Hello everyone, and welcome to our podcast series, Coffee with the Council. I'm Mark Meissner, Senior Vice President for Education and Engagement at the PCI Security Standards Council. Today I'm joined by a panel of current Principal Participating Organizations, or PPOs. The Principal PO program is one of three levels of participation with the Council and defined as a strategic level of leadership and influence with the Council. PPOs get access to exclusive strategy sessions with the Executive Committee, with PCI Council staff, and stakeholders to discuss standards direction, drive technical discussions, and have direct input into Council initiatives.
Listen to the full episode on Spotify or on your favorite podcast player.
Today I want to focus on the value that PPOs find in belonging to the PPO program, why other companies might consider joining as a PPO, and how their collaboration with the Council is helping to drive the future of payment security. So, welcome everybody and let's meet our panel. I'll have each one of our PPOs introduce themselves. I’ll start with Simon Turner.
Simon Turner: Hi, thanks Mark. My name is Simon Turner and I'm Head of Security Governance and Compliance for PCI DSS at BT Group.
Brett Johnson: Hello, Brett Johnson. I run the Americas business for Reflectiz.
Gagandeep Singh: I am Gagan, and I lead the technology governance and compliance function for Salesforce globally.
Mark Meissner: Thank you for those introductions. Simon, I'll start with you, first question. You are based in Europe; you're in the UK. Give us a little snapshot of what are the major issues in payments that you're currently seeing in your region of the world?
Simon Turner: I guess one of the biggest ones we're seeing is the ability for instant payments. We've got the speed versus security tension. The challenge in Europe is that we're pushing hard towards instant payments by default, but with some of the regulation that's mandating real-time payments verification of payee controls, it's certainly been a challenge. But faster payments, obviously the challenge there is reducing the window and the time to detect fraud. So, as an industry, I think what we need to do is we need to maintain trust and ensure that the money can also move in seconds as required.
Mark Meissner: That’s an interesting perspective from Europe. Gagan, I wanted to ask you, your company, Salesforce, recently participated in our AI series. The Council's putting together the AI Exchange: Innovators in Payment Security. The purpose of the series is really to showcase all the great work that's being done in the AI space by PCI stakeholders. I wanted to just ask you, tell us a little bit about why you guys participated in that series and tell us some of the things that you're working on related to AI.
Gagandeep Singh: As everyone would have heard about Salesforce, we are an Agentforce-first company. We are not only using AI in our day-to-day operations, but we are also providing that to our customers. And when we do that, Agentforce as a service, we really wanted to make sure that our AI is not only secure, but also ahead of the game when it comes to security and compliance. That's why I think this AI series was super helpful. From our perspective, we are using AI in our day-to-day operations, compliance, and security. So, we have agents like design review agents and compliance agents, which are performing all of these operations on a day-to-day basis, keeping us more secure and more compliant as we go forward.
Mark Meissner: Very good and we're excited about the AI series. We launched that relatively recently and the popularity of it has really surprised us. There's a lot of companies who want to be involved in it, and there's a lot of companies in the payments industry that are doing some really great things with AI, and that series will continue moving forward. Brett, let me jump to you real quick. Your company does surveys and studies and you recently came out with a report called State of Web Exposure Report for 2026. Tell us a little bit, what is that report and what were some of the key findings?
Brett Johnson: The research report you referenced is really something that we pulled together at the end of 2025, and we do this annually. In the 2026 State of Web Exposure Report, we also compare the findings against the 2024 report. And this comes as a result of our business really monitoring websites for website security, as well as privacy and compliance, such as PCI, as well as consent. So, we do a number of these. We work with companies around the globe, across many different industries. And because we remotely monitor these websites, in this report, we looked at 4,700 websites across 10 different industries. And what could be relevant for those in the PCI group, as an example, is we could look at things like iframes because we can again remotely monitor; we can see all aspects of the site, including the checkout areas, including within iframes. And we can see things such as, even though the number of third-party applications such as tracker technologies went down in 2025, compared to 2024 across industries, the number of over-permissioned apps within those iframes actually increased. So that's a little bit of good and bad at the same time. But in general, we also just observed that more than half of these applications, these third- and fourth-party applications running on sites, are accessing sensitive information without any business justification. So, we have a full breakdown in the report. What are the most frequently offending third parties and fourth parties? What should you look out for? Where are you going to have the most malicious risk? Things like recently registered domains. You'll see sites that have self-deleting code or more redirects, and more trackers. So, all of this is broken down across industry, and it's available complimentary for anyone that would like this report. We also had 128 security leaders surveyed as part of this report, providing their input on the findings.
