Digital Payment Security: Trends and Realities of 2025

As we navigate 2025, the digital transformation continues to reshape industries, with the financial sector  at its forefront. Digital payments are no longer an emerging trend, but a fundamental part of the global  economy.

In 2023, global e-commerce sales reached an estimated $5.8 trillion, according to Statista. This growth  trajectory continues, and it’s critical to acknowledge that with it comes an amplified risk landscape.  Cybercrime is becoming increasingly sophisticated, leveraging AI and exploiting vulnerabilities in new  digital payment systems. Therefore, robust protection of payment card information is more crucial than  ever.

The Payment Card Industry Data Security Standard (PCI DSS) remains a cornerstone of this protection.  Established in 2004, and now in its version 4.0.1 (updated in June 2024), PCI DSS sets the baseline for  securing cardholder data processed, stored, or transmitted by organizations. Compliance is not optional,  but the specific requirements depend on your transaction processing methods.

PCI DSS: Key Controls Now Mandatory in 2025

As of April 2025, several key controls of PCI DSS v4.0.1 have become mandatory, demanding more  complex implementation. These include:

1. Sensitive Authentication Data (SAD) encryption, including CVV, during authorization. 2. Technical controls to prevent PAN copying via remote access.
2. Targeted Risk Analyses (TRAs) to determine control periodicity.
3. Malware scanning on removable media.
4. Secure payment script management.
5. Authenticated internal scans.
6. Payment page script monitoring.

A significant evolution within PCI DSS is the emphasis on “Targeted Risk Analysis” (TRA). Defining the  periodicity of controls now requires a documented risk analysis of the control and its applicable assets.

AI and PCI DSS in 2025

Artificial intelligence continues to be a driving force in 2025, including within PCI DSS compliance. AI can  assist with controls like code cross-reviews, and generating secure code recommendations. Tools  leveraging AI can also streamline inventory management and payment script monitoring.

Scope and Data Discovery

A critical responsibility for organizations in 2025 is the accurate identification and monitoring of their PCI  scope. Data discovery tools are essential for demonstrating the proper definition of the Card Data  Environment (CDE). We have seen an evolution of PCI scope where every time more merchants are using  Tokens in their environment helping them to reduce drastically the scope of their PCI assessment.

The Ongoing Evolution of Cybersecurity

Cybersecurity in 2025 is a dynamic field, adapting to evolving threats and attack vectors. Compliance with  PCI DSS is paramount for protecting cardholder data, maintaining trust, and safeguarding information.  The new and dynamic environments in cloud allow multiples features that could be helpful to the  compliance of different control but at the same time bring new risk that must be evaluated and considered  while implementing these kinds of solutions. As we move forward, continuous vigilance and adaptation are key to navigating the digital payment security landscape.

About the Author

Oswaldo Silva is the Mexico Vice-President of Operations and Redteam at GM Sectec, where he leverages  his extensive expertise to enhance organizational security through structured risk management and the  implementation of diverse security solutions.

A seasoned information security professional, Oswaldo holds prestigious certifications including CISSP,  CISM, CEH, PCI-QSA, PCI-SSA, PCI-SDLC, and ISO/IEC 27001 Lead Auditor. He also holds a Master in  Technology Management (MATI). A PCI-QSA since 2016, Oswaldo is dedicated to advising and supporting  security improvements across the payment ecosystem.

His passion lies in the continuous analysis of emerging security technologies, regulatory compliance, and  risk management methodologies to ensure robust information assurance.