Navigating the PCI DSS 4.0 transition and meeting compliance with phishing-resistant YubiKeys

In just a few days, on March 31, 2025, decision makers in industries that involve payment processing – including financial services, retail and hospitality, and telecommunications – must complete the transition to Payment Card Industry Data Security Standard (PCI DSS) 4.0. This deadline is a critical juncture for every organization handling payment card data: compliance with the updated standard is essential for maintaining robust security and avoiding penalties. Organizations need to assess their current security measures now and confirm they align with the PCI DSS 4.0 requirements. Missing the deadline risks not only non-compliance penalties but also continued exposure to phishing attacks.

The PCI Security Standards Council (PCI SSC) continues to invest in the standard, refining the core 4.0 release with a 4.0.1 update. The latest revision speaks to the need to tie digital identities to individuals, to prove that identity at regular intervals, and to implement strong multi-factor authentication (MFA) in line with best practices. Notably, PCI DSS 4.0 refers to NIST Special Publication 800-63's definition of phishing-resistant MFA – which includes FIDO2/WebAuthn-based authentication such as YubiKeys, and smart cards (YubiKeys can also be used as PIV-compatible smart cards). The requirement also specifically references the FIDO Alliance when choosing authentication factors.

Across financial services, account lockouts caused by phishing and credential theft demonstrate the need (and now the requirement) for strong, phishing-resistant MFA. PCI DSS goes a step further and acknowledges the need to reduce reliance on human knowledge, asking organizations to consider how users interact with systems and how to make authentication as easy as possible without shifting the burden onto the user. When evaluating an authentication solution against these requirements, look for one that is user-centric, strongly tied to identity, and phishing-resistant.

How YubiKeys meet PCI DSS 4.0 compliance

Financial institutions and organizations that handle payment processing information are prime targets for cyber criminals, with phishing attacks and account takeovers posing significant risks. AI-driven phishing campaigns exploit the same human weaknesses as before, now at greater scale and with the help of phishing kits and malware-as-a-service. PCI DSS 4.0 includes a number of requirements designed to address these evolving threats and to ensure that organizations handling payment card data maintain robust cybersecurity practices.

Long story short: the weaker your MFA posture, the greater your compliance burden. That means longer cybersecurity policies, more user training, and more compensating controls to manage risk.

The solution? Apply strong, phishing-resistant MFA to all employees in order to create phishing-resistant users.

As hardware security keys holding device-bound passkeys, YubiKeys play a pivotal role in achieving this goal while maintaining PCI DSS 4.0 compliance. The private key never leaves the device and the credential is bound to the legitimate site's origin, so even if a password or one-time code is phished, an attacker cannot sign in without the physical key. The touch sensor on the YubiKey verifies user presence: the authentication is performed with real intent by a person at the device and cannot be triggered remotely or by software alone. This level of security not only helps organizations comply with PCI DSS 4.0, but also reinforces a commitment to protecting client and customer data and maintaining brand reputation.
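The origin binding and the touch described above only become a guarantee when the relying party (RP) actually checks them on each sign-in. The following is an added example, not Yubico's code and not part of the original post, showing the RP-side checks on a WebAuthn assertion using only the Python standard library: the origin in clientDataJSON must be one the RP owns, the rpIdHash in authenticatorData must match the RP's own ID, and the user-presence (UP) flag must be set, which is the protocol-level record of the key being touched. The RP ID bank.example, the allowed origins, the fixed challenge, and the three sample assertions are constructed for illustration. Signature verification over authenticatorData || SHA-256(clientDataJSON) with the credential's stored public key is the remaining step and is not shown.

```python
"""Relying-party checks on a WebAuthn assertion (added example, stdlib only).

The RP ID, origins, challenge and assertion bytes below are constructed for
illustration; a real RP receives clientDataJSON and authenticatorData from
the browser and also verifies the signature with the stored public key.
"""
import base64
import hashlib
import json
import struct

# authenticatorData flag bits (WebAuthn spec, authenticator data layout)
FLAG_UP = 0x01  # user present: the key was physically touched
FLAG_UV = 0x04  # user verified: PIN or biometric was also checked

# Constructed relying-party configuration (hypothetical names).
RP_ID = "bank.example"
ALLOWED_ORIGINS = {"https://bank.example", "https://login.bank.example"}
# Constructed fixed challenge; a real RP uses os.urandom(32) per ceremony.
CHALLENGE = bytes(range(32))


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {"rp_id_hash": auth_data[:32], "flags": auth_data[32], "sign_count": sign_count}


def verify_assertion(rp_id, allowed_origins, expected_challenge, stored_sign_count,
                     client_data_json, auth_data, require_uv=True):
    """Return (ok, reason) for the structural checks an RP performs before
    verifying the signature."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    origin = client.get("origin")
    if origin not in allowed_origins:
        return False, f"origin {origin!r} not in allowed set"
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch: credential scoped to another RP"
    if not parsed["flags"] & FLAG_UP:
        return False, "user presence flag not set"
    if require_uv and not parsed["flags"] & FLAG_UV:
        return False, "user verification flag not set"
    new_count = parsed["sign_count"]
    if (new_count or stored_sign_count) and new_count <= stored_sign_count:
        return False, "signature counter did not increase (cloned key?)"
    return True, "ok"


# Helpers that build the two browser-supplied structures for the demo.
def make_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def make_client_data(challenge: bytes, origin: str) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin, "crossOrigin": False}).encode()


def demo():
    """Three constructed assertions: genuine, relayed via a look-alike site, and no touch."""
    genuine = verify_assertion(RP_ID, ALLOWED_ORIGINS, CHALLENGE, 41,
                               make_client_data(CHALLENGE, "https://bank.example"),
                               make_authenticator_data(RP_ID, FLAG_UP | FLAG_UV, 42))
    phish_domain = "bank.example.login-secure.test"  # constructed look-alike domain
    phished = verify_assertion(RP_ID, ALLOWED_ORIGINS, CHALLENGE, 41,
                               make_client_data(CHALLENGE, "https://" + phish_domain),
                               make_authenticator_data(phish_domain, FLAG_UP | FLAG_UV, 42))
    no_touch = verify_assertion(RP_ID, ALLOWED_ORIGINS, CHALLENGE, 41,
                                make_client_data(CHALLENGE, "https://bank.example"),
                                make_authenticator_data(RP_ID, FLAG_UV, 42))
    return genuine, phished, no_touch


if __name__ == "__main__":
    for label, result in zip(("genuine", "phished", "no_touch"), demo()):
        print(f"{label}: {result}")
```

In a live phishing attempt the browser already refuses the look-alike site access to the bank.example credential, because the RP ID is enforced client-side and the authenticator signs over the hash of that ID; the RP-side checks above are what turn that browser behaviour into something the server can verify rather than trust. The UP flag check is the server's view of the touch: an assertion produced without it, as in the third sample, is rejected even though every other field is valid.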

For more about the requirements for PCI DSS 4.0, we welcome you to check out our recent webinars here and here, as well as our solution brief.
