Alicia Malone: Welcome to the first episode of our new podcast series, “Coffee with The Council”. I'm Alicia Malone, senior manager of public relations for the PCI Security Standards Council. Today, we'll be talking about what you can expect in the year ahead for PCI SSC with Lance Johnson, our executive director. Welcome, Lance.
Lance Johnson: Hi, Alicia. Thanks for having me here today. I'm really excited about what we're going to be talking about and where the Council is going in 2022.
Alicia Malone: I am so excited too, and I'm just so thrilled that we are able to offer this new podcast platform as a new engagement offering for our stakeholders. And it's just one of many new things coming in 2022. And that's really what I wanted to talk to you about today. So, let's just dive right in. What's new with the Council and what can we expect this year?
Lance Johnson: Wow. Where do I start? Well, I think I have to start 2022 by recognizing that the last two years have been years of change and years of challenge for everybody. The Council is a different organization than it was a couple of years ago; part of that is because of the pandemic and all of the issues that that has created and caused for the industry. But a bigger part of it is actually with a lot of the opportunities that have been entered into the industry and that we're now involved with. Some of those items, we knew were going to be happening; other items we expected, but maybe well into the future. So, what we're looking at for 2022 is really exciting because it addresses many of the issues that we anticipated but is making them more immediate. And I'll jump through a lot of those in a couple of moments. But let me start off with a little bit of history.
The Council is 16 years old this year and it has been a growing, vibrant, actively expanding organization. It has worked well with the industry, and it has continued to grow, to meet what the industry - in its broadest sense - has needed. We went from one standard and now we are at 16. We went from one or two programs, depending on how you want to define them, up to something in excess of 20. We've gone from a few people to dozens of people in multiple countries with standards and documents and support mechanisms that are in many languages. We really have changed substantially, and that same change or that history of change has continued.
Interestingly, at the end of last year, we had a couple of major changes for the Council around the people who have been part of our organization. And I guess most people recognize that an organization is mostly driven by the people who are a part of it. And we've been very fortunate having some exceptional contributors, like some exceptional participants at the Council over the years. Two of those people are Ralph Poore and Troy Leach. Both individuals had been with the organization many years and had contributed significantly to its growth, to its change, to its evolution and its successes. And at the end of the year, for different reasons, both individuals have gone on to other activities. Ralph has retired and Troy is taking on some additional roles in the industry and going off to take on new activities. So, with the loss of those two key people, I think it's probably fair to say we're going to be looking at some changes in the people who are brought into the Council, looking at some exciting opportunities to have additional resources come in, or additional people will be involved in ways that we couldn't have anticipated prior to the end of 2021.
All of those things really lead to: what do we expect in 2022? We expect more change. There is the ongoing issue that I think everybody recognizes that, for some period of time, we're going to be dealing with the issues around the pandemic and how we finally exit the challenges that that has put onto us. It's not going to be instantaneous. It's not going to be easy and it's not going to be the same solution all around the world and for every single situation. But we are really in the process of exiting the impacts of how that has changed the environment.
So, in the first half of the year, where are we? We are on the precipice of one of the most monumental announcements and introductions in the Council's history. Our major initiative over the years has been DSS, our Data Security Standard. That was the very first standard that I mentioned a moment ago, and it is going through its fourth iteration. Very shortly, we will be issuing the document for public use. It is a significant body of work. It will cover both what the requirements are, as reflected in the standard, but also how to assess against the standard and its intent. And that's where some of the biggest changes are going to be because PCI DSS 4.0 will represent a shift in how we look at organizations, assessing their competency and protecting data, what they do, how they do it. It is going to introduce some new options for organizations which are looking at how to do the business differently. So, they can actually look at PCI DSS and say, I don't have to follow explicitly a specific statement as long as I meet the full intent of the requirement. So, there's some really interesting and important changes that that standard will introduce to the body of all of our standards and, hopefully, be a baseline for some of the future work that we do as well. Providing more flexibility, consistency, ensuring that there's flexibility across all of the opportunities for people to explore technologies and new business plans or new business models, but still maintain the fundamental integrity of the payment infrastructure by protecting payment data.
