Cequence Security, a pioneer in API security and bot management, unveiled new insights from its CQ Prime threat research team that reveal a surge in cyber threats as businesses race to comply with the March 31 PCI DSS 4.0 deadline. The research underscores the escalating risks of API-driven fraud, credential stuffing, and payment system abuse, particularly in retail and financial services.
Drawing on billions of real transactions and attack data from Cequence’s Unified API Protection (UAP) platform, the report highlights the growing attack surface cybercriminals exploit in payment infrastructure, loyalty programs, and product pricing systems.
Key findings
- Scale of Credential Attacks: As the PCI DSS 4.0 deadline approaches, automated fraud is accelerating. More than 300 million account takeover (ATO) attempts were blocked in the past year, illustrating the growing scale of credential stuffing attacks.
- Retail’s High-Stakes Battleground: Retailers faced 66.5% of all malicious traffic, highlighting their vulnerability due to high transaction volumes and fragmented security postures.
- Product Search & Pricing Abuse: A staggering 822 million attempts were blocked as 89% of non-ATO bot-driven attacks focused on scraping product pricing. This enables competitive algorithm manipulation, scalping, and real-time price undercutting of legitimate retailers.
- Loyalty Rewards Abuse: Over 22 million fraudulent attempts were blocked as attackers exploited loyalty programs, treating reward points like cash. These accounts are frequently drained due to easier liquidation than stolen credit cards, often going undetected until significant losses occur.
- Shopping Cart & Inventory Abuse: Nearly 6 million attacks were prevented as fraudsters weaponised automation to hoard high-demand products.
- Credit Verification Fraud: Over 69 million attempts were blocked as cybercriminals mass-tested stolen credit card details through low-risk transactions before making larger fraudulent purchases, fuelling the circulation of compromised payment data.
PCI DSS 4.0 introduces critical security updates, but many businesses still struggle with API protection
“PCI DSS 4.0 is pushing businesses to modernise security, but many are still scrambling to catch up, giving attackers the perfect opportunity to strike,” said Randolph Barr, CISO at Cequence.
“Account takeovers remain the biggest threat, but we’re also seeing a wave of new, highly sophisticated attacks exploiting every stage of the digital payment process. The common thread? APIs. Attackers are sidestepping traditional security defences and going straight for API endpoints that handle cardholder data - one of the most critical yet overlooked vulnerabilities. Businesses that focus only on compliance risk falling behind.”
While PCI DSS 4.0 introduces critical security updates, many businesses still struggle with API protection, an area that attackers are actively exploiting.
Key actions recommended by Cequence
To ensure compliance while defending against real-world threats, Cequence recommends these key actions:
- Ensure Secure Data Transmission: Encrypt all Primary Account Number (PAN) information when transmitted over open, public networks to prevent unauthorised access.
- Secure API Endpoints: Identify all API endpoints that transmit PAN and ensure they only transmit encrypted PAN, reducing the risk of data exposure.
- Proactively Identify Vulnerabilities: Inspect custom application code for security flaws before deployment using automated tools to identify risks in APIs, third-party integrations, and custom applications.
- Continuously Test and Monitor: Regularly test APIs and applications for misconfigurations or vulnerabilities before production and monitor them for anomalous or malicious behaviour in real time.
- Deploy Automated Preventative Controls: Use security solutions that prevent both conventional attacks and business logic abuse while ensuring sensitive data is not exposed to unauthorised entities.
- Implement Real-Time Threat Prevention: Identify and block malicious traffic before it reaches your applications using intelligent, automated security mechanisms.
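The "Continuously Test and Monitor" and "Implement Real-Time Threat Prevention" actions above call for detecting the two attack patterns the findings describe: credential stuffing (many failed logins across many distinct usernames from one source) and credit verification fraud (many low-value authorisation attempts with many distinct cards from one source). The following is an added illustration, not code from Cequence or its UAP platform. It runs sliding-window detection over constructed sample telemetry; the IP addresses come from the RFC 5737 documentation ranges, and the window sizes, thresholds and the 2.00 low-value cut-off are assumed values that a real deployment would tune to its own traffic.

```python
from collections import defaultdict

# Constructed sample telemetry (not real traffic). Timestamps are seconds since an
# arbitrary epoch. 203.0.113.0/24 plays the attacker, 198.51.100.0/24 a normal user.
LOGIN_EVENTS = [
    # (timestamp, source_ip, username, login_succeeded)
    (t, "203.0.113.7", f"user{t:02d}@example.com", False) for t in range(25)
] + [
    (100, "198.51.100.5", "alice@example.com", False),
    (101, "198.51.100.5", "alice@example.com", False),
    (103, "198.51.100.5", "alice@example.com", True),
]

AUTH_EVENTS = [
    # (timestamp, source_ip, card_token, amount, approved)
    (10 * i, "203.0.113.9", f"tok{i:02d}", 0.50 + 0.05 * i, i % 3 == 0) for i in range(12)
] + [
    (200, "198.51.100.8", "tok99", 45.00, True),
    (260, "198.51.100.8", "tok99", 60.00, True),
]


def _burst(items, window, min_count, min_distinct):
    """Scan (timestamp, key) pairs sorted by timestamp with a sliding window of
    `window` seconds. Return (count, distinct_keys) for the largest window that
    reaches both thresholds, or None if no window qualifies."""
    best = None
    start = 0
    for end in range(len(items)):
        while items[end][0] - items[start][0] > window:
            start += 1
        span = items[start:end + 1]
        distinct = len({key for _, key in span})
        if len(span) >= min_count and distinct >= min_distinct:
            if best is None or len(span) > best[0]:
                best = (len(span), distinct)
    return best


def detect_credential_stuffing(events, window=60, min_failures=20, min_users=15):
    """Flag source IPs whose failed logins in any `window` reach `min_failures`
    across at least `min_users` distinct usernames (thresholds are assumptions).
    A single user mistyping a password repeatedly does not qualify."""
    failures_by_ip = defaultdict(list)
    for ts, ip, user, succeeded in sorted(events):
        if not succeeded:
            failures_by_ip[ip].append((ts, user))
    flagged = {}
    for ip, fails in failures_by_ip.items():
        hit = _burst(fails, window, min_failures, min_users)
        if hit:
            flagged[ip] = {"failed_logins": hit[0], "distinct_users": hit[1]}
    return flagged


def detect_card_testing(events, window=300, min_attempts=10, min_cards=8, max_amount=2.00):
    """Flag source IPs that push many low-value authorisations (<= max_amount) with
    many distinct card tokens inside `window`, the pattern of mass-testing stolen
    card details with small transactions. Also reports how many were declined,
    since card testing typically shows a high decline ratio."""
    low_value_by_ip = defaultdict(list)
    declines_by_ip = defaultdict(int)
    for ts, ip, card, amount, approved in sorted(events):
        if amount <= max_amount:
            low_value_by_ip[ip].append((ts, card))
            if not approved:
                declines_by_ip[ip] += 1
    flagged = {}
    for ip, attempts in low_value_by_ip.items():
        hit = _burst(attempts, window, min_attempts, min_cards)
        if hit:
            flagged[ip] = {
                "low_value_attempts": hit[0],
                "distinct_cards": hit[1],
                "declined": declines_by_ip[ip],
            }
    return flagged


if __name__ == "__main__":
    print("credential stuffing:", detect_credential_stuffing(LOGIN_EVENTS))
    print("card testing:", detect_card_testing(AUTH_EVENTS))
```

Both detectors key on a source IP only so the sample stays short; in production the same windowed logic would be applied per session, per device fingerprint or per ASN as well, because distributed bots spread attempts across many addresses. The flagged output is what a blocking rule or rate limiter would act on.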
