This episode of Coffee with the Council is brought to you by our podcast sponsor, Galix.
Welcome to our podcast series, Coffee with the Council. I'm Alicia Malone, Senior Manager of Public Relations for the PCI Security Standards Council. Today, I am joined by Lance Johnson, who has been the Executive Director of the Council for more than six years and a member of the payments industry for more than 40 years. In light of your recent retirement announcement, we're here to reflect on all the moments that have defined your distinguished career, Lance, and to of course, thank you for all of the contributions you've made to our industry.
Lance Johnson: Hi, Alicia, and thank you for having me here. It's my pleasure to be here and to be part of the Council. It's been an honor over these last several years to be doing the work with the payments industry in this role.
Alicia Malone: So, let's go back to the beginning, Lance, when you first started your career in the payments industry. You started out at VISA. Tell us about those early days and how you found your way to the Council.
Lance Johnson: Well, actually I started in payments before VISA. I was in banking, which is how I actually ended up at VISA in the risk management area. For those who were around at that point, that was the mid-1980s. And most of the people in security and risk were ex-law enforcement because fraud back then was really concentrated a lot on lost, stolen cards, physical card counterfeiting, and there was a little bit of mail order fraud. It was a very different fraud environment than it is today, or even was 10 years or 15 years ago. Those ex-law enforcement were really good at pursuing the criminals and stopping them. But when I came into the industry through VISA, from banking, there were a whole bunch of exciting new technologies which were being developed and they were in the beginning of their deployment, like the really fancy and cutting-edge magnetic stripes, online terminals, and some counterfeit-resistant plastics using some various techniques. All of these things at the time were revolutionary and they were really having a significant impact on payment efficiency, the processing efficiency, and the security of card payments. I was brought in as a banker and charged with helping sort out how to use them more effectively as part of a technical tool set, helping law enforcement, helping the security people better utilize these advancements. But looking at fraud, not from a crime and an impact standpoint, which is a lot of what the law enforcement people did, but also from the broader overall impact of what fraud did to the industry. It wasn't minimizing the individual crime on the individual. It was really looking at what the overall impact of fraud was doing to the industry. That's actually how I got into working with risk management from a banking background.
How did I end up getting through to doing stuff with PCI? Well, that was really through a series of convoluted role changes. A lot of that mimicked the changing technology in the industry. The big step for me was probably moving on initially to chip cards. Prior to that, I'd been working with some initial activities around the precursors to neural networks. But everybody was working on chip technology, so I was assigned to work on that. And that's actually how I built the baseline understanding of how to work in a collaborative environment because the chip card technology was new. Everybody was deploying it in various proprietary forms. There was a lot of effort going into making it interoperable, but there wasn't a lot of effort going into making the security across that technology. So, my challenge and my job function was to create a security environment for chip cards that could be expanded and incorporated across the industry. That's really how I learned how to work with all of the other brands and all the other partners and participants in the industry through that effort.
Next from that was an obvious expansion, where I started working on vendor security practices across all of the payment networks and payment brands. And really, all of that took me from the mid-1980s up to the early 2000s. And I think everybody can look back at the early 2000s, the time when the internet was really in its infancy, from a commercial standpoint. It was getting traction. It was getting some momentum. The commercial side was really excited about what it provided us with as far as opportunities to extend the reach of electronic payments, opportunities to ease the implementation of these access to new tools, and such. But equally the criminals were looking at it, rubbing their hands and enjoying the opportunities that they saw because it was a fertile field for them. Data aggregation was something where they hadn't had much opportunity before, but now they were looking at the data, not the product like a card, but the data. And it was really becoming a concern to the industry because breaches were starting to grow, and people were starting to ask the value of these new technologies and these systems. So, the brands came together and in coming together, they really were focused on how much breaches were a concern and they wanted to work in such a way to align their actions against those activities.