So, PCI DSS 4.0, by a huge margin, is going to be that marquee event for this year. It's not the only significant event. We have some new mobile standards coming up at the end of the year that are going to reflect the continuing evolution and the importance of mobile as a driving element for payments globally. I think it's not an overstatement to say that mobile is that foundational change in the industry which is going to represent how payments are done in the future. But equally, it is not just about how the payments occur, but it's also about what payments mean. In a mobile environment, you change the design, you change how people interact with each other. You change what the transaction actually is. So, all of this is changing not just the old model of a person going to a merchant and buying something; it's changing what it means to buy. It's changing who the merchant is. It's changing who the buyer is. All of these things are going to be foundational in the future for commerce, and much of the work that we're doing right now, which will start to be reflected in some of the standards later in the year, will represent those changes.
Sunset of PA-DSS:
Additionally, we're in the process of looking at our folio of existing standards and, like many things, standards and programs - while they can many times be evolved or they can grow or they can mature - at some point they reach an end of life, where the effort to maintain them really isn't giving the industry the value that they had previously. We've had that just occur recently with PA-DSS, our Payment Application Data Security Standard, and in the process of sunsetting that particular standard and the programs that go with it, we've had to look at where the industry has requirements that were being met by that, and still do need to be met, but don't necessarily require us to continue that particular program.
So, one of the areas that we'll be looking at is software security. Software is that other really major engaging area that we have to be more active in. We have to be more forward leaning in. We've done some substantial effort in working and ensuring that PA-DSS specifically has been addressed by our software security standards, but software in and of itself is so transformative. It is the companion to mobile. Mobile may be the venue and the device, but software is the mechanism for delivering the content and the interaction. So those two things together are important. And our software security efforts going in through the balance of the year, really are focused on making sure that we're more flexible; we're more nimble. We are creating modular application frameworks around how to protect particular elements, whether it is a web module or shopping cart, or whether it is some other aspect of an implementation that is software-driven that can be developed, and applied quickly, and pushed out.
Alicia Malone: So, it's a really big year for all of our standards it sounds like. Let's talk now about some of the other changes that are coming to the Council.
Lance Johnson: We've always had this high dependence on automation and tools, especially in our training and certifications. And that became even more important over the last couple of years as we were limited in how often we could meet with people. And what we learned is those tools have evolved and matured to the point that they really provide a whole new dimension in what we can do in helping organizations and people. This upcoming year really is focusing on how do we use these new designs? How do we use these new tools more effectively?
And let me start first with training. We've always done quite a bit of in-person, but also computer-based training. What we're starting to see is that while it is still important regularly to be in front of people and to have that one-on-one personal dialogue with an individual in a class, there are a number of new tools and new capabilities that allow us to look at those classes differently. And to provide a broadening and an expansion of how we actually reach people around the world. So, instead of looking to get 25 people together in a particular city at a particular time, we can get 25 people together at a particular time regardless of their city. And we can do these in a repetitive, multiple language environment that allows us to work across the globe more efficiently and more effectively. We still want to visit with everyone, but this allows us to have a Japanese class or to have a Portuguese class or a Spanish-based class or an English class but provided regardless of where the person themselves is taking the class from. So that's going to be an area that we continue to pursue. It will allow us to provide more customized trainings for organizations and individuals. And it just provides an intense expansion of our flexibility. So that's probably where the biggest single push of our efforts in 2022 are going to show the benefits of what we've learned over the last two years. We'll come back in person, but we'll also still maintain the capabilities that we've learned and adopted over the last couple of years.
Updated Website and New Mobile App:
It's also addressed or highlighted that we need to focus more on how we touch and reach out to people. And because of that, we've recognized that we've been a little laggard in some of the things that we've done, particularly on our website and in how the world consumes information. I think everybody recognizes from years ago that websites were a primary focus of information sources, but they weren't the only source, or they weren't the driver of the main elements of content; there were other means to do that. Over the last few years and, especially over the last couple of years with mobile taking over, not only has the model of what a website looks like changed, but how it's used has changed. It's more integrated, it's more interactive. It provides more content. It provides an easier mechanism to get answers and to consume the information.
