Evolving PCI Standards and Validation is a core pillar in the PCI Security Standards Council’s strategic framework, which guides how the Council achieves its mission and supports the needs of the global payments industry. In this interview with PCI SSC Engagement Officer Troy Leach, we discuss this pillar and how it’s shaping Council priorities.
What is meant by evolving security standards and validation?
Troy Leach: As payments and technology change, the Council will continue to evolve its standards and validation programs to support a range of environments, technologies and methodologies for achieving security.
This includes adding to or subtracting from an existing standard, or replacing it with a new standard.
How does the Council evolve its security standards and validation programs?
Troy Leach: Collaboration with relevant payment stakeholders is at the heart of our evolution process for PCI Standards and Programs. Engaging payment industry stakeholders is imperative to ensuring that our standards and resources reflect and address industry needs and challenges.
We do this most broadly through our request for comments (RFC) process, which provides PCI SSC stakeholders the opportunity to review draft standards and contribute their feedback to help shape the standards’ development.
As our community has grown, we’ve created additional targeted channels for seeking different types of input and engagement from specific stakeholder sets. These channels include Task Forces, Special Interest Groups (SIGs), the Global Executive Assessor Roundtable (GEAR), Board of Advisors and Regional Engagement Boards.
What are some examples of how this pillar is shaping PCI SSC initiatives?
Troy Leach: With PCI DSS v4.0 we are evolving the standard and validation program to support a range of environments, technologies and methodologies for achieving security.
The PCI Secure Software Standard, which is part of the PCI Software Security Framework (SSF), replaces the Payment Application Data Security Standard (PA-DSS) with modern requirements that support a broader array of payment software types, technologies, and development methodologies.
If we look at the practices from the past decade, the speed of software delivery, the third-party dependencies and the reliance on software-based controls are significantly different and vastly more important to payment transactions.
So as technology and business practices change, the security requirements within our standards must continue to evolve to protect payment data. These new standards and supporting certification programs exemplify this pillar.
How does the Council’s focus on evolving security standards and validation ultimately benefit the industry?
Troy Leach: Technology is changing at a tremendous rate, and organizations want assurance that the payment infrastructure they rely on keeps pace with new adoption and addresses new threat actors trying to exploit vulnerabilities.
With a commitment to regularly evaluate the payment landscape for improvements to security within our standards and training, organizations have a reliable source to turn to for help keeping them informed, and lab-tested solutions they can trust.