Many of you can think back to this when - and I'll talk from VISA's perspective since I was there - when CISP was introduced by VISA. And we can thank Lauren Holloway for that. She was a key part of that. And that, along with the various other tools and capabilities and programs from all of the brands, were used as a foundation for the creation of a common set of requirements for the industry. That was really in like 2003, 2004. And it was in 2004 that I was brought into the mix because I'd actually had experience bringing these various partner organizations to the table and working with them to get a common set of requirements, a common framework, for everybody to work under. And the assignment for me was to do the same for PCI, which wasn't even called PCI at that point. It was still in its pre-PCI days. But with all of the outstanding people that were put onto the effort from all of the participants, VISA, Mastercard, American Express, Discover and JCB ultimately it all came together, and it culminated with the launching of the PCI Security Standards Council in 2006. I then spent the next five years on ExCo (Executive Committee) as VISA representative until I retired from VISA, at which point, I ran out and started working in the industry for other organizations. In particular, I ended up running a fintech startup where I learned about all of the impacts and issues that PCI and various standards had on the deployment side. So, I was a stakeholder for seven years after retiring.
Alicia Malone: And then six years ago, your career really came full circle as you accepted the role of Executive Director to lead the Council. What made you decide to take on that role?
Lance Johnson: Alicia, that is one of the most personally interesting questions you could have asked me because, from the very beginning, after I started working with all my colleagues across the industry, I recognized that the only way we succeed is by working together. The criminals don't necessarily work together, but they certainly learn from each other and share all their knowledge on how to do things. The industry itself works best when they're working collaboratively. There's nothing that they can't really achieve. So, from those days, I've been an absolute cheerleader and advocate of what the Council is, both from the impact it has, but also on the vision of what the Council can be to the industry in the broader sense. And I felt in 2015, 2016, when the opportunity came forward, that my history with the Council in the early days from its establishment for the first five years, and then the subsequent seven years where I was actually one of the stakeholders having to deploy, it gave me a perspective, perhaps even a unique perspective, on how to help the Council grow, how to help it evolve, and how to help it do things better. It really is a testament to what the Council has done, and it has a lot of opportunity to do more. PCI, let me digress here for just a moment.
When we started the Council in the very early days, one of the smartest people that I know was on the Executive Committee, that’s Seana Pitt, and she famously said to all of us who were around the table with her, that if the Council was still in existence in five years, that we collectively have failed in our mission. And I think everybody around the table nodded vigorously that we agreed with her. And within a few years and certainly 10 years later, it really became obvious, but we really didn't understand what we created. It was a true underestimation of the value of the construct of the Council. The Council not only established itself in owning standards and implementing programs, but it grew and succeeded far more than any of us could possibly have anticipated. To the point that it became an industry in and of itself. Its role has expanded, it's gone from just one or two standards up to 15 or 16 at this point; I lose count sometimes. That's what we didn't understand when we started it. But by 2016, when I was coming back to the Council from the industry, it was understood. It was clear the Council had a pivotal and foundational role to security in the industry. And that's what I wanted to be part of again. I wanted to be part of the effort to shape the Council's continued success and its role in the industry as we collectively go together.
Alicia Malone: So much has happened in the past six years, including a global pandemic, which has really changed the trajectory of so many aspects of the payments industry. When you look back at this period of time, what were your biggest challenges and what are you most proud of accomplishing?
Lance Johnson: Wow. That's another one of those questions that really would be best answered over days of thinking about it and just sort of cogitating on the specific elements of it. But I would say there are a number of areas, really the changing nature of the payments industry, of the environment that everybody operates in. We've always been subject to change, but in the last six years, particularly with what the pandemic did, new technologies, new participants, new business models have come in at an astonishing rate. And the pandemic did exactly what we didn't expect it to do. It accelerated that change. It created a situation where everything that people had been planning for 10 years was happening in 10 months. It fundamentally shifted the perspective of how payments needed to occur, how we needed to engage with organizations, and how things needed to happen. So, it was really one of those opportunities to reassess everything that we do. Now, when I say reassess everything we do and look to the future, one of the key elements of that is not undermining the foundation we have because the foundation of where the Council started, how it has grown, and the contributions that have been made to the Council's success by the industry can't be overlooked. They have to be incorporated into everything that sets the stage for going forward. And that means everything from the existing practices and tools, but also the stakeholders. You can sort of look at it from a challenge standpoint.