Additionally, mobile content, as I said a moment ago, it's changing how payments occur, but it's also changing how people interact and learn. And one of the things that we have not been successful at, historically, is engaging some of those people who really only use their phones or use their tablets as their primary means of learning. So, coming up this year, we are going to be putting more emphasis on ensuring that our website really does represent some of the more valuable attributes of communication, of engagement, of ease of access, of comprehensive view of what we do, but also engagement with the people who need that information. And extending the same set of objectives to a new mobile app so that the mobile app provides for those people who don't sit 24/7 behind the computer system or a computer screen but are on their phone. And they're doing those things generally around the world, the same capabilities, but some new capabilities as well.
So much of what we're doing is catching up to where others already are. But a few things that we're doing really are trying to push the boundaries on how to engage organizations, engage people, and teach them about our mission and provide them with the tools and information of how to protect payments data, and maybe have some fun along the way, I hope.
PCI SSC Community Meetings:
Alicia Malone: Well, this is very exciting news. But now I want to ask something that I know is on everyone's mind: will the Council return to in-person Community Meetings this year?
Lance Johnson: Wow. Okay. So, I'm going to be cautious and I'm going to say - last year, I said, yes, and I was wrong - this year I'm going to say yes and I'm pretty sure I'm right. As I said when we started, the world is not where it was a year ago, let alone two years ago, so we've adapted, and we've changed. But it is clear that the community and the effectiveness of two people standing together, having a conversation, or a group of individuals standing around talking about a particular issue, is an incredibly powerful and an important aspect of how our community works. That is the heart and soul of what our Community Meetings are.
We get some of that in the virtual environment, but we lose a lot of that when we don't have any opportunity for people to get together. So, while you can never say definitively that the answer is yes or no, I will tell you, it is an absolute priority that we do have those meetings in-person this year. They may be structured a little bit differently and there may be some different aspects to it. But our intent is that we are going to have those face-to-face meetings this year. Now, one of the things that I find really exciting that we're going to do, as a companion process this year that we learned worked really well, is that historically we would have the face-to-face Community Meetings with hundreds or thousands of people there. And they were extremely well regarded and valuable to the entire community. We're going to change those a little bit this year because one of the things that worked very well while we weren't allowed to do that, is recording a lot of the content and putting that content into a form that allows the community to access it when they need it, or at some other time. Are we going to have a meeting in Toronto this year for the North American community? Yes, we are. Are we going to have one in Europe this year? Yes, we are. But equally, we'll be taking content and putting it into a format that will allow our stakeholders, our Participating Organizations, our assessors, and our extended community to have access to that information, or those presentations, for an extended period of time because that's turned out to be extremely valuable to everyone in the world. And we're going to add in some of the capabilities that we've learned worked really well over the last two years, some of this information which people can get on-demand.
Alicia Malone: It sounds like this is going to be a very exciting year for the Council. Before we close, is there anything else that you'd like to share with our listeners today?
Lance Johnson: This year is different. This year is back to that: how do we make it better? How do we grow? How do we make everyone have more of what they need and how are we able to take advantage of these new tools and these new opportunities to share the word of how you protect payment data; to engage more organizations and more people; and to raise the banner of protecting this information since it's critical to everyone's commerce? So, for me, 2022 is about excitement and about looking forward and about what we intend to accomplish. And not looking backward on what we may have left in our rearview mirrors as we've passed the last two years.
Alicia Malone: And one more thing before we wrap up: how do you take your coffee, Lance?
Lance Johnson: Well, if you knew my family they would say: in large doses and very hot. I usually use a little cream in it, but I'm also a bit of a snob. So, I like very strong and particular beans that I grind myself.
Alicia Malone: Wow. I love it. Thank you so much for sharing all of this great information today. I look forward to checking in with you each quarter on all things Council-related.
Lance Johnson: And I look forward to it as well. I think we have an exciting journey over this next year and beyond. It's going to be an interesting journey because it isn't what we expected. And I thank you for the opportunity to share my views and what I've learned and what's exciting about the world in the PCI area with all of our listeners.
Alicia Malone: Thanks, Lance.
Like what you’ve heard? Subscribe to PCI SSC’s “Coffee with the Council” podcast by visiting any of the following platforms: Spotify, Apple Podcasts, Breaker, Google Podcasts, Pocket Casts, or RadioPublic.