In 2018, PCI Security Standards Council established its first Global Executive Assessor Roundtable (GEAR), consisting of senior leadership members of payment security assessors. The vision for the roundtable was simple: encourage the exchange of information, and increase payment security, through greater coordination with this key stakeholder group. Specifically, GEAR was designed to gather input on PCI assessor programs and payment security issues from the assessor community perspective. Key initial objectives were to gain insight, through the GEAR, into training content and qualification requirements and assessor quality, and to increase assessor availability and engagement in emerging markets. Now, in 2020, GEAR members have completed their first two-year term and are preparing for the upcoming nomination period for the 2020 – 2022 roundtable, which runs from 1 – 26 June.
PCI SSC interviewed Executive Director Lance Johnson about the program’s successful inaugural run and what we can expect from the GEAR in the future.
What kinds of insights did you gain from GEAR’s inaugural members during their two-year service?
Lance Johnson: Two years ago, when we considered the needs and what GEAR’s role would be, we intended to engage the one group who didn’t have an empowered voice: executives in the assessor community. I had high hopes that this initiative would provide the opportunity to hear from executives regarding enhancements for PCI assessor capabilities and skills that broaden service and value to all stakeholders, but especially merchants and processors. It started out as sort of an experiment and, to be honest, I was nervous that bringing together competitors might have the opposite effect than what was intended. I expected it would take a year for the GEAR to feel comfortable working together and helping the Council to improve our programs and standards. But, it actually only took one meeting. From that point forward, the GEAR worked together and represented the assessor community as if they had been doing it for years. The inaugural members are a passionate group of actively engaged assessors who easily set aside competition and, instead, worked collaboratively and supported each other in pursuit of good security. This group exceeded all my expectations, both in their commitment and in their scope of contributions.
As we prepare to welcome a new Roundtable this year, what goals do you hope to achieve in this next two-year term?
Lance Johnson: This next two-year term of GEAR will continue the work already started. A heavy focus will be on the rollout of PCI DSS 4.0, which will be a fundamental change to how we approach assessment and validation for the industry. When we implement this standard, it will fall on assessors to help guide us on what works and what doesn’t. We’ll need feedback about the consequences of changing the assessment models and insight into the changing technologies. In addition to standards implementation, we will also continue, and probably increase our focus on, the efforts surrounding assessor quality and addressing some of the shortages in assessors globally. Particularly, with COVID-19 now changing the landscape so dramatically, we’ll need the GEAR to help the Council and the rest of the industry adapt to the changes without losing security. There will be a greater focus on coming to the table with issues, insights and solutions.
What are the benefits or advantages of sitting on the Global Executive Assessor Roundtable?
Lance Johnson: Let me first start by stating what it means to have a seat at the Global Executive Assessor Roundtable. Seated members are expected to contribute as representatives of their companies and of their communities. There is an expectation that they will attend meetings, argue their positions and present new thoughts or perspectives to the Council. But it is more than just representing their companies. In short, they must represent the broad industry, not just their own business interests. The Council is depending on the GEAR to help craft solutions and provide guidance.
In return, GEAR members get valuable opportunities to be heard by the Council, its affiliates and partners, and our Board of Advisors. GEAR members get the chance to influence the Council’s strategy and direction, create solutions, validate decisions, and influence what happens in our industry.
Building a strong assessor community and developing high quality training programs is a priority for the PCI SSC in its efforts to help secure payment data globally. How does the GEAR program help you achieve this?
Lance Johnson: The GEAR represents a broad cross-section of the assessor community. They see every program and most of the standards. They know, through experience, what it takes to succeed and where there are challenges. The GEAR helps educate the Council on those issues, identifying where we can work more efficiently, recommending what we can do to expand, and leading us to understand how to implement change. Essentially, GEAR extends the Council’s voice internally with their clients and externally as industry spokespeople.
What would you want to tell PCI assessor companies that are interested in serving on the Roundtable this year?
Lance Johnson: Please do. Step forward. Make your voice heard. It is fundamental to the Council’s success to ensure we are hearing from all perspectives in our industry. The GEAR is a serious commitment to improving the Council and payment security. It is intended to cover the broadest range of representation with a manageable number of members who meet the criteria. We encourage your participation on the advisory group and in any of PCI SSC’s many programs.
How to Participate
PCI Assessor Primary Contacts at eligible organizations can nominate senior executives as candidates for the PCI SSC Global Executive Assessor Roundtable. Nominations can be submitted through the PCI SSC portal. For help with login credentials, please contact support@pcisecuritystandards.org.
Eligible companies include any PCI SSC assessor company that has been an active assessor for seven years; is actively participating in at least three assessor programs; is conducting business in at least three assessor regions (not including ASV locations served); and is in good standing* with respect to each PCI Assessor program in which it is a participant.
PCI SSC assessor programs include: 3-D Secure (3DS) Assessor, Approved Scanning Vendor (ASV), Card Production Security Assessor (CPSA), Payment Application Qualified Security Assessor (PA-QSA), Point-to-Point Encryption (P2PE) Assessor, Qualified PIN Assessor (QPA), Qualified Security Assessor (QSA) and Software and Security Framework (SSF) Assessors.
*Good standing means, with respect to a given PCI Program, being in compliance with the applicable rules and requirements of that PCI Program.