You can sort of look at the industry as a multi-headed animal. That animal is standing on a road and one of the heads is looking down the road and seeing a pasture where there are fruit trees. And it wants to go down and take care of these new sweet fruits. It wants to eat it. They're really enticing. And it knows if it can get the body to go with it, the other two heads will just come along. One of the other heads is looking at an area adjacent and saying, well, this is really just comfortable. Let's stay here for a while and rest. And then the last head is looking and saying, you know, there are other structural issues. We're really thirsty and there's water right here. Why don't we focus on the things we need to do here and now and just take a drink and then maybe go get some of that fruit or maybe take a rest. They're all pulling in different directions. Maybe that's a bad analogy, metaphor, but it really is all of the different aspects of the industry are looking at the industry through their own lens. And that's what makes it so exciting, but it's also what makes it challenging to get everybody to agree on what the next step should be.
I would say that if I were to look at those challenges, they actually do frame what I consider the biggest successes. But let me just clarify something. I don't consider the successes mine. They're not mine. Because I could have stood on the street corner on some sort of podium box and said anything I wanted to, but it doesn't have any value unless everybody else is collaborating and working on it together. So really the success that we've had, the successes the industry is experiencing, is due to the collaboration of the participants. I'm proud of what the Council is. I'm proud of what the Council has accomplished. But what the Council is in its broadest sense, the people and all of the stakeholders, it's that team that made it happen, not me. I was just at the right type of place at the right time to be able to maybe highlight some aspects of the options.
Alicia Malone: When you reflect upon your career, Lance, are there any defining moments or memories that you can share with us that made an impact on you?
Lance Johnson: Wow, yes, many. And for this, I'll sort of exclude some of the family-related ones. While they're more poignant personally, the focus here should be on PCI. Realizing the importance that the Council and its efforts have become to the industry, I knew the Council was a fulcrum point for a lot of activities, but within a few months of coming back to the Council, I realized just how much the industry relied on what was coming from the Council. As a matter of fact, there's an entire sub-industry within payments, which is exclusively PCI SSC standards and programs related. And it's a huge, dynamic, active, environment, globally. That was the first part of the realization of really how all of this activity was important to the future of payments. And one of the things that's clear is that financial payments are the lifeblood of modern society. So, we have to get a lot of this right. Equally, one of the things I found about the time that I realized just how important the Council and its activities had become to the industry, was how fragile that relationship was. Keeping the alignment, keeping the participation, the partnership, the collaborative perspective of all the participants first and foremost is a lot of work.
And it's necessarily important for that collaboration and for that partnership to continue because it doesn't take much to break that. And if it breaks, then what you have is a lot of the diverse differences driving change in the industry that really just open up the opportunity for bad things to happen, whether the criminals are identifying a gap that somebody hadn't identified that would have been had the right people been around the table or something else happens. This is how we work. We're heavily dependent upon everybody's work, but that dependence and that collaboration is a fragile thing that needs to be nurtured and protected.
Alicia Malone: What has been the most rewarding aspect of your career at the Council? What do you want your legacy to be?
Lance Johnson: Well, the first part of that is easy. It's the team, it's the people. Honestly, it's the PCI staff, all of the colleagues across all of the organizations, the stakeholders, it's the whole noisy competitive ecosystem of payments. It's just absolutely energizing. It's addictive in many respects. It's a fun environment, challenging and frustrating at times, but I wouldn't look to do any other area because it's just been that special.
Legacy. That's a hard question to answer because like I said, really, I look at the successes as being the team successes. But if there's one thing that I would hope people would point to, it's that the Council did adapt, it did change, it did grow, and that adaptation and that growth, that evolution, has really set the stage for the Council to stay relevant. All the changes we've talked about earlier in its history, from technologies to the participants, really demonstrate how dynamic the industry is and how much new is occurring. And it would have been easy at various stages for the Council just to get comfortable and say, we're just going to continue doing what we're doing. And that would have been fine for some period of time, but eventually the industry would have outgrown it. The challenge that has been evident over the last few years is how to keep the Council as that organization, which is first and foremost in helping the industry succeed. It really is about making sure the Council is still here in 10 years and still that dynamic and thought leadership organization.