Mark Meissner: The next question I want to ask and it's really for all three of you. The Council put together the PPO program, and the idea behind it was just really designed for those companies that wanted to be involved at a higher level in what the Council is doing. The PPO program was designed so that companies could really help with the strategic direction of the Council, could also be more involved during the process of developing and updating a standard, and they really have a kind of a window into that process. So, I wanted to ask each one of you, and I'll start with Simon. Simon, why was it important for BT to be a part of this process, and why'd you join as a PPO?
Simon Turner: Thank you. I guess one of the things that BT is all about and one of our goals is to become the most trusted brand. A part of that is delivering the best connectivity of products that we sell, but not only that, but also customer experiences. So, the heart of that is all around trust. We talk about the BT brand being important to the organization. Customers need confidence in us that as a company, we're protecting their data. And that absolutely includes credit and debit card payments as well. So that brings PCI DSS into the mix. So, to support that at BT, we have a specialist internal group that's dedicated to engaging in industry bodies. I'm fortunate to be part of that because PCI DSS being a key part of that around customer confidence brings us into the payment space. And I guess becoming part of the PPO has given us the opportunity to engage with the (PCI Security) Standards Council at a much deeper level than we've had before. Because as an organization, being a multi-omnichannel organization, not only are we a merchant, we're a service provider, and we're part of the UK carrier network. It gives me, personally and as a company, quite a lot of view and being able to impact the way the standards are moving forward is kind of critical to our organization as a whole.
Mark Meissner: Salesforce is a really big-name company. Everybody knows it. Everybody's heard of it. It's a household name. Tell us a little bit about why you wanted to join as a PPO.
Gagandeep Singh: At Salesforce, our number one principle is trust. And we believe that, and it's not just to get a logo. We joined because we believe that the organization that helped write the rules has a responsibility to make them better for everyone. I'll list out a couple of points on why it was important for us and why we wanted to join as a PPO. First and foremost, shaping the standards and not just following them. I think this gives us that unique opportunity to be ahead of the game or understand what kind of rules and regulations are going to come. Secondly, direct access to the Council. The PPOs get early visibility into emerging standards and drafts. That, I believe, is actually a competitive advantage as well, as we go forward. Representing customers and ecosystems: so we have a lot of real-world analysis and experiences and that's what we want to utilize and share when these standards are being formalized. Peer collaboration: you're in the room with the most security-minded organizations in the payment industry. That's something that really excites us as well. And of course, credibility, trust, and giving back to the community. So, we want to show that we're not just following these standards, but we are also part of the life cycle and helping share our experience, making it better for the community, for everyone, for all the other organizations as well. And that's, I think, the crux of why it was important for us and why we wanted to join as a PPO.
Mark Meissner: I think that last point is really important. I know a lot of our PPOs don't look at just being a PPO as representing their company, but sometimes they represent their customers and represent maybe a segment of the industry, and that's important for them as well. Brett, your company is relatively new to the PPO community. I'm curious, what made you interested in joining the Council as a PPO?
Brett Johnson: Yeah, so I think it's consistent with what the other gentlemen have said. We really wanted to be aware of the priorities, the discussions, the trends, and what was of interest too. We have customers that are active participants in the Council. I think about a year ago, it was February of 2025, I was on a call with one of our customers, a big conglomerate with many brands around the world. And while we were on the call going over PCI and reviewing the requirements, the new guidance came out from the Council. So actually, we were sitting around on the call for about an hour reading through the updates together. And I think after that call, the discussion internally was, this would be really nice if we were more actively involved in the Council and we could kind of be informed of the thought process and be representing our customers because we're having a lot of these conversations. And so, as you pointed out, can we take some of that responsibility and bring it to the Council? Because we have some customers that are very active with the Council and their voices are surely heard, but we have many others that aren't.
Mark Meissner: Wonderful. Those are all really good reasons and are exactly why we developed this group. One of the benefits of being a PPO is that you get to be part of the Technology Guidance Groups, the TGG. Those groups drive the technical discussions as standards are being developed or updated. It’s a great opportunity for knowledge sharing and technical oversight. You get a chance to have input ahead of Requests for Comments (RFCs), which a lot of companies find a lot of value in, and it gives you a chance to help shape the standards direction. The product families that are worked on by the TGG, we've broken those down into seven product families. One is Data and Environment, that's the DSS; Mobile, Software, Card, Key Management - which is a hot, relatively new one - Point to Point Encryption, and Device. And the reason the Council has broken those areas down into these product families is we wanted to make it easier for the PPOs to focus on those areas that they care most about. So, somebody might only care about the DSS, they might only care about maybe Mobile or Software, and they don't have to spend time in the other areas. One of the great advantages of being a PPO is that you get to pick and choose what product family you really want to be involved in with the Council. So, my question to each one of you, and I'll start with Simon again, tell us what are the product families your company at BT is involved with as a PPO?
