In his keynote presentation at the 2019 PCI Community Meeting this week in Vancouver, Executive Director Lance Johnson introduced the Strategic Framework that is guiding PCI SSC activities to achieve its mission and support the needs of the global payments industry. In this interview, we cover key questions about the framework and how it’s shaping the Council’s priorities.
What is the PCI SSC Strategic Framework?
Lance Johnson: The Strategic Framework is simply the Council’s mission statement and four strategic pillars that define how the organization achieves its mission.
Has PCI SSC changed its mission?
Lance Johnson: No. The Council’s mission is the same today as it was when the organization was founded. What has changed is the scope of PCI SSC activities needed to support an increasingly complex and global payments ecosystem. The Strategic Framework reaffirms the Council’s mission and extends it to include four strategic pillars that define how PCI SSC achieves this mission now and going forward.
How is the Strategic Framework being used?
Lance Johnson: The Council uses the framework to guide its decision-making process and ensure that every initiative is aligned with the organization’s mission and supports the needs of the global payments industry.
Similarly, the framework is a tool for communicating the Council’s mission and the scope of its activities to ensure a consistent understanding across the organization and its stakeholders of what PCI SSC does, and equally important, what PCI SSC does not do, and why.
Can you provide an overview of the four pillars of the Strategic Framework?
Lance Johnson: Global payments industry participation in the development of PCI Standards is critical to the Council’s mission to enhance global payment security. As payments and technology continue to evolve, increasing knowledge across the industry will be integral to driving effective implementation of PCI Standards by global stakeholders.
It’s with this participation and knowledge that we will evolve PCI Standards and validation programs to ensure they are relevant and current to meet the needs of the industry and support and enable safe commerce. We will develop new standards, programs, and related resources to help secure the acceptance and processing of new card-rooted payments channels, such as mobile and IoT.
And finally, we will prioritize consistency and industry alignment to reduce redundancy and friction for stakeholders and support effective implementation of PCI Standards. This means continuing to provide globally applicable data security standards and supporting validation programs that are recognized by the payment brands and align with other standards organizations.
Can you clarify what is meant by card-rooted payment channels?
Lance Johnson: The use of the term “card-rooted” acknowledges that emerging payment channels are expanding beyond just cards to include methods and technologies that do not require the use of a physical card. The Council’s remit will continue to focus on account data security for network card payments, whether a card is involved or not.
How is the Strategic Framework shaping current PCI SSC initiatives?
Lance Johnson: The standards and programs the Council prioritizes and how the organization goes about delivering these initiatives are all being driven by the Strategic Framework.
For example, the new Request for Comments (RFC) process recognizes the importance of industry participation in the standards development process in order to continue to provide resources that address industry needs and challenges.
With PCI DSS v4.0 we are evolving the standard and validation program to support a range of environments, technologies and methodologies for achieving security.
Our mobile payment acceptance standards are designed to support secure payment acceptance in new and emerging payment channels.
All of our standards bring together multiple perspectives and security requirements into one aligned data security standard for the industry, with the goal of driving effective implementation by stakeholders. The Council also works to align efforts with other standards organizations to reduce redundancy and potential confusion. The PIN Security Standard and Assessor Program is a great example of this in action.
As we look to build on these efforts in 2020 and beyond, in a rapidly changing environment, stakeholders can be certain that industry participation, evolution, alignment and consistency will be constants in the Council’s efforts to provide standards and resources for securing payment data.