PCI DSS 4.0 Compliance Requires a New Approach to API Security

March 27, 2025 | 4 MIN READ

by Katrina Porter

Retailers, Financial Services, and the API Security Wake-Up Call

With the PCI DSS 4.0 compliance deadline fast approaching, Cequence threat researchers have uncovered troubling data: 66.5% of malicious traffic is targeting retailers. And attackers aren’t just after payment data. They’re weaponizing APIs to exploit every stage of the digital buying process. The conclusions in this blog are drawn from Cequence’s threat intelligence database, which comprises real attack data from anonymized customer production environments, sampled from billions of transactions.

Cequence blocked over 300 million account takeover (ATO) attempts in the past year alone, and another 822 million attacks were aimed at scraping product prices to fuel scalping and undercutting tactics. These automated threats aren’t just disruptive; they’re designed to bypass traditional defenses and target exposed API endpoints.

APIs are the connective tissue of modern apps. But with organizations running an average of over 800 APIs, blind spots are everywhere. Cybercriminals are exploiting:

  • Credential stuffing and ATOs (300m+ attempts blocked)
  • Loyalty rewards abuse (22m+ attempts blocked)
  • Shopping cart hoarding and inventory fraud (6m+ attempts blocked)
  • Credit card verification abuse (69m+ attempts blocked)

These attacks have very real financial and reputational consequences if not prevented.

Why PCI DSS 4.0 Raises the Stakes for API Security

PCI DSS 4.0 introduces new requirements around automated threat blocking, API security testing, change management, and real-time monitoring. These are welcome updates, but the reality is that attackers are not waiting for compliance deadlines. APIs have become their top target, and traditional security approaches cannot keep up.

One of the most significant shifts in PCI DSS 4.0 is its increased emphasis on flexibility and continuous risk assessment. While this modernized approach allows organizations to tailor security controls to their environment, it also introduces challenges—particularly when it comes to gaining visibility into sprawling API ecosystems and ensuring that every API handling cardholder data is fully protected.

The standard also requires that organizations adopt a proactive approach to application security testing, encryption of cardholder data during transmission, and active monitoring for malicious behavior—all of which are critical for identifying and stopping threats targeting APIs.

How Attackers Are Exploiting PCI Gaps Through APIs

As organizations work to meet PCI DSS 4.0 controls, cybercriminals are already exploiting gaps in payment infrastructure through:

  • Automated account takeovers that test massive volumes of stolen credentials to gain access to legitimate user accounts
  • API scraping to undercut competitors’ product pricing and gain competitive advantages
  • Loyalty program abuse, where points are drained and monetized like cash
  • Credit card verification fraud, which runs small test transactions to validate stolen credit cards

These aren’t isolated incidents. Cequence data shows these tactics are being used at scale and often go undetected until real financial damage has occurred.

A Path Forward: Beyond Compliance Toward Resilience

Meeting PCI DSS 4.0 requirements is a critical milestone, but it should be seen as a baseline, not a finish line. True resilience comes from understanding how attackers are abusing business logic and APIs to bypass traditional defenses.

Here are a few steps organizations should take now:

  • Ensure all Primary Account Number (PAN) data is encrypted when transmitted over public networks
  • Inventory and classify all APIs, including internal, external, and third-party
  • Shift left with pre-production API security testing to remediate vulnerabilities prior to production
  • Shield right with real-time bot mitigation and API protection
  • Block scraping, ATOs, and payment fraud attempts before they can succeed

Who’s Most at Risk? Retail and Financial Services

Retail and financial services organizations continue to face a disproportionate level of risk. These sectors deal with high transaction volumes, broad third-party integrations, and sensitive customer data—making them prime targets for malicious actors.

In fact, retail businesses alone accounted for two-thirds of all malicious traffic observed. The combination of seasonality, promotional pricing, and fragmented infrastructure gives attackers plenty of opportunity to launch successful API-driven fraud.

PCI DSS 4.0 brings important updates, but real security goes beyond the checklist. With APIs at the center of digital interactions—and cyberattacks—now is the time to assess your risk, strengthen your defenses, and stay ahead of evolving threats.

Interested in better understanding your API threat exposure? Request a free assessment to gain insights into your API posture and potential risks.

Katrina Porter

Sr. Manager of Corporate Communications

Katrina has a decade of experience in B2B/B2C tech, excelling in strategic comms and digital marketing. Formerly at Cymulate, Attivo Networks, and SentinelOne, she drives global visibility for tech leaders. Her PR work spans Fortinet, Plantronics (HP), Napatech, and more.