And when I say thought leadership, I don't just mean what's published by the Council. I mean, from all of the organizations which are actively participating in the Council. So, my legacy, is really that the Council has been able to adopt a perspective that change is good and that we shouldn't get rid of stuff just to get rid of it. But when things need to change because the industry has changed or some other threat has represented itself, it's a good thing to go ahead and focus on that and address that as part of our efforts as well.
Alicia Malone: What piece of advice would you leave behind for your peers, your colleagues, and just the industry as a whole?
Lance Johnson: Wow, well, I think I've sort of answered that in the last couple of questions that I've answered. It really is to stay focused on the objectives. Change is inevitable. The industry is dynamic. The challenges that we're going to be faced come from a multitude of known sources, but also a whole bunch of sources that we probably don't even recognize yet. But change is something that we all live with, whether it's from the industry side or even internally. So don't be afraid of it, embrace it. But don't embrace it and become - going back to the metaphor of the challenges of perspective - don't discard what we have. Don't discard and throw away the foundations which have played well. Use those foundations as the basis to address change and to accommodate it and to succeed in that changing environment. And don't be afraid to compete. Competition is good, but it's equally important that we're strongest dealing with challenges when we work together. As I said a moment ago, the bad guys do. And they learn from each other. So, we need to utilize the various strengths that we individually have and make sure that those are all brought together. Doesn't mean that we're not all competitors in one form or another, but we're strongest in dealing with the outside forces or those negative issues that undermine the integrity of the payment system when we work together.
Alicia Malone: So, what's next for you, Lance? What are you most looking forward to in your retirement?
Lance Johnson: Oh, not being governed by my calendar. I would have so many meetings in a given week and then I would have so many meetings in the following week. Having more time on the calendar to be a little more flexible. I'm definitely looking forward to using some of that time to be with friends and family, because during my career, they haven't always been a priority. I've tried to be consistent, but sometimes they have to take a back seat. And I especially want to make sure that I spend time and effort with my wife. And I expect to find some other challenges. I don't expect to walk away. I'm not a “front porch, rocking chair” kind of guy, but whatever I do it'll be for the pleasure, for the absolute engagement and hopefully at a less intense level than it has been for the last four and a half decades.
Alicia Malone: Yes, you're not completely done yet as you've agreed to stay on in a consulting role until the end of the year as the Council completes the transition with our new Executive Director. Will we see you at the Community Meetings this fall?
Lance Johnson: Wow, well, the CMs are wonderful events. I encourage everyone to take part in them. They are the opportunity to get together. They are the - I heard someone referred to them as - the marketplace for people to share ideas. I think that they're absolutely wonderful. I love the CMs. And I do hope that I will be there, but it's a little far ahead still. I know it's only a few months, but given where I am, it's really just an unknown. But I do expect in the future at some point to be part of some of them. But at this point, it's a little too early for me to say whether I'll be at the ones in the fall.
Alicia Malone: Is there anything else you'd like to add before we wrap up today?
Lance Johnson: You know, if I had a long list and 20 minutes, I could go through all of the people and all of the activities that I've worked with all those people on and thank them. Let me just say as a blanket, thank you: It has been an absolute pleasure. It has been an honor. It has been the fulfillment of much of what I have worked on my entire life being here with the Council. The financial industry is the lifeblood of modern society. And the Council is one of those organizations which helps keep the financial industry safe, secure, so that we can, our children can, our colleagues and our friends can, all rely on it and carry on in their lives without having to worry about it.
Alicia Malone: Well, I just want to take this opportunity, Lance, to thank you for all of your contributions to the payments industry, and particularly for your service to the Council. On behalf of everyone at PCI SSC, we want to thank you for all your hard work and dedication to helping the Council grow into the organization it is today, and for your valued expertise and commitment, and for the personal friendships that have been forged over the years. We wish you all the best in your retirement.
Lance Johnson: Alicia, thank you. It has been my pleasure.
Like what you’ve heard? Subscribe to PCI SSC’s “Coffee with the Council” podcast by visiting any of the following platforms: Apple Podcasts, Spotify, Amazon Music, Anchor, Castbox, Google Podcasts, iHeartRadio, Pocket Casts, RadioPublic, Stitcher, Audible, Overcast, or Pandora.