What Does PCI DSS V4 Mean for Online Gaming and Gambling?


Consumers have a heightened expectation for the security of their data, and the realm of online gaming and gambling is no exception. In some cases, to ensure the safeguarding of personal information, international regulations like GDPR have been enacted by governments, but in others, private companies set the bar.

The Payment Card Industry Security Standards Council (PCISSC) is a global forum created to increase security standards for safe payments across the globe.

So, what is the PCISSC?

The PCISSC was established in 2006 by the major credit card companies American Express, Discover, JCB International, MasterCard, and Visa. The organisation focuses on four main goals:

  1. Enhancing industry participation and knowledge

  2. Updating security standards and validation

  3. Securing emerging payment channels

  4. Increasing standards alignment and consistency

To fulfil its mission to enhance security standards, the PCISSC created the Payment Card Industry Data Security Standard (PCI DSS) which sets the minimum technical and operational requirements for safeguarding payment data. The guidelines are updated regularly to address new security threats, with the latest version, 3.2.1, released in 2018. 

However, the way people make purchases has undergone a significant transformation during this time, with a rise in the use of point-of-sale machines. Furthermore, a growing number of organisations use cloud-based services. This has prompted the PCISSC to announce the release of PCI DSS Version 4 in March 2022.


What distinguishes PCI DSS Version 4 from previous incarnations?

Some of the key requirements in previous versions of the PCI DSS still apply in Version 4, but with a twist – they’ve been reimagined to provide more flexibility. Here’s what online gaming and gambling businesses need to know about the changes.

Protection against malware – staying ahead of the game

The ongoing war against malware means security protocols must continuously adapt. Version 4 means compliance tests are no longer enough – security must now be an ongoing process with regular data checkpoints to enhance overall protection. And every PCI DSS requirement will have a designated staff member, with more detailed reporting for increased transparency. 

Additionally, merchants must locate and track all unencrypted primary account numbers (PAN) every year or whenever significant changes occur to the data environment. Businesses in the online gaming and gambling industry will therefore have to locate and account for every source and location of non-encrypted (cleartext) PAN. This helps to secure cardholder data during transmission, a common weak point for malicious attacks.

Greater security flexibility

The revised guidelines have eliminated specific language related to technology solutions, such as firewalls and routers, to allow companies more flexibility in their security measures. Businesses now have the flexibility to choose customised solutions that fulfil the requirements, so long as the intended purpose is met. This alteration eliminates the need for cumbersome compensating controls.

Personnel security requirements

PCI DSS V4 also emphasises the need for increased security measures for personnel with access to cardholder information. Before, passwords had to be at least seven characters long, but Version 4 requires passwords to be at least eight characters, with a recommended length of 12 characters if the system permits. Password changes are mandatory at a minimum every 12 months, privilege reviews every 6 months, and third-party accounts must be monitored and enabled only when necessary.

Future iterations of PCI DSS may introduce new security methods to replace passwords, and V4 is viewed as a stepping stone in that direction. The updated regulations mandate that every individual with access to data must possess a distinct ID. However, implementing physical tokens can present operational difficulties for many organisations. Multi-factor authentication using two or three steps, as well as biometric factors such as physical or behavioural biometrics, are becoming increasingly widespread and may soon become standard.


What should online gaming and gambling businesses do in response?

The PCISSC has allowed a two-year transition period for businesses to get up to date with the new guidelines, so PCI DSS V4 will not be enforced until March 2024. 

In the meantime, organisations can take the following five steps to ensure they are prepared for when the moment arrives.

  1. Review and understand all the requirements of the update

  2. Compare existing policies and procedures to the new requirements

  3. Assign a staff member or team to oversee the transition

  4. Eliminate unnecessary data from systems

  5. Regularly update, test, and document all security activities


And if organisations fail to comply?

Failing to comply with PCI DSS means facing significant penalties, including fines ranging from $5,000 to $100,000 per month from the founding credit card companies of the PCISSC. However, the consequences of non-compliance extend far beyond this. Consumers expect their payment information to be secure whenever they enter their card information or use a machine. Failing to abide by the PCI DSS guidelines can cause significant harm to an organisation’s reputation and lead to decreased sales and increased customer attrition.