Welcome to our podcast series, Coffee with the Council. I'm Alicia Malone, Senior Manager of Public Relations for the PCI Security Standards Council. Today, we'll reflect on the accomplishments of 2022 and look ahead to what 2023 will bring at the PCI Security Standards Council. My guest for this episode is Lance Johnson, Executive Director at PCI SSC. Welcome, Lance.
Lance Johnson: Hi, Alicia. Welcome to 2023.
Alicia Malone: Well, 2022 was a big year for the PCI Security Standards Council. We released PCI DSS v4.0. We retired the PA-DSS standard. We even released a brand-new standard, Mobile Payments on COTS (MPoC). But there were other major accomplishments, too. Can you give us a little recap of what was accomplished in 2022 and how that positions the Council for the year ahead?
Lance Johnson: Well, I'm glad you asked that question because there was so much we did in 2022 and it was so important. Effectively, everything that you just said really set the stage for some of the major successes. PCI DSS v4.0, Mobile Payments on COTS, all of those things were really the continuation of the foundation of what we do. But, as you just stated, there were some significantly new areas as well.
In 2022, we did a reassessment of the engagement model that we have used for a number of years. And what we have come to is recognizing that the real core of what makes the Council work is the broad range of participants. And what we've decided and have now implemented at the end of 2022, going into '23, is that we are going to completely reimagine how we leverage the contributions of all of our participants. It is a fundamental reassessment. We're actually calling it the third phase of the Council, where we're looking to the industry to help us drive what the key elements are that we need to be doing. First and foremost, in that is that we've changed how we look at our participant model.
Historically, we've had one type of organization model. Now, we have expanded that to three. And with those three, what we're really trying to do is expand the opportunity to be involved, expand the areas that those organizations can participate in and contribute to. In particular really, the key element is for the Principal participant, which is brand new, and as of this year, it will have a much greater access and input on some of the strategic direction of the organization. Our Associate membership really is the lifeblood of what we have been and will continue to be. Those are the organizations which had been with us for years and continue to support us and represent the needs of the industry. But we've added something new, which is the Individual participant, which means that anyone can now be part of the organization and those are really significant changes. They're going to define the profile and the nature of the work that the Council does in the future, and really start to change the very image of how the Council impacts the industry and impacts the needs of all of the organizations that work in the industry.
Alicia Malone: So, as we start 2023, one of the first major initiatives will be the nomination of our new Board of Advisors, which begins in February. Tell us a little about what's different this year in terms of the Board.
Lance Johnson: Our participants - Associates, Principals and the Individuals - as I said a moment ago, they are the heart and soul of what makes our work successful. We exist because of what they bring to the table. The new BOA, which is really one of the fundamental ways in which the information from all of these participants is presented and refined within the Council, is a reflection of the old BOA, builds off of it, but does a couple of key things that are really important and exciting.
First, we're going to effectively double the size of the group to introduce new participants, to get some of the organizations which previously might not have been part of it, and to get those voices around the table so we can have a broadened discussion on a number of new areas that might not have been part of the agendas in the past. With that though, we're actually looking at also doing something entirely new, which is we are looking to this organization, this Board of Advisors, as providing that key element of approval to the work that we do. Historically, as Advisors, they would guide, they would instruct, but now what we're doing is we're adding a third element and we're asking them to actually approve the work we do. Any major work item that comes out of the standards area, like a standard that has a major revision, those will all be submitted to the Board of Advisors, discussed, debated and approved by the Board of Advisors before they're published. And that is what we're hoping really drives some new activity within that group. That is one of the reasons that we wanted to expand the size so we get the discussions more dynamic and more engaged across a broader range of subjects. And it's really going to be an interesting opportunity for the Council to start listening to new issues and new areas that we may have missed before.
Alicia Malone: Also new this year is the launch of two new initiatives, the Global Content Library, and a new Jobs Board for our industry. What can you tell us about these?
Lance Johnson: So, let me take the first one. Our Global Content Library is a major step forward. We do a tremendous amount of work in presenting information to the industry. But a couple of the areas that we actually do extremely well, particularly around our Community Meetings, have the very experts from the industry talking. So, with the Global Content Library, now that we're fully recording everything and looking at things in a much more broad perspective, we're taking that and we're putting it into a format that allows anyone from that point forward to go ahead and review it again. Or people who didn't have the opportunity to attend, either in person or remotely, to look at what was said. Obviously, we have a number of concurrent streams that go on in some of these meetings. So, they can't be in two places at one time. So now they can go back, and they can actually see what was said in some other areas. So, the Global Content Library really is a fundamental expansion of our capabilities of providing that information and that content to everybody on a long-term basis.
