug bounty programs as one source organisations can use to learn of vulnerabilities in their software.

These types of proactive security measures are not new to the PCI standards. Several other PCI standards, including Mobile Payments on Commercial Off-The-Shelf devices (MPoC) and the 3-D Secure Software Development Kit (3DS SDK) standard, already require vulnerability disclosure policies. However, the reference to bug bounty programs in PCI DSS v4.0 marks a step forward, signalling the growing importance of proactively engaging external researchers to improve security.

Coordinated Vulnerability Disclosure (CVD) is also gaining traction across industries as a best practice for handling newly discovered vulnerabilities. VDPs are a key part of this coordinated approach and have been adopted by a growing number of organisations, including government agencies. The UK's Ministry of Defence, for instance, has integrated a VDP into its security practices, working with over 100 researchers to find and address vulnerabilities.

In the private sector, leading companies like Visa, PayPal, and Goldman Sachs have adopted security programs that engage the security researcher community to help manage vulnerabilities and maintain compliance with security standards. These organisations have shown that working with the community is not just a compliance exercise but a valuable strategy to safeguard payment systems.

As the deadline for full PCI DSS v4.0 compliance approaches, it is clear that organisations cannot tackle cybersecurity alone. Over 200,000 Common Vulnerabilities and Exposures (CVEs) have been catalogued to date, and no single company has the capacity to track every one that might affect its own estate. For organisations in the payments and financial services industries, the task is further complicated by the intricate network of vendors and partners they rely on, each of which brings its own software and its own vulnerabilities.

The solution lies in collaboration. By engaging with security researchers through VDPs or bug bounty programs, companies can meet compliance requirements while genuinely improving their security posture. These initiatives not only make it easier to identify and resolve vulnerabilities but also contribute to a safer and more secure internet overall.

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