Simon Turner: I guess the great thing for me is, as a PPO, we're not just observing; we're getting involved, we're helping shape the direction of the standards. And given the scale and experience of our organization, I think we're very well placed to provide practical insights into what the market really needs to see. I guess one point I'd like to highlight before I go into which of the areas we point out to, as an organization, I don't do this singly. I bring in others from within my organization. I've got such a breadth of knowledge and expertise within the organization that, you know, I bring them in to help. And I guess that's a key bit for people: not just to think that you as a PPO rep are able to support that, but bring others within your organization. So, some of the groups that I've been involved in, not only the Data Security Standard, because that's personally me, as a merchant, where I get involved in, we also get involved in Mobile. We've been involved in Software, Key Management, believe it or not, P2PE and also Device. Because as an organization, we touch quite a lot of this technology. We actually have a research center within BT, where we work with other industry leaders. So, for example, PQC, Post Quantum Cryptography, we've got a center there where we're working with very large external partners. And we've got a lot of knowledge and expertise. So, the benefit of being able to delegate that function over to somebody else within the organization and feed them into being part of that is kind of one of the things that I'm quite excited about and one of the reasons that I thought coming in and supporting these groups is important to me. And then just to finish off, one of the benefits of people recognizing that BT Group runs the PPO as well is when we go and do our community events or when I do other talks and community events outside, I get approached all the time and asked questions specifically. And one of the recent ones being MPoC. What are we doing around MPoC? So, I know there's a lot of community people who aren't able to participate as a PPO, and like the others have said, I'd like to think I can bring in the questions not only from my own organization, but from others outside in industry and feed that into what we're doing as part of the TGG groups.
Mark Meissner: And Simon, you make a really good point. When you are involved in the TGG with the product families, you can bring in different experts within your company to participate in those groups. We set it up that way because we wanted to bring experts to the table. And again, you just gave a great example of how you're bringing other people's voices to the table. When you're out talking, you're hearing things that you bring to that group. Gagan, what are the product families that Salesforce, that you guys participate in as a PPO?
Gagandeep Singh: We are pretty much involved in all of them. We participate in all of them. Our business touches some elements of all these product families. And by being a PPO, we gain valuable insight and have a say on the direction of the standard and that impacts us and our clients. So, that's been great. We are super excited to keep collaborating and contribute to the ongoing advancement of security within the PCI program. But I do want to highlight that one of the biggest areas that has been helping us is figuring out the efficiencies across all the global standards. So, that really helps us in shaping because of how spread out Salesforce and its operations are in figuring out how we can use PCI DSS. That is, of course, the best standard out there to secure payments, but how does that help us expand that into securing our products plus gaining efficiencies with all the other regulatory requirements that we have across the globe?
Mark Meissner: And Brett, I know you guys are relatively new. Have you selected the product families that you want to be involved in and why?
Brett Johnson: For Reflectiz, our focus is really on companies where the website is a big part of their business. We are focused on those customers for website security and compliance, which is PCI, and DSS is the group within the PCI areas that we focus on. And it's really around, not the data that, once a site visitor like you or me goes to a site and submits and puts in all the credit card information, sits on the server. It's really all of those third and fourth parties that are on the site reading that data, seeing what's happening, that can potentially have a lot of risks and exposure, you know, for when you and I go to a site, how well is that data secured? That’s our focus. So, on the DSS, I think there's a lot of interesting areas we can contribute, and we see all the time, maybe new threats and new areas that should be paid attention to by the Council.
Mark Meissner: Thanks to all of you for joining us for the Coffee with the Council. This has been a really valuable discussion on the PPO program. And once again, we truly appreciate this collaboration with our stakeholders. Our success at the Council depends on the feedback and input of the entire payments industry to keep our standards and programs relevant. And we are grateful for this level of participation. If your company is interested in learning more about joining the Council as a Participating Organization, I would invite you to visit our website for more information. We've provided a link in the blog transcript of this episode. Thank you so much for joining us and thank you to our panel.
Like what you’ve heard? Subscribe to PCI SSC’s “Coffee with the Council” podcast by visiting any of the following platforms: Apple Podcasts, Spotify, Amazon Music, Anchor, Castbox, Google Podcasts, iHeartRadio, Pocket Casts, RadioPublic, or Stitcher.