The Jobs Board is really our first effort to look at how do we address one of the fundamental issues that the industry is facing. Like everyone else, technical skills and individuals in the cybersecurity area are a key problem. While we do a lot of training, we're looking at ways that we might be able to facilitate more resources becoming available. Our first step really is in this Jobs Board and just giving people a clearinghouse and an opportunity to say, "Here's what I need," or "Here are the skillsets that are important to us as an organization and we're hiring." So that you don't have to go and try and figure out what is an organization doing in this particular area of payment security. They'll be able to go to our site and look at it and say, "Ah, these organizations have a need, I have the skills, and let's see if there's something here for that."
Like I said, this is a very initial step in this area. I don't know how it's going to play out, but the first indications from people who have talked about the concept with us from the industry, they're very excited about it and they want to see it grow and be used more actively. So those are the two basic items going into 2023, but I'll just say they're really only the first steps. We have a lot more coming in the future.
Alicia Malone: In terms of standards and programs, what will the focus be this year?
Lance Johnson: So, Alicia, a moment ago you talked about PCI DSS v4.0, and you talked about Mobile Payments on COTS and some of the other areas that we put a lot of effort in, in the past. I think 2023 and going forward is going to see a lot of the same. PCI DSS v4.0 is still a work in process. The standard has been produced. People are now starting to apply that to their domains. We still have a lot of training that we need to do around that. So, there's going to be a lot of work to make PCI DSS v4.0 understood and applied as organizations are starting to adopt it. So, there's still all of that. PCI DSS v3.2.1 is still there as well, and that needs to continue to be supported.
The mobile and software area, that's the pointy end of the effort right now, where the industry is really focusing on how to better use software, how to look at mobile and use the dynamics that mobile has introduced into payments to ease the friction for consumers to make payments and to do transactions. We have some standards in that area. You mentioned that MPoC has just been released, v1.0. We need to do more. We need to be looking at more areas where we can do more standards around software. We need to be looking at additional items that we could be looking at with mobile. And how does that change the dynamics of the industry? I don't know yet, but those are the areas that we'll be focusing on.
However, the Council has been a success by making sure that people have the tools that they need to protect payments in all of its forms and in all of its environments. So, everything that we have done remains. We continue to do it. So, if it's a PTS POI device or if it is Card Vendor, or if it is any of the other areas that we have had extensive work done in the past, nothing gets left behind. Everything continues to work and can be supported. So, the future isn't about going forward and leaving stuff behind. Where that's necessary, such as PA-DSS, we can do that. But in most cases, it's really about adding new things and not leaving anything behind because it's still basic, necessary, and important to the participants in the industry.
Alicia Malone: The return to in-person Community Meetings was a highlight last year. How did those go, and what can we expect from the Community Meetings this year?
Lance Johnson: You know, the thing about the Community Meetings this past year is there was such a pent-up demand, and everybody was excited. I can tell you definitively that the meetings that we had, they went exceptionally well. It was exactly what the industry had been asking for, precisely the type of information and interaction and opportunity to share and learn in person that everybody had been demanding. But it is also where we introduced some of the learnings that we had gotten over the last couple of years. The very nature of the Community Meetings has introduced new methods of communicating with people, new methods of engaging them. So, we added the simulcasting, which beyond almost any of our expectations was a spectacular hit. Many people used it, even people on site. We have some anecdotal stories of people who had two laptops open and they were watching two streams simultaneously because they wanted to be in both of them while they were going on and they couldn't.
So, the meetings themselves, overall, they were extremely successful, whether it's in person, whether it's simulcast or whether it is in some expansion of that. So overall, they were exceptionally well. They set the groundwork and a very high bar going into the future, but I think as we go into the future, they're only going to get better.
Alicia Malone: Before we close, is there anything else that you'd like to share with our listeners today?
Lance Johnson: Absolutely. The Council is a growing, dynamic organization which is only a reflection of the needs of its participants. So, we are highly dependent on all of the engagement activities which we do and learning from the very organizations which are using what we provide.
So, for us to be a success and continue to do that, all of the participants, everyone listening, it really is an issue of keeping the dialogue going, making sure that the contributions and the inquiries and the observations continue to come forward. So, it really is a request to stay involved. To stay involved in what you have been doing, to look at the new ways that you can be involved, to offer what you can, to ask the questions where you have a need for help, but to provide your expertise and knowledge that we can then socialize for others to use as well. This is really about a community, and it is about making sure that people stay engaged and provide to the rest of the community and learn from the rest of the community those things they need.
Alicia Malone: Well, thank you so much for joining us on Coffee with the Council today, Lance, and it's always a pleasure chatting with you.
Lance Johnson: Thank you for having me.